FMForums.com

Best Practice Encryption Key


We are working through the issues of PCI compliance and need to add encryption to some of our fields.

Question:

If a literal string is included as part of a script step, like $key = "ASD87654", when the script is saved is that literal stored as clear text in the FileMaker file or is the script compiled somehow masking or converting the literal string to something that would not be recognizable?

Same question for a function, is the function compiled so as to mask its contents?

Or, in the context of the FileMaker file being read in a text editor, is this a non issue? The files are secured with a developer's account and users will not have access to the script editor, function editor or the field definitions.

Perhaps more directly, for those of you using encryption, where is it safe to locate the key?

How about in pre-7 systems, would the keys be in clear text in calculations or script steps when viewing the file in a text editor?

You note:

The files are secured with a developer's account and users will not have access to the script editor, function editor or the field definitions.

That's probably not sufficient. At a minimum, you should remove the [Full Access] Accounts with the Developer Tool.

It really is not safe to store the key--or at least the entire key--anywhere in the file itself. If the key were to be stored in a field, that field absolutely must be set to be to prevent its being read. The problem is that may render the key unusable for encryption or decryption by any of the subordinate user Accounts. If it is stored in the script, it is not outside the realm of possibility that the contents of the script could be read.

What are the specific threats you're trying to address? What are the risks of those threats' occurring? What would be the level of impact of a breach? Answers to these questions are important to help you assess what is the appropriate approach to this issue.

Take a look at 24 U's Hasp Encryption system. It might provide what you need.

Steven
