John Kamm Posted June 8, 2009
Not sure where to put this so I will start here. Is anyone willing or able to discuss PCI DSS issues? VeriSign quoted $35,000 for the certification process. Our application uses the VeriSign SDK and does not store the card number or CVV so the fee seems to be a bit excessive. Canadian gateways are requiring proof of compliance by Jan 1 2010. Has anyone heard that US gateways will follow suit? What are others doing in the spirit of PCI DSS compliance? I hope we can have a frank discussion on these issues as they affect many of our FileMaker business solutions.
Steven H. Blackwell Posted June 9, 2009
Hello, John. Good to see you at this Forum. Perhaps we can begin this discussion by your listing key bullet points for PCI compliance. Then we can go from there to address how FMP/FMS meets those. Steven
John Kamm (Author) Posted June 9, 2009
An excellent suggestion. The core of the Payment Card Industry Data Security Standard (PCI DSS) is a group of 12 principles and accompanying requirements, around which the specific elements of the DSS are organized. As a software application developer, we are most concerned with requirements 3 and 4 regarding the storage and handling of cardholder data:

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Cardholder data and authentication data are considered to be the primary account number (PAN), cardholder name, service code, expiration date, magnetic strip data, CVV (3 or 4 digit id) and PIN.

Paraphrasing the requirements:

Requirement 3.1 – cardholder data should be kept to a minimum and should be disposed of as soon as its business purpose has been fulfilled. Policy needs to be documented.
Requirement 3.2 – do not store authentication data even if encrypted – magnetic strip, CVV.
Requirement 3.3 – The PAN can be displayed but it should be masked (show last 4 digits) unless the viewer has a business reason to see the full number.
Requirement 3.4 – The PAN can be stored if encrypted.
Requirement 3.5 – Protect cryptographic keys.
Requirement 3.6 – Document cryptographic policy and procedures, change keys at least once a year.
Requirement 4.1 – Encrypt data when transmitting over public networks (SSL).
Requirement 4.2 – Never send unencrypted PANs by email, chat, etc.

The complete requirements document is available here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

In our solution we do not store the PAN or CVV or mag strip. We are using the VeriSign SDK to transmit the data, encrypted over SSL. It seems to me we are in compliance and I would like to have the solution certified as such but don’t want to pay VeriSign $35k to do it. Anyone have some suggestions?
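As an added illustration (not code from this thread, from FileMaker, or from the VeriSign SDK), here is a small Python sketch of the checks a middle layer between a FileMaker solution and a gateway could apply for requirements 3.2, 3.3 and 4.2: drop CVV and track data before anything is persisted, keep only a masked PAN, and scan outbound text (email bodies, chat, logs) for Luhn-valid card numbers. The field names are assumptions, and the card numbers are constructed, publicly documented test values rather than real accounts.

```python
import re

# Assumed field names that must never reach storage (req. 3.2).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "track1", "track2", "pin"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a PAN apart from order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3: display only the last four digits of a PAN."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(txn: dict) -> dict:
    """Req. 3.2/3.3: strip authentication data and mask the PAN before persisting."""
    clean = {k: v for k, v in txn.items() if k.lower() not in FORBIDDEN_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


def find_unmasked_pans(text: str) -> list:
    """Req. 4.2: flag Luhn-valid PANs in text bound for email, chat or a log file.

    Findings are reported already masked so the detector itself never leaks a PAN.
    """
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed sample: a standard Visa test number next to a Luhn-invalid 16-digit reference.
SAMPLE_EMAIL = "Order 77 paid with 4111 1111 1111 1111, ref 1234567890123456"
```

Running `find_unmasked_pans(SAMPLE_EMAIL)` reports only the masked test card; the 16-digit reference number fails the Luhn check and is left alone.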
Steven H. Blackwell Posted June 10, 2009
There are several FileMaker plug-ins for encrypting data at rest, including the one from 24U that is two factor. It requires a hardware dongle as well. I can provide a comprehensive list of these later today. FileMaker Server can encrypt data in transit between FMS and FileMaker Pro clients, including the Web Publishing Engine. IIS or Apache can encrypt between the web server and the end user with standard certificates. The path between the WPE and the web server must be managed separately. Steven
Steven H. Blackwell Posted June 12, 2009
Three good encryption plug-ins:
24U Hasp
Skydancer AES
Skydancer Blowfish
Skydancer link. 24U link. Steven