Pci DSS
Richard Kreiss
rkreiss at gccconsulting.net
Tue Sep 17 21:51:12 PDT 2013
> -----Original Message-----
> From: filepro-list-bounces+rkreiss=verizon.net at lists.celestial.com
> [mailto:filepro-list-bounces+rkreiss=verizon.net at lists.celestial.com] On
> Behalf Of Walter D Vaughan Jr
> Sent: Tuesday, September 17, 2013 2:15 PM
> To: filePro Mailing List
> Subject: RE: Pci DSS
>
> > -----Original Message-----
> > From: ken_wakeman at me.com [mailto:ken_wakeman at me.com]
> > Sent: Tuesday, September 17, 2013 12:46 PM
> > Subject: Re: Pci DSS
> >
> > Well I may be ok then.
> >
> > Running Fp 5.6
> > Openserver 6.0
> >
> > But I think that I would need to decrypt on the auto process if the
> > user needs to view the encrypted info.
> [Walter D Vaughan Jr]
> No one after a card is processed should ever need to access it within filePro.
> Burn it instantly.
> Deal with the card at the authorize.net or your processor level. You will fail
> PCI compliance if you think people need access to card information.
> >
> > Second , looks like no index then on that field.
> [Walter D Vaughan Jr]
> Why would you want an index on a credit card field?
> - you should never have to look up a card number. Typed a wrong number or
> amount? Again you deal with it at the processor level. They need a refund?
> "I will need your card again Ms Smith in order to refund your order. We used
> a card that ended in 4789 last time, can you give me that card number again?"
> >
> > Thoughts?
> Your problem is going to have a layered access control. And a million other
> things like enforcing a password policy and having a written document
> describing how you will spot check your network from someone setting up an
> ad-hoc wi-fi network without your knowledge.
>
> Some banks will work with helpful sites like http://www.compliance101.com/
> to help you through the process.
>
> And remember you will fail. If you are going to hold card numbers then you
> need to "be aware of everyone who has access to your sensitive systems,
> from employees to vendors, and be sure to track their network activity" (Visa
> Req. 10) First part easy, second part not so much.
>
> The point is, you have GOT to get out of the holding cardholder information
> business in your systems.
>
If you do hold cardholder information, that is the advantage of fp 5.6 or higher field encryption. All of this data can be encrypted. With 5.7, full file encryption is available, adding one more layer of protection from the outside. You can encrypt one file or all of the files, making it very difficult for someone not running your filepro to access your data. The encryption is tied to your license, so even if someone had filepro they could not take your data and use it on their system.
Based on hacking reports, do you really want to trust your sensitive data to an outside source? The banks and credit card companies don't exactly have a stellar reputation for protecting cardholder information.
Richard Kreiss
GCC Consulting
Office: 410-653-2813
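The data-handling rule quoted above (keep only the last four digits and a processor reference, never the full card number, and refer to the card as "ending in 4789") as an added Python example; this is not code from either poster or from filePro, and the sample PAN, the processor reference and the scanned text are constructed test values.

```python
import re

# Constructed sample input for the demo: a well-known Luhn-valid test PAN, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (catches typos before submission)."""
    checksum = 0
    for i, c in enumerate(reversed(digits)):
        d = int(c)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def redact_for_storage(pan: str, processor_ref: str) -> dict:
    """Reduce a PAN to what the quoted advice allows you to keep: the last four digits plus
    the processor's own reference for the transaction. The full PAN is validated, used once,
    and never returned, so nothing that gets persisted can reconstruct it."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("PAN failed format/Luhn check; send back to the operator for re-entry")
    return {"last4": digits[-4:], "processor_ref": processor_ref}


def display_hint(record: dict) -> str:
    """Customer-facing phrasing from the thread: identify the card by its last four digits only."""
    return f"card ending in {record['last4']}"


def contains_pan(text: str) -> bool:
    """Audit helper: flag 13-19 digit runs (spaces/dashes allowed) that pass Luhn.
    Run it over exports, reports or logs that must never carry a full card number."""
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            return True
    return False


if __name__ == "__main__":
    rec = redact_for_storage(SAMPLE_PAN, "processor-ref-demo")   # constructed reference
    print(rec, "->", display_hint(rec))
    print("full PAN leaked into text?", contains_pan("customer paid with " + SAMPLE_PAN))
    print("last4-only text flagged?", contains_pan("refund for card ending in 1111"))
```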