We have been asked by a customer to write software and recommend FileMaker 13 configurations to support their credit card merchant processing. The PCI-DSS compliance requirements are complex and open to a wide variety of interpretation. Unfortunately, penalties can be high for non-compliance. Does anyone have reliable answers to the following 5 questions, and are there other concerns that we should bring to our client's attention?
1. It has been suggested that the data encryption model in FileMaker 13 is not robust enough to support PCI compliance and that one should purchase 3rd party plugins to support this. Is it really true that the native AES-256-bit encryption for storage and dataflow is not compliant?
2. The PCI-DSS Section 2.2.1 specifies that each server should have only 1 function. The example they give is database server versus web server. Since the FileMaker 13 model supports both in the same programs, does that disqualify FileMaker 13 from being used as a PCI-DSS compliant development and operation tool?
3. Based on 2.2.1, if FileMaker 13 qualifies as compliant, does the client need to purchase 2 server licenses: 1 for the web access support and a 2nd to house the database access?
4. Based on 2.2.1, if FileMaker 13 qualifies as compliant with a single server serving both web and database access, does the client need to house only the credit card processing application on one server and purchase a 2nd server for the other business applications?
5. The FileMaker purchasing guide seems to indicate that ODBC and JDBC and even Custom Web Development do not count against the licensed connections that one purchases for the Server. Do we understand this correctly? For example, can a client purchase a server with only the 1 connection and then access tables through ODBC from a 3rd party application from 50 separate client workstations at the same time?
Thank you for your help with this.
Management Planning Systems