3 Replies Latest reply on Apr 3, 2014 6:59 PM by disabled_JohnWolff

    Supporting Payment Card Industry Data Security Requirements (PCI-DSS) with FileMaker 13


      We have been asked by a customer to wirte software and recommend FileMaker 13 configurations to support their credit card merchant processing. The PCI-DSS compliance requirements are complex and open to a wide variety of interpretation. Unfortunately, penalties can be high for non-compliance. Does anyone have reliable answers to the following 5 questions; and, are there other concerns that we should bring to our client's attention.


      1. It has been suggested that the data encryption model in FileMaker 13 is not robust enough to support PCI compliance and that one should purchase 3rd party plugins to support this. Is it really true that the native AES-256-bit encryption for storage and dataflow is not compliant?


      2. The PCI-DSS Section 2.2.1 specifies that each server should have only 1 function. The example they give is database server versus web server. Since the FileMaker 13 model supports both in the same programs, does that disqualify FileMaker 13 from being used as a PCI-DSS compliant development and operation tool?


      3. Based on 2.2.1, if FileMaker 13 qualifies as compliant, does the client need to purchase 2 server licenses: 1 for the web access support and a 2nd to house the database access?


      4. Based on 2.2.1, if Filemaker 13 qualifies as compliant with a single server serving both web and database access, does the client need to house only the credit card processing application on one server and purchase a 2nd server for the other business applications?


      5. The FileMaker purchasing guide seems to indicate that ODBC and JDBC and even Custom Web Development do not count against the licensed connections that one purchases for the Server. Do we understant this correctly? For example, can a client purchase a server with only the 1 connection and then access tables through ODBC from a 3rd party application from 50 separate client workstations at the same time?


      Thank you for your help with this.


      Edward Degner

      Management Planning Systems

        • 1. Re: Supporting Payment Card Industry Data Security Requirements (PCI-DSS) with FileMaker 13

          1. Who suggested this? AES256 is pretty robust, and I've passed PCI compliance to store CC info without it.


          2. You can deploy FileMaker into a multiple server configuration to satisfy this need. Separating the web from the database server.

          Page 22 - https://fmhelp.filemaker.com/docs/13/en/fms13_getting_started.pdf


          3. Documentation says one key is good. Page 8, above link.


          4. Depends on what you're using as a merchant processor. You might want to check out the numerous merchant processing plugins for filemaker, such as 360works plastic and productive computing's FM Credit Card.


          5. Correct, connection packs only affect webdirect and filemaker go connections. There are still other limitations to consider when hosting ODBC/JDBC, if you're thinking of hundreds of users simultaneously, you might run into performance and data binding issues.

          • 2. Re: Supporting Payment Card Industry Data Security Requirements (PCI-DSS) with FileMaker 13





            The first time around we used a plug-in for credit card processing. Worked OK, but harder to get PCI-DSS certified.




            The next time around, we wrote our own code to talk to the Accelerated Payment Technologies gateway. We choose Accelerated (part of Global Payments, an NYSE-listed company) because they know FileMaker (met them at DevCon) AND they made it very easy for our clients to become PCI-DSS compliant with their PCI Assure program AND we were able to negotiate some very low fees for transaction processing. To become compliant, a client need only complete a simple survey (really simple, so we do it for most clients) once a year and provide an IP address for running a scan once a quarter. (The company that provides the certification runs the scan, so the client only needs to sign in once a quarter to “acknowledge” the scan.)




            Took only a few days to write the code to talk to the gateway using a pair of very simple web viewer objects. And thus we were able to get rid of the plug-in we had been using. It was a little bit more work than using a plug-in, but it is so nice not having to worry that we might need to upgrade the plug-in after any new Java release.




            Here’s a link to the Accelerate Payments web site:










            Peace, love & brown rice,


            Morgan Jones




            FileMaker + Web:  Design, Develop & Deploy


            Certifications: FileMaker 9, 10, 11 & 12


            Member: FileMaker Business Alliance


            One Part Harmony <http://www.onepartharmony.com/>  


            Austin, Texas • USA



            • 3. Re: Supporting Payment Card Industry Data Security Requirements (PCI-DSS) with FileMaker 13

              Hi Edward,


              PCI Compliance is demanding and one that will likely grow in its demands with the growth of eCommerce and the temptation it provides for the smart thief.


              Our approach has been to take to simplest level of Compliance and leave all the demanding stuff to our Payment Gateway, who have to attain the highest level of compliance.


              I suggest you talk to John Morina at http://www.ccq-fm.com/ as he has gone through the steps needed to create a PCI Compliant payment gateway that will work with FileMaker.