1. Who suggested this? AES256 is pretty robust, and I've passed PCI compliance to store CC info without it.
2. You can deploy FileMaker into a multiple-server configuration to satisfy this need, separating the web server from the database server.
3. Documentation says one key is good. Page 8, above link.
4. Depends on what you're using as a merchant processor. You might want to check out the numerous merchant processing plugins for FileMaker, such as 360Works Plastic and Productive Computing's FM Credit Card.
5. Correct, connection packs only affect WebDirect and FileMaker Go connections. There are still other limitations to consider when hosting ODBC/JDBC; if you're thinking of hundreds of users simultaneously, you might run into performance and data binding issues.
The first time around we used a plug-in for credit card processing. Worked OK, but harder to get PCI-DSS certified.
The next time around, we wrote our own code to talk to the Accelerated Payment Technologies gateway. We chose Accelerated (part of Global Payments, an NYSE-listed company) because they know FileMaker (met them at DevCon) AND they made it very easy for our clients to become PCI-DSS compliant with their PCI Assure program AND we were able to negotiate some very low fees for transaction processing. To become compliant, a client need only complete a simple survey (really simple, so we do it for most clients) once a year and provide an IP address for running a scan once a quarter. (The company that provides the certification runs the scan, so the client only needs to sign in once a quarter to “acknowledge” the scan.)
Took only a few days to write the code to talk to the gateway using a pair of very simple web viewer objects. And thus we were able to get rid of the plug-in we had been using. It was a little bit more work than using a plug-in, but it is so nice not having to worry that we might need to upgrade the plug-in after any new Java release.
Here’s a link to the Accelerate Payments web site:
Peace, love & brown rice,
FileMaker + Web: Design, Develop & Deploy
Certifications: FileMaker 9, 10, 11 & 12
Member: FileMaker Business Alliance
One Part Harmony <http://www.onepartharmony.com/>
Austin, Texas • USA
PCI Compliance is demanding, and its demands will likely grow with the growth of eCommerce and the temptation it provides for the smart thief.
Our approach has been to take the simplest level of Compliance and leave all the demanding stuff to our Payment Gateway, who have to attain the highest level of compliance.
I suggest you talk to John Morina at http://www.ccq-fm.com/ as he has gone through the steps needed to create a PCI Compliant payment gateway that will work with FileMaker.