What is the best way to secure CC information in Filemaker 13 and be PCI compliant
The best way is to let your upstream provider (the ones handling the charges) store the data and you only keep a reference ID to the customer in your database.
Please do not attempt to store the credit card data in your FileMaker database. When you get hacked you will only be exposing a customer reference ID.
It is possible to do it and be PCI compliant, but your solution will have to go through a time-consuming and expensive ($5K+) PCI compliance audit.
If you follow the suggestion above, where you only store a token, you are considered "out of scope" and get to avoid the worst of the PCI nonsense. On the other hand it limits functionality, and if you ever wanted to change gateways (or whoever stores the credit card information and provides the tokens) you would lose all of the data.
If you decide to store it in FileMaker the PAN (Primary Account Number, the 16 digit credit card number) needs to be encrypted. My favorite is the SmartPill plugin, which allows you to use the php mcrypt function to encrypt the PAN using AES-256.
There are other PCI rules you need to observe. For example – you can never, ever store the CVV code, or full swiped track data.
You also need to provide a way to replace the encryption key at will, which means building a routine where the user enters a new encryption key and your solution loops through each card, decrypting it using the old key and re-encrypting it using the new key.
These are just some of the rules, you should check the PCI guidelines.
PS: Encryption At Rest also seems like a good idea. Alone it is not enough, but a good addition.
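The key-replacement routine described in the answer above, as an added Ruby example written for this page rather than the SmartPill/mcrypt approach it mentions: PANs are sealed with AES-256-GCM from Ruby's standard OpenSSL library, so a wrong key or a tampered record fails loudly instead of yielding garbage, and the rotation loop skips records already on the new key version so an interrupted run can be restarted. The record layout (a Hash per card) and the function names are assumptions.

```ruby
require 'openssl'

# Each stored card is assumed to be a Hash: :customer_id, :enc_pan
# (12-byte nonce + ciphertext + 16-byte GCM tag) and :key_version.
NONCE_LEN = 12
TAG_LEN = 16

# Seal a PAN under a 32-byte key (AES-256-GCM) with a fresh nonce per record.
def encrypt_pan(key, pan)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  ct = c.update(pan) + c.final
  nonce + ct + c.auth_tag
end

# Open nonce + ciphertext + tag; a wrong key or a tampered record raises
# OpenSSL::Cipher::CipherError instead of returning garbage.
def decrypt_pan(key, blob)
  raise ArgumentError, 'record too short' if blob.bytesize < NONCE_LEN + TAG_LEN
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, NONCE_LEN)
  c.auth_tag = blob.byteslice(-TAG_LEN, TAG_LEN)
  c.update(blob.byteslice(NONCE_LEN, blob.bytesize - NONCE_LEN - TAG_LEN)) + c.final
end

# Re-encrypt every record still on old_version under new_key and bump its
# version. A record that will not decrypt raises before it is overwritten,
# so no card is silently lost; records already on the new version are
# skipped, so an interrupted run can simply be restarted.
def rotate_key(records, old_key, new_key, old_version)
  records.each do |rec|
    next unless rec[:key_version] == old_version
    pan = decrypt_pan(old_key, rec[:enc_pan])
    rec[:enc_pan] = encrypt_pan(new_key, pan)
    rec[:key_version] = old_version + 1
  end
  records
end
```

Each record carries a fresh random nonce on every re-encryption, so rotating the same PAN twice never reuses a nonce under the new key.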
I went through this a few years back with our in-house database and opted to integrate with a company called OpenEdge (formerly X-Charge).
In the beginning they had a FileMaker plugin that would handle all of the processing, but it has since been discontinued and now everything is done through XML. As Mark stated above, the benefit is you don't have the card data stored; instead you are provided an alias to the card, which is stored at the processor. All account information is entered into an encrypted hosted payment form that issues a one time key (OTK) that is good for only x amount of minutes. No data is entered into the solution. You can then use that alias for recurring charges, voids, returns, etc... This takes the hassle and expense out of PCI Compliance.
The best security is to NOT ever store the data that might be breached.