PCI compliant server - Printable Version
Form Tools forums (https://forums.formtools.org), General Discussion
Thread: PCI compliant server (/showthread.php?tid=417)
PCI compliant server - jschnyderite - Dec 29th, 2009

Does this software have trouble running on PCI compliant servers? My hosting company is saying that is the reason I'm having trouble with my install and is trying to move me to a VPS. I have it running on another site with the same hosting company, though likely on a server with different configurations.

RE: PCI compliant server - Ben - Jan 1st, 2010

Hey jschnyderite,

Good question... the truth is, I don't know - but I suspect not. Not because FT is at all insecure, but PCI has such strict requirements.

From what I understand about PCI, it's entirely about securing servers so they can safely process credit card transactions. Form Tools should NOT be used for that. The reason is, Form Tools stores form submission content unencrypted in the database. You can't have people's credit cards stored unencrypted in a DB - it's just a bad idea. If your server is running any single script with a security hole, that information could potentially be accessed - and PHP is a notoriously insecure programming language and there are OODLES of bad PHP scripts out there.

But if you really wanted to pursue this option there are still possibilities, but they should be examined & weighed by a security specialist. First, you could use the Submission Pre-Parser module to encrypt CC information prior to storing it in the database. You could juggle encryption salts to minimize the likelihood of the data being decrypted if the DB was breached. You could also use Form Tools to *initially* store the CC data, then after it has been processed, delete the sensitive information from that record. Alternatively, you could export all content to a local server, safe behind a firewall, and delete all "public" FT database content on a schedule.

But to return to your original question about PCI, I don't really know enough about their requirements. I think you may need to spend time poring over their docs or get a specialist in to help determine the route to take. There are very possibly issues I haven't thought of that would need to be addressed separately. If you do find out anything and need to ramp up FT's security in one or other regard, please let me know.

Thanks! - Ben
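The two mitigations Ben sketches (encrypt the card field before it reaches the database, then strip the sensitive value once the payment has been processed) are shown below as an added example. This is not Form Tools code and does not reproduce the Submission Pre-Parser module's hook signature; the functions are stand-alone helpers a pre-parser rule could call. It assumes PHP with the bundled libsodium extension, a 32-byte key supplied through an environment variable named FT_FIELD_KEY (an assumed name), and a constructed test card number as input. Keeping the key outside the database, rather than "juggling salts", is what makes a dumped table useless on its own, and secretbox is authenticated, so a tampered or wrong-key value is rejected instead of decrypting to garbage.

```php
<?php
// Added example, not Form Tools' own code: field-level encryption for a
// submission value with libsodium secretbox (XSalsa20-Poly1305). The key
// lives outside the DB; FT_FIELD_KEY is an assumed variable name.
declare(strict_types=1);

// Read the 32-byte key from the environment (base64). A database dump then
// contains only ciphertext; an attacker also needs the web server's env.
function load_field_key(): string
{
    $b64 = getenv('FT_FIELD_KEY');
    if ($b64 === false) {
        throw new RuntimeException('FT_FIELD_KEY is not set');
    }
    $key = sodium_base642bin($b64, SODIUM_BASE64_VARIANT_ORIGINAL);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('FT_FIELD_KEY must decode to 32 bytes');
    }
    return $key;
}

// Encrypt one field value. A fresh random nonce per value is what makes
// reusing one key across every submission safe; nonce + ciphertext are
// stored together under a version prefix so the format can be rotated.
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($plaintext); // wipe the local copy of the card number
    return 'sb1:' . sodium_bin2base64($nonce . $ct, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// Decrypt a stored value. Returns null for unknown format, undecodable
// base64, truncated data, or a failed authentication tag (tampering or
// wrong key), so callers never see a silently corrupted card number.
function decrypt_field(string $stored, string $key): ?string
{
    if (strncmp($stored, 'sb1:', 4) !== 0) {
        return null;
    }
    try {
        $raw = sodium_base642bin(substr($stored, 4), SODIUM_BASE64_VARIANT_ORIGINAL);
    } catch (SodiumException $e) {
        return null;
    }
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) <= $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $pt = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    return $pt === false ? null : $pt;
}

// Post-processing step from the thread: once the card has been charged,
// replace the stored value with a non-sensitive remnant (last four digits).
function redact_card(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    return '****' . substr($digits, -4);
}

// Usage with a constructed test number (a standard test PAN, not a real card).
putenv('FT_FIELD_KEY=' . sodium_bin2base64(
    sodium_crypto_secretbox_keygen(), SODIUM_BASE64_VARIANT_ORIGINAL));
$key     = load_field_key();
$stored  = encrypt_field('4111 1111 1111 1111', $key);            // goes in the DB
$back    = decrypt_field($stored, $key);                          // original PAN
$damaged = decrypt_field(substr($stored, 0, -2) . 'AA', $key);    // null: tag check fails
$after   = redact_card($back);                                    // '****1111'
printf("stored=%s\nback=%s\ndamaged=%s\nafter=%s\n",
    $stored, $back, var_export($damaged, true), $after);
```

Two points a practitioner would weigh before relying on this: the key has to be provisioned to the web server some other way than the database (environment, a file outside the web root, or a KMS), and rotated by re-encrypting under a new prefix; and encrypting the field narrows what a database breach exposes but does not by itself take the server out of PCI DSS scope, since the plaintext still transits PHP and the form handler on every submission.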