Question from a user:
"Is the public-facing portal ultra-super highly secure? Enough for Social Security numbers and other personal information?"
You can apply an SSL certificate to the Forms public portal if you would like, and that would make it more secure. It's up to the client if they feel comfortable at that point having SSNs entered.
Thanks, Blake. I've already expressed that to the customer but it did not alleviate their concerns. I just wanted to make sure there weren't other recommendations to enhance security.
I'd probably worry about the other end as well if not more than the IIS side of it.
While SSL would encrypt the data coming in, what happens after that? Is Forms using a SQL Server with little or no security? Is SQL set up to encrypt its files on disk?
In the same vein, how is the process handling this data secured? Does everybody have rights to see the instances?
How is the data used in processes after the initial intake? Do users handling it during the process view it from unsecured devices? Do they use weak passwords to log into Forms?
If the other personal information includes credit cards, then the solution needs to be PCI compliant, which Forms is not at this time.
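The "Is SQL set up to encrypt its files on disk?" question above maps to SQL Server Transparent Data Encryption (TDE). The script below is an added example showing how to enable TDE for the database behind Forms and how to verify the result; it is not code from Forms, its vendor, or anyone in this thread. The database name `FormsDB`, the certificate name `FormsTDECert`, the file paths and the passwords are placeholder assumptions and must be replaced for a real installation.

```sql
-- Added example: enable Transparent Data Encryption (TDE) on the database
-- that holds Forms submissions, then verify it. Names and paths are assumed.
-- TDE encrypts the .mdf/.ldf files and backups at rest; it does NOT limit
-- which logins or application users can read rows, so the "who can see the
-- instances" question still has to be answered in Forms and in SQL permissions.

USE master;
GO

-- 1. Database master key in master (protects the certificate's private key).
--    Use a long, unique password and store it in a secrets vault.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO

-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE FormsTDECert
    WITH SUBJECT = 'TDE certificate for FormsDB';
GO

-- 3. Back the certificate up IMMEDIATELY. Without this backup an encrypted
--    database cannot be restored on another server after a disk failure.
BACKUP CERTIFICATE FormsTDECert
    TO FILE = 'D:\Secure\FormsTDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\Secure\FormsTDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>'
    );
GO

-- 4. Create the database encryption key in the Forms database (assumed name).
USE FormsDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE FormsTDECert;
GO

-- 5. Turn encryption on. Existing pages are encrypted in the background.
ALTER DATABASE FormsDB SET ENCRYPTION ON;
GO

-- 6. Verify. encryption_state 3 = encrypted; 2 = encryption in progress.
--    Run this on any server you are asked to "check" for encryption at rest.
SELECT d.name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d ON d.database_id = dek.database_id
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint;
GO

-- 7. Least-privilege check for the account Forms connects with (assumed login
--    name). It should be a member of db_datareader/db_datawriter (or whatever
--    the product requires), not sysadmin or db_owner by default.
SELECT p.name AS principal_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = rm.member_principal_id
WHERE p.name = 'FormsServiceLogin';
GO
```

Two caveats belong with this: tempdb is encrypted automatically once any user database enables TDE, so tempdb spills of SSN data are covered, but the certificate backup from step 3 becomes a disaster-recovery dependency that has to be stored off the server; and TDE says nothing about the client end of the connection, so the SQL connection string between Forms and SQL Server should also require an encrypted connection (the `Encrypt=True` connection-string setting) so SSNs are not readable in transit on the internal network either.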
Hi Miruna,
Just checking - with the advent of the Payment Gateway; is Forms now PCI Compliant?
Thanks,
Duncan
Braintree is PCI DSS compliant as a payment gateway. Forms only embeds the Braintree pages, so as an application it does not need to be PCI compliant because the card data never hits the Forms server. This setup enables you to complete a PCI compliance self-assessment questionnaire (SAQ) for your installation of Forms. See the help file for more information and the links to the PCI self-assessment standards. I believe you would need an SAQ A-EP in this case.
Thanks Miruna!