Curbstone Gains PCI Compliance for i OS Payment System

August 26, 2008 Alex Woodie

While the Payment Cardholder Industry (PCI) has been congratulated for publishing clear and concise rules (especially compared to the muddy mess that was Sarbanes-Oxley), the 12-part Data Security Standards (DSS) regulations actually could have made a little more sense. According to Ira Chandler, president of i OS payment software provider Curbstone Software, following the letter of the PCI law is just not practical on some points. To address these concerns, the company launched a new dedicated communication module for its i operating system (i OS) payment software that keeps System i servers off the dangerous Internet.

Make no mistake about it–Chandler is a big fan of PCI. Considering that Chandler has been advocating the use of encryption to protect credit card numbers for the last decade, the fact that retailers and other companies that process credit card transactions are now required by PCI to take security seriously is a validation of sorts. “If they would [follow the PCI DSS], they wouldn’t have these problems,” he says.

It’s just that some of the wording of the PCI DSS requirements doesn’t always make the most sense. The writers of the document meant well, but they didn’t hit the nail on the head as squarely as they could.

The part that irks Chandler is the requirement that computers storing credit card data should not be connected to the Internet. Upon first reading, that sounds like a good idea. After all, the Internet is how all those clever hackers can get into your machine and steal your private data.

But, upon second reading, it’s not such a good idea. Especially when you consider that companies like Curbstone make credit card payment software requiring an Internet connection to obtain credit authorizations from the payment card networks. Not all companies that write payment software use the Internet for authorizations. But many do–including Curbstone, which connects with eight authorization networks–and it results in faster authorizations and less waiting in the check-out line.

“They talk about not storing your card data on a machine that’s connected to the Internet,” Chandler said in a recent interview. “Even if they say that, they don’t mean that, because if they meant that, our software could never be used. On an AS/400 doing green-screen order entry, we connect to the Internet because we have to go out and get the authorization. Well, they’re not talking about that because that’s going to the “auth” network. They’re talking about [using] the Internet on the customer side. If it’s B2B or B2C, having a customer or user access the Internet is what they’re talking about.”

Nonetheless, the PCI requirement about Internet connections is in there, and that makes Chandler’s customers nervous. It doesn’t matter than the Curbstone Card (the name of Curbstone’s native i OS payment software) features something called an application layer firewall that prevents any communication other than known transactions in known formats from traversing the outside network into the System i server.

It doesn’t matter that this firewall adheres to accepted security standards, and the payment software is fully verified by the authorization networks. What matters is that Curbstone’s customers are worried that a small inconsistency could lead to a PCI violation and the hefty fines that follow.

To alleviate his customers’ concerns, Chandler and his team of developers are giving customers the option of moving authorization communications off the System i server, and onto a Linux thin client device, called the Chatter Box.

“We’re moving communications off the AS/400, and putting it on this itty-bitty box, which can go in the DMZ,” Chandler says. “The box never stores any data. It’s merely a protocol conversion device, if you will. We talk to it from the AS/400 using secure sockets. . . . It has the Java code on it, which [allows communication with] whichever one of the eight different networks we want to talk to. It does the communication to the network using their certified protocols, which are all hardened. It gets the response back, and then we get the response back to the AS/400 through the SSL socket.”

Chandler didn’t launch the Chatter Box to suit the letter of the law, “but to suit the merchants who are risk avoidant, and paranoid, as they should be,” he says. “They say ‘I don’t care if you’re validated to work with the AS/400 in the LAN and to go out to the Internet to get authorization. I want it on a second box.’ Well here’s the answer.”

Curbstone, which is based near Atlanta, Georgia, recently had a qualified security assessor, or QSA, verify that its software and development techniques met PCI standards. Chandler–who compared the experience to a certain type of exam performed by a certain type of medical professional–expressed relief that the PCI audit was completed. Getting the new Chatter Box certified for PCI was “part of the reason it was so painful,” he says.

Curbstone officially announced PCI compliance last week in a joint press release with IBM. The companies also shared the story of how Adorama, a retailer of photography and video equipment, used Curbstone Card to secure its payment system.

According to Adorama, the fact that Curbstone is compliant with Visa and MasterCard security programs led those credit card companies to reduce the processing fees they charge Adorama. “In addition, we estimate these programs have reduced fraudulent online purchases by more than five percent,” Harry Drummer, special assistant to Adorama’s president, said in the press release. “We couldn’t be happier with the solution.”

PCI compliant versions of Curbstone Card and its new Chatter Box will be available soon. For more information, visit the company’s Web site at www.curbstone.com.

Putting the ‘i’ Back Into PCI

Curbstone Finds Java Satisfying for Communications Protocols

Curbstone Native OS/400 Credit Card Software Makes Debut

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Tags:

CYBER-ATTACKS ON THE RISE. PROTECT WITH THE TRIPLE PLAY.

COVID-19 has not only caused a global pandemic, but has sparked a “cyber pandemic” as well.

“Cybersecurity experts predict that in 2021, there will be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.”¹

Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.

UCG Technologies’ VAULT400 subscription defends IBM i and Intel systems against cyber-attacks through comprehensive protection with the Triple Play Protection – Cloud Backup, DRaaS, & Enterprise Cybersecurity Training.

Cyber-attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what NOT to click on. Cyber threats and social engineering are constantly evolving and UCG’s Enterprise Cybersecurity Training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.

A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).

Data is a company’s most valuable asset. UCG’s VAULT400 Cloud Backup provides 256-bit encrypted backups to two (2) remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.

Recovery is not a trivial task, especially when you factor in the time sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized and a managed service disaster recovery allows employees to keep focus on running the business in a crisis state.

The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.

Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.

ucgtechnologies.com/triple-play

800.211.8798 | info@ucgtechnologies.com

Workplace Service Firm Licenses Lawson’s i OS-based ERP Automatic or Static Storage?

Table of Contents

Content archive

Recent Posts

Subscribe

Pages

Search