Curbstone Gains PCI Compliance for i OS Payment System

    August 26, 2008 Alex Woodie

    While the Payment Card Industry (PCI) has been congratulated for publishing clear and concise rules (especially compared to the muddy mess that was Sarbanes-Oxley), the 12-part Data Security Standard (DSS) regulations actually could have made a little more sense. According to Ira Chandler, president of i OS payment software provider Curbstone Software, following the letter of the PCI law is just not practical on some points. To address these concerns, the company launched a new dedicated communication module for its i operating system (i OS) payment software that keeps System i servers off the dangerous Internet.

    Make no mistake about it–Chandler is a big fan of PCI. Considering that Chandler has been advocating the use of encryption to protect credit card numbers for the last decade, the fact that retailers and other companies that process credit card transactions are now required by PCI to take security seriously is a validation of sorts. “If they would [follow the PCI DSS], they wouldn’t have these problems,” he says.

    It’s just that some of the wording of the PCI DSS requirements doesn’t always make the most sense. The writers of the document meant well, but they didn’t hit the nail on the head as squarely as they could.

    The part that irks Chandler is the requirement that computers storing credit card data should not be connected to the Internet. Upon first reading, that sounds like a good idea. After all, the Internet is how all those clever hackers can get into your machine and steal your private data.

    But, upon second reading, it’s not such a good idea. Especially when you consider that companies like Curbstone make credit card payment software requiring an Internet connection to obtain credit authorizations from the payment card networks. Not all companies that write payment software use the Internet for authorizations. But many do–including Curbstone, which connects with eight authorization networks–and it results in faster authorizations and less waiting in the check-out line.

    “They talk about not storing your card data on a machine that’s connected to the Internet,” Chandler said in a recent interview. “Even if they say that, they don’t mean that, because if they meant that, our software could never be used. On an AS/400 doing green-screen order entry, we connect to the Internet because we have to go out and get the authorization. Well, they’re not talking about that because that’s going to the ‘auth’ network. They’re talking about [using] the Internet on the customer side. If it’s B2B or B2C, having a customer or user access the Internet is what they’re talking about.”

    Nonetheless, the PCI requirement about Internet connections is in there, and that makes Chandler’s customers nervous. It doesn’t matter that the Curbstone Card (the name of Curbstone’s native i OS payment software) features something called an application layer firewall that prevents any communication other than known transactions in known formats from traversing the outside network into the System i server.

    It doesn’t matter that this firewall adheres to accepted security standards, and the payment software is fully verified by the authorization networks. What matters is that Curbstone’s customers are worried that a small inconsistency could lead to a PCI violation and the hefty fines that follow.

    To alleviate his customers’ concerns, Chandler and his team of developers are giving customers the option of moving authorization communications off the System i server, and onto a Linux thin client device, called the Chatter Box.

    “We’re moving communications off the AS/400, and putting it on this itty-bitty box, which can go in the DMZ,” Chandler says. “The box never stores any data. It’s merely a protocol conversion device, if you will. We talk to it from the AS/400 using secure sockets. . . . It has the Java code on it, which [allows communication with] whichever one of the eight different networks we want to talk to. It does the communication to the network using their certified protocols, which are all hardened. It gets the response back, and then we get the response back to the AS/400 through the SSL socket.”

    Chandler didn’t launch the Chatter Box to suit the letter of the law, “but to suit the merchants who are risk avoidant, and paranoid, as they should be,” he says. “They say ‘I don’t care if you’re validated to work with the AS/400 in the LAN and to go out to the Internet to get authorization. I want it on a second box.’ Well here’s the answer.”

    Curbstone, which is based near Atlanta, Georgia, recently had a qualified security assessor, or QSA, verify that its software and development techniques met PCI standards. Chandler–who compared the experience to a certain type of exam performed by a certain type of medical professional–expressed relief that the PCI audit was completed. Getting the new Chatter Box certified for PCI was “part of the reason it was so painful,” he says.

    Curbstone officially announced PCI compliance last week in a joint press release with IBM. The companies also shared the story of how Adorama, a retailer of photography and video equipment, used Curbstone Card to secure its payment system.

    According to Adorama, the fact that Curbstone is compliant with Visa and MasterCard security programs led those credit card companies to reduce the processing fees they charge Adorama. “In addition, we estimate these programs have reduced fraudulent online purchases by more than five percent,” Harry Drummer, special assistant to Adorama’s president, said in the press release. “We couldn’t be happier with the solution.”

    PCI-compliant versions of Curbstone Card and its new Chatter Box will be available soon. For more information, visit the company’s Web site at www.curbstone.com.

    RELATED STORIES

    ID Theft Case Put Focus on Credit Card Security

    Putting the ‘i’ Back Into PCI

    Curbstone Finds Java Satisfying for Communications Protocols

    Curbstone Native OS/400 Credit Card Software Makes Debut



Volume 8, Number 31 -- August 26, 2008
Copyright © 2025 IT Jungle