Curbstone Revamps Card Payment Software to Avoid PCI Exposure
July 16, 2013 Alex Woodie
Curbstone, a developer of credit card payment software for the IBM i server, is rolling out a new software as a service (SaaS) credit card payment solution, called Curbstone CorrectConnect (C3) that will shield customers from the most onerous requirements of the PCI DSS security standard. The new offering, which Curbstone customers are already using, features additional options for Web-based merchants, as well as organizations that take payment information over the phone.
We are still in the first decade of PCI DSS compliance, but it doesn’t seem to be getting any easier for merchants. Besides the upfront costs of gaining compliance–well into the six figures for the bigger shops–merchants must complete onerous self-assessments every quarter. And with the threat of disruptive audits hanging around merchants’ necks, it’s no wonder they are looking for a solution to their PCI pain.
Now, Curbstone is delivering a hosted payment solution that drastically reduces its customers’ exposure to PCI compliance and audits. Ira Chandler, the founder and CEO of Curbstone, recently gave IT Jungle the lowdown on the new C3 offering.
“We have built a Web portal that consists of redundant AS/400s living at a world-class hosting facility in Atlanta,” Chandler says via email. “The facility is PCI validated as secure. At that site, we will provide the target for the new software that all customers will use. Instead of [customers] storing the card data on their system, the C3 portal will save the card data. Also, instead of the customer contacting the authorization networks directly, the C3 portal systems will handle the comm with the authorization networks.”
The Web portal functions as a front-end and uses HTTPS POST to securely communicate with the authorization network. The solution supports the same seven settlement providers as the Curbstone Card (C2) software does, giving customers a choice and helping to avoid lock-in.
All communication between C3 and clients’ IBM i-based systems is done using tokens. Because the payment data is tokenized, customers are no longer storing credit card data on their systems, and therefore they are not subject to the storage requirements of PCI DSS. It doesn’t completely exonerate customers from PCI DSS compliance, Chandler says, “but it is a start.” As a result, customers will qualify for the SAQ-C-VT requirement, which is less onerous than the PCI Self-Assessment Questionnaire (SAQ-D).
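To make the scope-reduction argument concrete, here is an added illustration of the hosted-vault model the article describes: the portal side is the only place a card number is stored, and the merchant side keeps a random token plus the last four digits. This is example code written for this page, not Curbstone’s C3 implementation; the `TokenVault` class, the `merchant_checkout` function and the simulated authorization response are all assumptions.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check on a card number string (catches keying errors, not fraud)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the hosted portal: the only component that holds a PAN."""

    def __init__(self):
        self._vault = {}  # token -> card record; never returned to callers

    def tokenize(self, pan: str, exp: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Token is random and unrelated to the PAN, so it cannot be reversed
        # without access to the vault itself.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = {"pan": pan, "exp": exp}
        return {"token": token, "last4": pan[-4:]}

    def authorize(self, token: str, amount_cents: int) -> dict:
        card = self._vault.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        # A real portal would forward the PAN to the auth network here;
        # this is a simulated approval for the example.
        return {"approved": True, "auth_code": secrets.token_hex(3)}


def merchant_checkout(vault: TokenVault, pan: str, exp: str, amount_cents: int) -> dict:
    """Merchant side: hands the PAN to the vault once and records only the token."""
    tok = vault.tokenize(pan, exp)
    order = {"token": tok["token"], "last4": tok["last4"], "amount": amount_cents}
    resp = vault.authorize(order["token"], amount_cents)
    order["approved"] = resp["approved"]
    return order  # contains no PAN, so this record is out of PCI storage scope
```

The Luhn doubling line is written compactly; `d * 2 - 9` applies whenever the doubled digit would exceed 9 (that is, `d >= 5`).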
Chandler expects a good chunk of his 300-plus C2 customers will consider moving to C3, which is also lighter weight than C2. C3 also uses a virtually identical API to C2, which means that the process of feeding the backend IBM i applications with transaction data will not be much different with C3 than it was with C2, thereby minimizing programming work for customers making the move to C3. The two products can run simultaneously on the customer system in any combination of simulation, test, and live modes, he adds.
Customers who want to get as far away from PCI DSS requirements as possible may be interested in two additional credit card data entry solutions that Curbstone is releasing.
The first is called the Isolated Payment Terminal (IPT). The IPT is a piece of software that customer service representatives at companies that accept mail order and telephone orders can use to enter credit card information. IPT runs on any HTTPS-capable Web browser. Curbstone recommends customers run the IPT on $100 tablets with a dedicated WiFi router, but any laptop, smartphone, or other mobile device will do. It’s designed to be the smarts of a “virtual terminal,” per the PCI DSS spec.
“What makes this unique,” Chandler explains, “is that the order information entered in the order entry software is sent to the tablet, so no re-keying is required. All the operator keys in to the tablet is the card number, the expiration, and the security code. The tablet gets the response from the auth network, and the AS/400 gets the complete response at the same time. This allows the order entry software to operate in the same fashion as it did with C2.”
The second new offering is called the Payment Landing Pages (PLP), which is a way for the merchant’s e-commerce system to pass the user to a dedicated payment page on Curbstone’s system. This eliminates the need for the merchant’s Web server to ever touch its customers’ credit card data. Chandler compares the PLP process to the way that eBay hands payment processing over to PayPal, and then PayPal hands the customer back to eBay when the transaction is complete.
C3 was written in PHP by Alan Seiden, a renowned PHP on IBM i expert. Chandler says that the use of PHP enables multi-threading, which means very fast authorizations. “We have tested the client-to-server throughput, using dummy auth requests, round trip, to be less than 0.2 seconds with loads of 1,000 transactions per minute,” Chandler says. “PHP kicks butt.”
Curbstone is currently in the process of four simultaneous PCI audits (because if one PCI audit is great fun, then four at the same time must be pure bliss). One of the audits is on the existing C2 software; one is for the C3 client software that lives on the customer AS/400; another is for the C3 server software; and the last is on Curbstone Corporation as a service provider. “We will be deploying customers this year and will eventually transform our business from licensed software to software as a service,” Chandler says.