Back in the day, credit card fraud was heavily focused on Retail card-present. This was because the bad guys could buy a list of stolen card info and use that to rewrite the magnetic stripe on the back of old cards. When swiped, the merchant did not realize the swiped data was truly "swiped" (stolen) and processed the charge.
EMV TO THE RETAIL RESCUE
Now, the new CHIP and Signature cards, called EMV, make it impossible to do that, and have eliminated that lucrative method of stealing money from merchants. According to Visa: "Merchants who accept chip cards witnessed a 76 percent dip in card present counterfeit payment fraud since the U.S. payments industry began the shift to EMV chip in 2011."
SHIFT TO e-COMMERCE
Fraud is a growing and constant threat to merchants who accept cards, and now especially in e-commerce. E-commerce does not enjoy the protections offered by chip cards. Most e-commerce fraud is done by brute force, repeatedly trying to process stolen card data. One Curbstone merchant was protected against a brute force attack earlier this year that resulted in over one half-million automated authorization attempts.
Here at Curbstone, we’ve compiled some hints on where to start in minimizing fraud in e-Commerce and the consequent risk to the business. These tips are not only useful to our clients, but to any merchant. Following are some measures that can minimize fraudulent e-commerce transactions.
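The brute-force pattern described above, repeated authorization attempts cycling through stolen card data, is usually caught with a velocity check on declined authorizations. The following is an added example (not Curbstone code); the log format, the source/PAN values and the thresholds are all constructed assumptions.

```python
"""Velocity check for card-testing ("brute force") authorization attempts.

Added example, not Curbstone code. Parses constructed authorization-log lines
of the form  <ISO timestamp> <source> <masked PAN> <AUTH|DECLINED>  and flags
any source that produces more than MAX_DECLINES declined attempts inside a
sliding WINDOW. Sources, PANs and timestamps below are constructed samples.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
MAX_DECLINES = 5                 # declines tolerated per source per window (assumption)

# Constructed sample log: one source hammering distinct cards, one normal shopper.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 ****1111 DECLINED
2024-03-01T10:00:03 203.0.113.5 ****2222 DECLINED
2024-03-01T10:00:05 198.51.100.7 ****9999 AUTH
2024-03-01T10:00:06 203.0.113.5 ****3333 DECLINED
2024-03-01T10:00:09 203.0.113.5 ****4444 DECLINED
2024-03-01T10:00:12 203.0.113.5 ****5555 DECLINED
2024-03-01T10:00:15 203.0.113.5 ****6666 DECLINED
2024-03-01T10:00:18 203.0.113.5 ****7777 AUTH
2024-03-01T10:02:00 198.51.100.7 ****9999 DECLINED
2024-03-01T10:02:30 198.51.100.7 ****9999 AUTH
"""


def parse_line(line):
    """Split one log line into (timestamp, source, masked_pan, result)."""
    ts, source, pan, result = line.split()
    return datetime.fromisoformat(ts), source, pan, result


def detect_card_testing(log_text, window=WINDOW, max_declines=MAX_DECLINES):
    """Return {source: (first_alert_time, distinct_pans)} for every source whose
    declined attempts within `window` exceed `max_declines`.

    A deque per source holds the timestamps of recent declines; entries older
    than the window are dropped from the left before each comparison. Distinct
    masked PANs are counted too, because card testing rotates through many
    cards, whereas a legitimate customer usually retries the same card.
    """
    declines = defaultdict(deque)      # source -> timestamps of recent declines
    pans_seen = defaultdict(set)       # source -> distinct masked PANs attempted
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, pan, result = parse_line(line)
        pans_seen[source].add(pan)
        if result != "DECLINED":
            continue
        recent = declines[source]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > max_declines and source not in alerts:
            alerts[source] = (ts, len(pans_seen[source]))
    return alerts


if __name__ == "__main__":
    for src, (when, n_pans) in detect_card_testing(SAMPLE_LOG).items():
        print(f"card testing from {src} at {when.isoformat()} ({n_pans} distinct PANs)")
```

Keying on source address alone is weak against distributed testing; the same check is normally also applied per customer account, device fingerprint or card BIN.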
Here at Curbstone Corporation, we provide secure payment technology for US and Canada-based merchants on the IBM i (AS/400, iSeries) platform.
We play a critical role in our clients’ success, but, according to Curbstone Operations Manager Ryan Nichols, our merchants are the real heroes. They work at the coalface to sell their products and services and advance their businesses.
They all deserve a shout-out for their efforts so we’ve decided to begin a series of posts in which we’ll shine the spotlight on them, and honor some of our favorite customers, showing what they’ve accomplished with our technology.
This time around, we visited with Geiger Brandspiration’s Michael J. Plourde, Director Data & Analytics, to get a feeling for where his company came from and what it is all about.
It turns out that Geiger Brandspiration, based in Lewiston ME, is one of the largest distributors of promotional merchandise in the world and definitely the largest privately owned enterprise of its type. It supplies a large range of promotional items to clients across the US and worldwide, including Fortune 1000 multi-nationals.
Read more about how Geiger leverages Curbstone's security, integration, and cost-savings...
SAQ. Three letters that can strike fear into the minds of hackers.
Self-Assessment Questionnaire. SAQ. Provided by our friends at the Payment Card Industry Security Standards Council (SSC).
The PCI Data Security Standards (DSS) were developed to ensure that companies accepting credit cards follow industry best practices when handling sensitive consumer information, including their card numbers. These are the "BEST PRACTICES" for merchants, and the way they are validated is with very specific questions, as many as ~600, provided by the PCI SSC.
As of 01/31/2017 - yes, years ago - your bank/acquirer was obligated to require a self-audit from YOU.
Heard nothing from them? This mandate may not have been enforced by your bank or acquirer, though that does not let you off the hook.
The Wall Street Journal reported in May, 2019, that Bank of America was considering dissolving the decade-long joint venture with authorization network service provider, First Data. Their change was the result of dissatisfaction with First Data's customer service and technical abilities.
Since 2013, Curbstone, the market leader for card processing technology for the IBM Power Systems running the IBM i operating system, had supported First Data. Having experienced the same customer service and technical issues, Curbstone had notified its clients ONE MONTH EARLIER, in April, 2019 that it would be dropping support for the First Data authorization network platform. In the course of the following year, all of Curbstone's clients will be migrated to other platforms, with the majority moving to TSYS authorization network. Curbstone’s merchants are being provided sufficient time and consideration to transition to a new network.
Read more about First Data, now FISERV, and Bank of America...
When Curbstone was looking for replication software that would work on our Blue hardware, we knew we did not want to wind up Blue.
Initially, to guarantee the replication speed we required for immediate failover, we wrote our own replication. We were not Blue, we were happy. We had two stacks of gear that were redundant, and when failover happened, the data was always on the second system. All was well.
Then we decided to add a third stack, and while it worked, we wanted more.
The HUNT was on. We looked at the several excellent HA/DR backup and replication products. We pored over the features, support and costs, and one clear winner emerged.
Find out who...
For Verifone Payware Transact customers: You have a BETTER option than you expect...
Just call 888-844-8533 to get moving again.
The NRF has asked the Federal Trade Commission to conduct an investigation into an organization (PCI) founded by the credit card industry that sets data security standards, saying the group’s controversial practices raise antitrust concerns.
They are targeting the Payment Card Industry Security Standards Council (PCI SSC).
The NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries.
They are saying that “We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector...”
VERIFONE DETAILS 2014-10-10
not assumed to be the latest news...
"Because VeriFone is committed to delivering powerful new solutions and technologies, we intend to End-Of-Life (“EOL”) PAYware Transact as follows:
Final Order Date: After December 31, 2014 VeriFone will cease taking orders for new PAYware Transact licenses issued to new customers. Customers may elect to purchase new MID/TID or add on services to existing licenses through December 31, 2015.
Final Shipment Date: After January 15, 2015 VeriFone will stop shipping orders for new PAYware Transact licenses. Existing customers may elect to purchase new MID/TID or add on services to existing licenses through December 31, 2015.
End of Development Date: Effective immediately there will be no new VeriFone sponsored software development with respect to PAYware Transact
Read more about Curbstone's REPLACEMENT...
CURB CREDIT CARD CHAOS with our Credit Card Processing System based on the IBM Power Systems running the IBM 'i' Operating System...
If your Order Entry is based on the IBM i, we provide three areas of value:
- INCREASED PCI COMPLIANT SECURITY
- COST-SAVINGS ON PROCESSING FEES
- SEAMLESS, NATIVE INTEGRATION TO YOUR ORDER ENTRY
PHONE ORDERS | CALL CENTERS | E-COMMERCE | RETAIL EMV
Optimize SECURITY, and reduce PCI scope by eliminating contact with card numbers on your existing workstations. Use our Remote Tokenization to isolate you from the card data.
Take your entire existing infrastructure out of PCI scope by implementing our unique Isolated Payment Terminals to reduce your PCI reporting scope and workload.
Minimize mandatory PCI reporting, no more SAQ 'D' with our IPT, PLP, and EMV technologies. Get better security with the SAQ 'C/VT' and take your systems out of scope. Save time, complete easier SAQ self-audits.
Seamless Order Entry integration = more productivity, so your sales people never re-key data.
Speed up the order payment process, sell more, since Curbstone supports cards-on-file for returning customers, credits, and recurring billing. More convenience = happier customers who buy more!
Retains your current bank/acquirer relationship, since we support the majority of banks/acquirers in the US. Negotiate your best rate independently and we do not lock you in.
No merchant application process, no new fees, since Curbstone does not charge per/transaction fees with our credit card processing system.
Integrates with retail Chip Card Readers (EMV) for IBM i-integrated Retail Point-Of-Sale.
Avoid chargebacks, and send the most highly-qualified transactions to qualify for the lowest rates.
OWN your cards-on-file card DATA - Curbstone is your secure custodian.
Change networks, retain cards on file for business continuity. If you lock in to a network, they own your card data. With Curbstone, your card data that we retain is portable to your choice of authorization network.
REQUEST YOUR COMPLIMENTARY NEEDS ANALYSIS NOW
Small world --
Curbstone + TSYS -- Curbstone + TransFirst -- TSYS acquires TransFirst!
Curbstone was again selected for the Gold Partner award from TSYS, one of the largest authorization networks in the country.
For the last 12 years here at Curbstone, we have held TSYS in the highest regard due to their professionalism and responsiveness. Over 50% of our customers use their authorization network services.
The other side of TSYS is an ACQUIRER that is growing very fast. They provide the transaction collection and payment services for merchants, and their professionalism and responsiveness (a recurring theme) has justified our strong support.
Read about our new relationship and how YOU benefit...
If you sell to corporations or the Government, business to business, B2B, likely you accept credit cards that are Level III (three) Corporate Purchasing Cards. SOLUPAY has info for you!
These are intended to allow the merchant to submit a complete line item detail report AS PART OF THEIR SETTLEMENT. This is intended to be used by the card-holder as an electronic after-the-fact Purchase Order to document what they bought. Consider it the equivalent of an EDI 851 transmittal.
Since the card-issuing banks want their cardholders to get the most benefit, the card brands want to encourage you, the merchant, to fill in the line item detail. They encourage you
- How do you know it is a Level III card, as they are not visibly labeled?
- What if the line item detail is simply not available directly from your Order Entry system?
SOLUPAY, an acquirer who is a valued Curbstone Partner, has the solution. Skipping the details, with Curbstone C2 or C3, using SOLUPAY as your acquirer, you can avoid the costly downgrades from NOT providing data you likely did not know you were missing.
One long-time Curbstone Customer just switched to SOLUPAY and is taking advantage of their solution for submitting Level III. This manufacturer, in one day's batch of transactions, had 32 that qualified at the Level III compliance rate. Their Interchange - base - rate fee would have been $2203.48. With SOLUPAY's solution, their actual fee was only $1379.06 since all the transactions qualified for Level III.
That is a savings of $824.42 - FOR THE DAY.
Contact your Account Rep at Curbstone for details on how you can save money on your B2B receivables!!
Slic Systems offers their excellent FUTIL file utility.
FUTIL is a totally free, open source utility. It is similar to WRKDBF, VIEW and SHWFC to name but a few.
The main commands are:
VUE - Edit a file
DBR - Display database relations
The Green Sheet is a wonderful resource for merchants.
This article is full of info on how to avoid fraud. http://www.greensheet.com/emagazine.php?story_id=3208
"With the ever-growing problem of identity theft, fraud is of increasing concern to merchants, especially those in the MO/TO and e-commerce categories. Some merchants take an unreasonable approach and say they want a 100 percent guarantee that if they do next-day or same-day delivery with customers they don't know, they'll never have a chargeback. To that, I reply the dream factory is located in their nearest casino.
Nowadays, it's relatively easy for thieves to make credit cards and enter data they steal via skimming. MO/TO and e-commerce merchants are prime targets for these identity thieves.
HOW TO IDENTIFY FRAUD, READ ON...
LOSE EVERY ONE!
How? According to Bill Hoidas at Matrix Payment Systems, with the new EMV Chip card regulations for face to face transactions, if a merchant swipes the mag strip on a chip card instead of using the chip function on their credit card terminal or POS and they receive a chargeback for any reason, no chargeback replies will be accepted by the card issuing banks.
They will automatically reject the chargeback reply and give Reason Code: "4870-CHIP LIABILITY SHIFT". Be warned!
Consultant Manager, Larger B2B/MOTO/Internet Accounts
Product Development Manager, Matrix Payment Systems
HIGH AVAILABILITY and HOSTING
...are not often available with focus on the IBM i Operating System and hardware. In our search for vendors, Curbstone was lucky to discover Baseline Data Services. This is a major provider of i-specific hosting, high availability, and disaster recovery services. If you ever wondered who the major banks use for these services, look no further.
How many providers can boast of:
- Payment Card Industry Data Security Standard (PCI DSS) Compliance
- SOX Compliance (SAS 70, SSAE 16/SOC 1, SOC 2)
- Health Insurance Portability and Accountability Act (HIPAA) Compliance
- Federal Financial Institutions Examination Council (FFIEC)
- Office of the Comptroller of the Currency (OCC)
- Federal Reserve Board (FRB) Certified
- Safe Harbor Compliance
Read more about our Partner, Baseline...
Curbstone software handles the PCI security audit log requirements for card data that we manage.
BUT, do you comply with the PCI security requirement for logging all file transfers done outside of Curbstone that contain card data?
Our friends at Linoma have a mature, compliant solution in GoAnywhere Managed File Transfer (MFT) software.
Simplify PCI DSS Compliance with Managed File Transfer
PCI compliance requires that data is secured both at rest and in transit using proper systems and procedures within the organization.
Healthcare organizations and business associates using GoAnywhere™ can achieve these goals with the additional benefit of saving considerable time for IT staff.
The GoAnywhere managed file transfer solution streamlines transmissions for healthcare including:
Read more about this great software...
Two is one, one is none. You will hear that around here a lot.
For all of you accepting credit cards and needing real-time authorization, guaranteeing that you have Internet access can be a challenge. In so many cases, ALL of your copper that provides you with connectivity is run on ONE SET of poles outside your store, HQ, or data center. If the pole is knocked down, even having DSL, a T1, and cable - ALL ON THAT SAME POLE - is of no help.
Red Box, Starbucks, American Apparel, and Blinds To Go all know how to do this.
No wired connection can deliver 100% uptime so the question isn't whether your business will lose connectivity to the Internet, the question is how to protect your organization from loss and disruption when it does happen.
With Cradlepoint WWAN failover solutions using 3G/4G/LTE, your organization can protect from these losses and mitigate risk to your brand.
When your wired Internet connectivity experiences a service disruption (in some areas this happens several times a month) your business is exposed to risks of lost revenue, productivity, and customer experience issues. Upgrading to a more robust wired connection such as T1 or T3 line is an option that comes with a significantly higher monthly cost, and it is still susceptible to outages and service disruptions such as construction related cable cuts, downed telephone lines, severe weather, etc.
And Cradlepoint provides PCI Compliance in the device for the connections that allow it to be configured for maximum security!
For more info, contact our friend
Systems Services, Inc.
Interactive VOICE Response is a big deal. It can assist in your eliminating attack vectors for card processing, and can improve accuracy and throughput. Our friends at iMessaging Systems have a fine solution that we have been associated with for many years.
Designed specifically for IBM i for Power Systems, iVoice IVR delivers an easy to use API toolset to develop IVR applications independently without reliance on a vendor.
This simple, yet powerful API toolset provides developers with all of the tools to create IVR call flows while working in familiar languages like RPG, COBOL, PHP or Java.
One of the COOLEST features is Automatic Speech Recognition: With Speech Recognition callers may "speak" to the system, rather than using the touch-tone keypad to interact. Speech Recognition enhances the caller interaction with a more natural and conversational user experience.
Read more about this native solution...
In Curbstone's many implementations, we work with lots of different security resources. GreyCastle has impressed us with their really excellent operation, and has proven to Curbstone to be a real contender in the IBM i space. Check them out for the following:
Contact our friend there, Charlie Weintraub, for more info. 518-274-7233 (SAFE) firstname.lastname@example.org
Raz-Lee's iSecurity software is a comprehensive, user-friendly security solution for IBM i (AS/400) environments. iSecurity products address insider threats, cyber attacks and external security risks, and the need to monitor business-critical application data.
As you may be aware, the powerful tools provided by IBM's i Operating System are comprehensive. What IBM's security infrastructure does NOT have is any way to FRONT-END them to allow a HUMAN to KNOW what is going on. This is where the Raz-Lee iSecurity product comes in.
Whatever your needed components, the 15 individual products that comprise iSecurity will handle your requirements.
AP-Journal Business Analysis
AP-Journal Regulation Compliance
Authority on Demand
Visualizer for Audit
Visualizer for Firewall
Our friends at TSYS have made a great educational tool...
See how real-life scenarios help merchants prepare for the EMV shift and recognize the importance of encryption, tokenization and PCI compliance.
Many small to medium sized merchants may not realize:
• They can be just as vulnerable to – and liable for – data breaches and fraud as the "big box" stores
• 60% of small businesses that suffer a data breach are out of business six months later (1)
• In 2014, 28.8% of businesses with less than 100 employees encountered fraud (2)
(2) Association of Certified Fraud Examiners, 2014 Global Fraud Study
Being prepared is crucial; don't wait until the last minute. Stop by Fraudway today and explore this hands on resource, developed specifically to help you help your customers.
We hear everywhere of imminent EMV Chip-and-PIN, but according to one recent survey, significant numbers of retailers remain relatively unprepared.
The second annual "Retail Technology Adoption Report," conducted by Lightspeed POS, finds only 18% of retailers in the U.S. have already implemented EMV payment technology, and fully 45% are poised to miss the October 15, 2015 deadline.
Of those lagging, 25% do not understand the new rules, 18% do not want to deal with the hassle or cost of switching payments hardware, and 17% have never even heard of EMV or Chip-and-PIN. As for new mobile-based schemes, similar reluctance appears on the part of retailers. Only 9% currently accept Apple Pay, and fully 40% have no plans to ever accept Apple Pay, citing lack of interest on the part of their customers.
Overall, by the end of 2016, 34% plan to support Apple Pay, 25% plan to support Android Pay, and 23% plan to support Samsung Pay. "Retailers seem to be waiting to upgrade their POS systems until they find one that can accept both EMV as well as mobile payments," concluded Dax Dasilva, CEO of Lightspeed POS.
"If you look at the numbers, the amount of retailers that plan to accept Apple Pay by the end of 2016 is close to the number that expect to be EMV ready. Retailers with modest budgets demand technology that does double duty--they're willing to delay upgrades."
As its title indicates, "EMV: Retail's $35 Billion 'Money Pit,'" produced by the IHL Group, draws some contrarian conclusions. According to this new study, most retailers will never recoup the expense that EMV imposes.
"The single biggest problem with the EMV mandate is that it is focused on trying to solve last century's problem and completely ignores the reality that retailers are facing today," postulated Greg Buzek, President of IHL Group.
"Twelve years ago, when EMV was introduced into Europe it made tremendous sense. Today, it stands in the way of real data security by stealing critical budget away from focusing on the risks that retailers face from online hackers." According to this research, unless the merchant is on the front lines of fraudulent card transactions--e.g., electronics, fuel, mass merchants, or related gift cards--the risk of loss is extremely small compared to criminal online activity. And thus, end-to-end encryption and tokenization should be moved to the forefront in place of EMV.
Some further findings: EMV costs are additive to what retailers are already paying for PCI, which now consumes 55% of their total data security budget; the typical EMV transaction will take 5 to 8 seconds longer to conclude; many consumers will leave their card in the payment device, since insertion is required for the entire transaction; EMV, with some probable confusion, will be introduced just before the critical shopping season on October 1; and the average ROI for your typical $1 billion specialty store for EMV is projected at -77% over three years.
"Retailers who simply focus on EMV at check-out without focusing on end-to-end encryption and tokenization in all of their sales channels are actually opening up a significant security hole," warned Buzek.
Greg Buzek, IHL Group
At the PCI Security Standards Council, we encourage you to make payment security a top priority for your organization in 2015.
Presenting the PCI Security Standards Council’s Qualified Integrators and Resellers (QIR) program.
Now it’s time to take action.
Security of payment card data is a never-ending race against potential attackers. By becoming a QIR, your company is demonstrating you understand and can apply the PCI standards and that you care about your customer’s security. With data breaches continuing to capture news headlines, merchants are increasingly concerned about securing their cardholder data and they will value your proactive approach to addressing these concerns.
We’ve made some significant changes and improvements to the QIR program, including:
- Simplified application process
- Affordable pricing
- Updated training for participants
- Extended qualification period (now 3 years)
Plus, as a QIR you’ll have a competitive advantage over untrained installers since your company will have extra visibility with a listing as an approved service provider on the PCI website.
Payment card security is a shared responsibility and you can play a significant role as a QIR. We invite you to visit the QIR page on our website for further information about getting trained and qualified. To start the application process, please register your QIR Company by completing the Registration Form linked on our website.
Please contact us at QIR@pcisecuritystandards.org with any questions you may have.
Program Manager, QIR
PCI Security Standards Council
SMS Pays Off: The Power of Pay-by-Text
Mobile payments are all the rage lately—just look at Apple Pay or Square. It’s an exciting development that’s changing the face of mobile commerce–as long as customers have an iPhone 6 or access to a card reader for smartphones.
But what if customers could pay without downloading an app? What if they could pay for things over text messaging?
SMS lets customers pay using their mobile phone without the need of an app, and without needing to be at a payment terminal. Currently, methods like ApplePay rely on near field communication (NFC) to transmit credit card information from the customers’ phone to a terminal.
Tapping your phone to a payment terminal is supposed to be the easiest way to pay, but what if you didn’t even have to be at a store to do it?
One of the best things about SMS payments is that it doesn’t require a fancy card reader or the newest phone. It’s truly mobile because customers can carry out these transactions anywhere, anytime, on any cell phone. Plus, it takes almost no time at all.
Letting customers pay by text increases time and cost savings for companies and customers. For example, a customer who had to renew a magazine subscription would typically receive a letter or email from a company with a reminder, and the payment process might take a few days or weeks.
However, renewals or any sort of quick transactions can be expedited with text payments. Instead of engaging in a lengthy back-and-forth about renewing a magazine subscription, customers could get a quick outbound text that looks something like this:
What makes outbound texts like this so potentially powerful is the fact that texting is a channel customers use often and prefer. Texts have a 98% open rate, a stat other channels could only dream of. Marketing texts also have an extremely high response rate of 45%: over ten times higher than direct mail or email.
Home-Improvement Retailer Says Investigation into Breach Continues
By Michael Calia
Home Depot Inc. said that it faces at least 44 civil lawsuits in the U.S. and Canada related to a widespread data breach at the home-improvement retailer in 2014.
The company, which is also under investigation by several state and federal agencies, warned that the claims and probes "may adversely affect how we operate our business, divert the attention of management from the operation of the business and result in additional costs and fines," according to a filing.
Read more about the horrors of a data breach...
What more can we say than the URL? Read the whole thing, you CAN relate...
All code is bad
Every programmer occasionally, when nobody's home, turns off the lights, pours a glass of scotch, puts on some light German electronica, and opens up a file on their computer. It's a different file for every programmer. Sometimes they wrote it, sometimes they found it and knew they had to save it. They read over the lines, and weep at their beauty, then the tears turn bitter as they remember the rest of the files and the inevitable collapse of all that is good and true in the world.
This file is Good Code.
It has sensible and consistent names for functions and variables. It's concise. It doesn't do anything obviously stupid. It has never had to live in the wild, or answer to a sales team. It does exactly one, mundane, specific thing, and it does it well. It was written by a single person, and never touched by another. It reads like poetry written by someone over thirty.
Every programmer starts out writing some perfect little snowflake like this. Then they're told on Friday they need to have six hundred snowflakes written by Tuesday, so they cheat a bit here and there and maybe copy a few snowflakes and try to stick them together or they have to ask a coworker to work on one who melts it and then all the programmers' snowflakes get dumped together in some inscrutable shape and somebody leans a Picasso on it because nobody wants to see the cat urine soaking into all your broken snowflakes melting in the light of day. Next week, everybody shovels more snow on it to keep the Picasso from falling over.
There's a theory that you can cure this by following standards, except there are more "standards" than there are things computers can actually do, and these standards are all variously improved and maligned by the personal preferences of the people coding them, so no collection of code has ever made it into the real world without doing a few dozen identical things a few dozen not even remotely similar ways. The first few weeks of any job are just figuring out how a program works even if you're familiar with every single language, framework, and standard that's involved, because standards are unicorns.
Read more at http://www.stilldrinking.org/programming-sucks
"More worrying is the fact that attackers are moving on from stealing PCI data and are increasingly seeking personally identifiable information (PII)."
"You would think by now most merchants would know how to protect payment card information.
However, according to the recent Verizon 2015 PCI Compliance Report, only 20% of businesses passed their most recent PCI compliance assessments. While this is better than the 10% compliance rate cited in the 2014 report, it's important to note that of all the breaches reported by Verizon last year, "not a single company has been found to be compliant at the time of the breach," underscoring the importance of PCI DSS compliance.
The Payment Card Industry Data Security Standard demands cardholder data is protected and that strong access controls and authentication be put in place by merchants. Both of these requirements are essential to prevent a data breach, but they are also the hardest to comply with.
These challenges are predominantly met with "compensating controls" which by PCI Security Standards Council definition should "provide a similar level of defence as the original PCI DSS requirement," but are open to interpretation and as a result are often fundamentally vulnerable to attackers successfully attacking authentication and login processes to steal data.
The Verizon report identifies that compliance alone is not enough; the sheer veracity of attacks seen over the previous year is evidence that current data securities are inadequate.
Instead the report suggests that compliance "is a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security." Attackers are advancing their game, working around compliance controls to always be one step ahead of the security level achieved by regulation and industry standards.
Clearly, we are losing the battle against the bad guys.
Target is close to reaching a $20 million settlement with MasterCard to reimburse financial institutions for costs they incurred from the retailer's massive data breach in 2013.
By Robin Sidel, WSJ
Updated April 14, 2015 7:03 p.m. ET
Target Corp. is close to reaching a settlement with MasterCard Inc. to reimburse financial institutions roughly $20 million for costs they incurred from the retailer's massive data breach in 2013, according to people familiar with the negotiations.
The deal, which could be announced as soon as this week, comes after months of negotiations, these people said. The $20 million covers costs that banks incurred to reissue credit cards and debit cards as a result of the breach, as well as some of the fraud that resulted from the exposure of customer information, these people said.
The payout would be roughly the same as TJX Cos. paid to MasterCard issuers in 2008 for a data breach that exposed more than 100 million cards to fraud. TJX is the parent of discount retailer TJ Maxx and other chain stores.
The settlement underscores the ongoing financial costs that are associated with a wave of data breaches that have exposed hundreds of millions of Americans to fraud over the past year. Target disclosed in a recent financial filing that it has incurred $252 million of breach-related expenses.
Target's breach, in particular, rattled consumers because it occurred during the winter holiday shopping season. The breach compromised 40 million credit and debit card accounts.
The breach also set off a frenzy among card-issuing financial institutions as they scrambled to send new cards to customers. Some took the unusual step of reissuing cards en masse even if no fraudulent activity had been detected. It also led to renewed calls for merchants to upgrade their terminals at the checkout line to accept cards that are embedded with a computer chip that are more difficult for thieves to replicate. Target has since upgraded its stores to accept the more secure cards that are now being issued by financial institutions.
Other merchants are also upgrading their equipment ahead of an October deadline that will shift fraud liability from banks to merchants under certain circumstances. Some merchants are saying, however, they won't be able to meet the deadline.
Thanks to skilled mentors from IBM and the collective wisdom of RPG & DB2 Summiteers, we're learning that WE can positively influence the future of the IBM i - and our own careers - by proactively advocating for ourselves and our platform of choice.
In their recent Summit Keynote addresses, IBM's Ian Jarman and Steve Will have armed us with compelling data to support how IBM i - coupled with your skills - can continue to achieve your organization's business goals more efficiently and cost-effectively than other solutions.
Now at each Summit, under the skillful tutelage of Mike Cain (one of the most effective iAdvocates we know) we explore techniques to articulate our message and to get into the position to influence decision makers within our organizations.
Below are Ian's, Steve's and Mike's materials, plus other presentations, independent research studies, white papers, case studies and tips that can help you hone your own iAdvocate and career-building skills.
Skills and Tips...
Help Systems, a growing juggernaut of iSeries/IBM i software, has released the results of its MarketPlace Survey. From its respondents, find out ALL ABOUT THE SYSTEM i MARKET!
Thanks to the generous response from 350 IBM i users, we're another step closer to understanding the many ways businesses are using this versatile platform.
The results from this first annual survey are encouraging, and speak to a user community that is committed to building on the power of IBM i by keeping current and utilizing modern technology.
An expert panel will discuss your survey results in a live webinar on March 26. We hope you can join us.
Curbstone uses Data Queues extensively within our software, and as the primary component for our native API.
Carsten Flensburg brings us up to date on the latest NEW command and attributes of this handy, inter-program communications device.
Carsten Flensburg | System iNetwork Programming Tips Newsletter
I use data queues for many purposes and in many mission-critical applications, so whenever IBM announces additions and changes to data queues, I pay attention. With release 6.1, two new data queue attributes were added, and one new data queue API was introduced. The new Change Data Queue (QMHQCDQ) API was partially prompted by the Enforce data queue locks attribute added, because the QMHQCDQ API is currently the only available option when it comes to setting this attribute; you cannot specify it when you create a data queue. I cover more about the Enforce data queue locks attribute later in this article.
The QMHQCDQ API currently supports changing one more data queue attribute, the Automatic reclaim attribute defining whether the allocated storage of the data queue should be reclaimed whenever the last entry in the data queue is removed. This attribute is, however, also available when you create a data queue, but you now have the option of changing it, without having to re-create the data queue. The second attribute added to data queues at release 6.1 is a timestamp registering the point in time the data queue last had its storage automatically reclaimed. These new data queue features inspired me to make corresponding improvements to my previously published data queue commands as well as create the new Change Data Queue (CHGDTAQ) CL command.
Note that a FREE registration is required to view the GREAT articles on iProDeveloper.com, and it is WELL WORTH IT!
You will find a wealth of info and training materials, like the incomparable series from Carsten:
Jon Paris and Susan Gantner, legendary technical figures in the AS/400 arena, published this superb article on security.
Read more and see why they are so HAPPY!
February 05, 2015
Bash, Shellshock, Heartbleed, Poodle - Unless you've been living under a rock, you have probably heard something about security vulnerabilities like these. And as a programmer, you may well have thought to yourself "I'm glad I'm a programmer and not a Sys Admin or network guy who has to worry about that stuff." Or perhaps you've thought to yourself
"I'm glad I work on IBM i - just stay reasonably up to date on PTFs and these things can't hurt us - IBM i is inherently very secure."
It is indeed true that IBM i has significant architectural protections built in, so we can feel more comfortable about many types of security vulnerabilities compared with other platforms. And the folks at IBM Rochester do a great job of quickly creating PTFs to plug potential threats as they surface. Just take a look at the ITG whitepaper for stats on vulnerabilities of IBM i compared to Windows Server and various flavors of Linux.
And from here, they go on to prescribe EXACTLY the steps to secure your System i, whether on V6R1, 7.1, or 7.2.
Alex Woodie, Editor at The Four Hundred, knocks it OUT OF THE BALLPARK, again.
Trying to keep the IBM i relevant in your organization?
It probably seems like an uphill battle at times, especially if you have a CIO who knows next to nothing about the platform. Here are five fun facts that may help save the platform at your organization, or at least get the CIO to give it a second look before he kicks it to the curb.
Fact 1: IBM i on Power is cheaper in the long run than Windows or Linux on Intel
... In 2012, IBM hired the firm ITG to run the numbers, and the three-year TCO came back as follows:
$ 480,200 for a typical IBM i setup,
$ 862,200 for a typical Windows setup, and
$1,118,300 for a typical Linux setup.
Even the CFO can appreciate that.
Our friends at SkyView, Carol Woodbury and John Vanderwall, are offering the EASIEST solution to PCI-oriented security monitoring.
As you probably know, SkyView is the most qualified security management organization in the IBM Midrange.
SkyView Security Experts are trained and managed by Carol Woodbury. Carol Woodbury is the former Security Architect and Chief Engineering Manager for IBM's Enterprise Server Group in Rochester, MN; as well as author of the book "IBM i Security: Administration & Compliance," award-winning speaker on the topic of security, Certified in Risk and Information Systems Control (CRISC) and the Co-founder, President and CTO of SkyView Partners Inc.
Introducing SkyView Partners Managed Security Services (MSS)
As John describes it: "It’s a service where we pay attention to your security so you don’t have to. We’ve found that most IBMi shops just don’t have time for security. To be “compliant” not only with PCI, but with a multitude of other standards and regulations, IBMi shops need a regular process in place to check security. In addition, they have to do at a minimum an annual risk assessment. Our Managed Security Service defines a process where we check security monthly, providing a summary report, and perform an annual risk assessment for the client. We include licenses of selected SkyView software products to gather the data required to make this a turn-key solution. If you have preferred software, we are more than happy to use that instead. The goal is to provide valuable insight for our clients on a monthly basis. What we hear from our rapidly expanding client base is that auditors LOVE this because it’s 3rd party experts monitoring. The auditors know the work of monitoring security is actually getting done each month as opposed to being “forgotten” when left up to the client!"
For IBM i, this service includes:
- An annual “risk assessment” (Security Checkup) for each partition licensed
- Monthly Monitoring of 10 security topics of your choosing - we jointly determine them
For more info, just call 1-425-458-4975 or E-mail SkyView@Curbstone.com
Feature Article by Dan Riehl at http://SecureMYi.com
How do you know if someone is scanning your IP ports for vulnerabilities? Or how do you know if you're being attacked by denial of service attacks like a SYN Flood or Smurf attack?
The IBM i Intrusion Detection System (IDS) alerts you when an attack against the system is in progress. In most cases, you have no other way to monitor for these intrusion events. With IBM i version 6.1 and 7.1, you can have the IDS up and running in a few minutes. IBM i Navigator for Windows provides an IDS Setup Wizard, which makes setting up the IDS a very simple process. On my system, I had it up and running in about 30 minutes—25 of those were spent reading the documentation and the On-Line help text.
Why do I need an Intrusion Detection System?
An IBM i connected to any network should be running the IDS. Some may say they're protected behind a corporate firewall and therefore are immune to these types of attacks. But attacks also come from inside your network, and as far as outside attacks, do you want to bet the security and availability of your System that the firewalls can reject ALL unwanted traffic?
When an attack occurs, instant notification of the attack can be sent to a message queue as well as via email to several email addresses you stipulate. When you see an incoming attack, you can then take preventative actions to stop the attack or prevent the attacker from getting to you again. As prevention, you can set packet filtering rules within IBM i Navigator and adjust firewall rules as needed. The IDS is a detection system; it, alone, cannot prevent an attack.
In addition to monitoring for attacks, the IDS also detects if the IBM i is being used as the attacker of another system. You would certainly want to know if someone is launching an attack from within your system.
IBM i 6.1 and 7.1 Differences from 5.4
Since OS/400 V5R4M0, IBM i has included the IDS that monitors network activity for numerous types of attacks. Under V5R4M0, setting up the IDS is a difficult and frustrating exercise. But as of IBM i 6.1, and the introduction of the IDS Setup Wizard, configuring the IDS has become a very simple process. The dependency on the Quality of Service (QoS) Server in V5R4M0 has been removed. The QoS server integration was my biggest stumbling block in that older implementation. I just could not get it to work.
The remainder of this article will focus on the IDS in IBM i 6.1 and 7.1. If you're still at 5.4, you can configure the IDS using the instructions in the IBM Redbook IBM i5/OS Intrusion Detection System at http://www.redbooks.ibm.com/redpapers/pdfs/redp4226.pdf
Get his FREE Security e-book when you sign up for his valuable Security newsletter.
Dan Riehl, from http://www.securemyi.com/
These are the chapters:
1. Restricting the change of Security Related System Values
2. Libraries Higher than QSYS
3. The Security Tools Menu
4. How secure are your Passwords?
5. Disabled and Forgotten QSECOFR
6. System Service Tools Profiles Management Tips
7. Security Policy?
8. Journaling your files and other objects
9. How-to start Journaling
10. And your Save Restore backup media?
11. Nefarious Masqueraders
12. Where Does *PUBLIC Get All That Authority?
13. Making System Value QCRTAUT More Restrictive
14. Keep Users from Adding Files to Libraries
15. The Nasty Exposures inherent in iSeries QUERY
16. SQL vs i/OS Assignment of Authorities
17. Restoring Private Authorities
18. Securing IFS files
19. IFS and Adopted Authority
20. Using i/OS Security Auditing
21. Starting Security Auditing
22. Are you auditing security related events?
23. Auditing inquisitive users
24. More on User Auditing
25. More on Object Auditing
26. Auditing in the IFS
27. Setting the auditing value for newly created objects
28. Wait! Don’t kill ALL those trees!
This week’s security number is $1 Billion… the likely amount that has been stolen with the Carbanak malware.
Security is about “vigilance." Would the banks have lost less if they were more vigilant? By some accounts the Carbanak malware has been in place since 2013. No one can prevent people from getting in, but that is no excuse for not being vigilant when it comes to your data security.
- Do you know the risks?
- Are you looking at key reports regularly?
- Have you done all you can to reduce the risk and keep the monitoring task from overwhelming you?
- Have you reduced the real estate hackers can move in by remediating issues?
Don’t be the next headline. The solution is outsourcing assessment and regular monitoring to an expert group who can evaluate, summarize, and briefly explain the risks. That’s exactly what SkyView Managed Security Service is all about.
At SkyView Partners, we offer Managed Security Services where we systematically pay attention to security for you.
- Our team, led by Carol Woodbury, former Security Architect and Chief Engineering Manager for IBM’s Enterprise Server Group, will monitor key security elements
- We will provide you with a monthly summary so you know, at a glance, what may need attention
- Once a year we do a comprehensive risk assessment so you can see where your risk status stands
Want to see the details?
The information you get is invaluable. The monthly per partition price is very reasonable. It’s a whole lot less than the cost of a breach.
Join the growing list of global customers who are letting Carol Woodbury’s team at SkyView Partners pay attention to security… so they don’t have to!
All the best,
Chairman, CEO and Co-Founder
SkyView Partners Inc. | (425) 458-4975 xt 718| Mobile : 206-915-7284
The image below is from a random 14-hour period of a typical day in the life of one of our marketing servers.
Note that this server has nothing to do with our software operations and only serves static marketing materials from a public-facing Linux server. Each listing below represents at least 5 INVALID attempts to log into the operating system or other software.
The majority of the addresses are foreign (read: China), and all of these attempts were successfully blocked because we implement PCI Best Practices standards on ALL of our servers, including those that NEVER handle card data.
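The check behind that listing, counting failed logins per source address and flagging any address at or above the 5-attempt mark, as an added example that is not Curbstone's tooling. The log lines are constructed in OpenSSH's auth.log format and the addresses are documentation-range placeholders; `offenders`, `usernames_tried` and the threshold default are assumptions of this example.

```python
"""Counter for repeated failed logins, the condition the listing above records
(at least 5 INVALID attempts per address).  Added example, not Curbstone's
tooling: the lines are constructed in the OpenSSH auth.log format and the
addresses are documentation-range placeholders, not real attackers."""
import re
from collections import Counter, defaultdict

# Constructed sample: one address hammering several accounts, one address
# making a few attempts, and one legitimate key-based login.
SAMPLE_LOG = """\
Mar  3 02:11:07 web1 sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:11:09 web1 sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:11:12 web1 sshd[4015]: Failed password for root from 203.0.113.45 port 51031 ssh2
Mar  3 02:11:15 web1 sshd[4015]: Failed password for root from 203.0.113.45 port 51031 ssh2
Mar  3 02:11:18 web1 sshd[4019]: Failed password for invalid user oracle from 203.0.113.45 port 51040 ssh2
Mar  3 02:13:40 web1 sshd[4031]: Failed password for invalid user test from 198.51.100.7 port 40211 ssh2
Mar  3 02:13:44 web1 sshd[4031]: Failed password for invalid user test from 198.51.100.7 port 40211 ssh2
Mar  3 02:14:02 web1 sshd[4033]: Accepted publickey for deploy from 192.0.2.10 port 53312 ssh2
Mar  3 02:20:51 web1 sshd[4050]: Failed password for invalid user pi from 198.51.100.7 port 40388 ssh2
"""

# One failed password attempt; captures the user name tried and the source IP.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_failures(text):
    """Yield (source_ip, user) for every failed-password line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def offenders(text, threshold=5):
    """Source addresses with at least `threshold` failures, mapped to their count."""
    counts = Counter(ip for ip, _ in parse_failures(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def usernames_tried(text):
    """Sorted list of the distinct user names each source address tried."""
    seen = defaultdict(set)
    for ip, user in parse_failures(text):
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    tried = usernames_tried(SAMPLE_LOG)
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, users tried: {tried[ip]}")
```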
WHAAAAAAAT? This is the new card-present standard mandated for October 2015, and 34% have not heard of it?
Thirty-four percent of merchants interviewed late last year for an Aite Group research report on EMV readiness had never heard of the U.S. migration to EMV-chip payment cards, despite the fast-approaching October 2015 deadline set by the card networks.
Furthermore, of the more than 400 merchants surveyed, 46% said they had not yet begun any preparations for EMV acceptance. A company that misses the October deadline faces a shift in fraud liability (gas stations have until October 2017).
There is a general understanding throughout the U.S. payment industry that smaller merchants are going to be the last to convert to implement the point of sale technology needed to accept EMV cards, but something is amiss if — three years after the card brands announced the U.S. initiative — merchants don't even know what EMV is.
This revelation "is just stunning," said report author Thad Peterson, senior analyst with Boston-based Aite Group. "I have talked to friends who operate different types of retail operations and it [EMV] is not something they are paying attention to."
Don Bush, VP of Marketing at Kount
As EMV is adopted in the US, merchants will need to partner with payment processors and card schemes to tackle the changing face of fraud, believes Don Bush.
The rollout of EMV cards in the United States has a deadline of October 2015. This has logistical issues, but perhaps more importantly it is likely to prompt a major shift in credit card fraud to card-not-present transactions. As the second largest market for online revenues, when the US moves to EMV technology at ‘brick and mortar’ POS we can expect a transition from offline fraud to online channels such as the desktop and mobile, as fraudsters increase their fraudulent activities.
Figures from the UK Card Association show how this occurred in the UK after it adopted EMV technology – a trend that played out in other countries across the world. The difference between then and now though is that ecommerce is now a retail phenomenon. According to eMarketer, over $200 billion of additional spending could flow through CNP transactions globally by 2017, presenting a vast world of opportunity to online fraudsters looking for a piece of the pie.
The burden of liability no longer rests solely with merchants. For years, they have been responsible for ensuring their customers’ transactions are secure. Typically this involves aligning with either a trusted payment service provider (PSP), payment gateway, or hosted pay page (HPP) that works with a fraud prevention leader. The goal is to ensure transactions are secure as well as able to provide crucial information of fraudulent behaviour the retailer is experiencing.
However, financial regulators are increasingly linking fraud mitigation and compliance with regulations, which pushes liability up the food chain, extending from merchants to payment choke points.
Does your company accept credit-card payments? If so, you're responsible for Payment Card Industry (PCI) mandates.
This is a brand new article from Curbstone's CTO, Ira Chandler, providing high level guidance for CEOs, CTOs, CFOs, CSOs, and IT, on the best ways to become PCI compliant.
"Just because you run the world's most secure and reliable computing platform (the IBM i, System i, iSeries, AS/400), you're not exempt from the requirements of the international security council (PCI) that dictates merchant security.
In this short article, we will address the following questions:
- Who must comply?
- What are the levels of compliance?
- Where are the i-specific resources?
- Is this an ongoing process?
- How do I get started?
TSYS is the largest processor of merchant acquirers and bank credit card issuers (#1 for credit card issuers and #2 for merchant processing in the United States). TSYS processes for over 730,000 merchants with over $138 billion a year in credit and debit card transactions.
TSYS selected Curbstone - AGAIN - to be a GOLD Partner for 2018, based on our exemplary service to merchants using TSYS for processing.
Some TSYS History:
In 1959 TSYS started as a division of Columbus Bank and Trust (CB&T). In 1974, CB&T started processing credit cards for other banks. In 1983, TSYS became a separate publicly traded company, although majority ownership remained with CB&T and its successor, Synovus. In 1991, TSYS began development on the next generation of processing platforms.
On October 25, 2007, TSYS and Synovus (holding 81% of shares at the time) announced a spin-off that was completed as of the end of 2007.
On July 12, 1999, Total System Services, Inc. announced the signing of a multi-year agreement with Bancahsa, to process its Honducard-Visa credit cards, which represented a step in Total System Services' international expansion strategy to become the global processor of choice.
In 2008 TSYS launched n>genuity, a quarterly publication designed to provide pertinent research, in-depth commentary and timely insight on the trends that impact the world of payments.
In 2010, TSYS announced it had acquired a majority stake in First National Bank of Omaha's merchant acquisition business for $150.5 million, which was renamed TSYS Merchant Solutions.
In August 2012 TSYS announced a joint venture with Central Payments Co, one of the fastest growing ISOs in the US.
In November 2012 TSYS announced its acquisition of ProPay, a Utah based company with over 250,000 merchants.
In February 2013 TSYS announced that it had agreed to purchase Netspend, a prepaid debit card provider, for $1.4 billion in cash.
In November 2013 TSYS announced TSYS Merchant Insights, a new partnership with Womply, a San Francisco-based startup, to provide revenue, social media, and reputation analysis tools to all TSYS merchants.
When Tim Cook unveiled Apple Pay last year, the company hailed it as a simple contactless payment solution that also brings extra security to credit cards.
Except according to one report, Apple Pay is actually making it easier for scammers to commit credit fraud.
Apple Pay's security problem has nothing to do with Touch ID, NFC, Apple's secure element, or stolen iPhones. All of that is locked down as tightly as Apple advertised. The problem, according to an unconfirmed report from DropLabs, is that Apple Pay is so easy to use, fraudsters don't even have to create a physical fake card anymore.
According to Drop Labs' report, scammers have gone with a much more low-tech way to take advantage of Apple Pay.
Instead of hacking the hardware, fraudsters are just buying stolen consumer identities, complete with credit card info, and loading that into Apple Pay. This allows them to create a fake digital credit card without going through the hassle of printing it out on plastic to use in stores...
Article by Buster Hein. [ READ MORE HERE ]
The authorities on online fraud, Cardinal Commerce, have published a great whitepaper. They are the good folks who run the Verified by Visa and Mastercard SecureCode operations for those card brands. Curbstone is certified to support both for e-commerce. Here is the beginning of what they have to say:
There is a lot of information circulating about Online Fraud – what should you believe? Here are seven secrets you should know, which might surprise you.
1. Even though your online fraud rate is very low, you really do need to worry about it.
You may not have had to worry in the past, but fraudsters are getting smarter every day, and they are looking for unprotected websites to perpetrate their fraudulent activity. As more online retailers set up Consumer Authentication and fraud tools, the fraudsters will focus on retailers who haven’t implemented these solutions, and fraud on those sites will increase. Additionally, as more US banks issue chip cards, fraudsters will have difficulty creating counterfeit cards for in-person use, so the fraud will migrate to online shopping sites, where the chip will not protect the transaction.
2. EMV/Chip cards do not prevent online fraud.
EMV chip cards prevent in-person fraud, but offer little protection for online transactions. Historically, in other regions where chip cards rolled out, like in the UK, in-person fraud rates fell, but online fraud rates soared, increasing 97% between 2004 and 2008 (according to Bank of International Settlements, Financial Fraud Action, BI Intelligence). To prevent online fraud (and increase your online sales), merchants should use a Consumer Authentication solution. This verifies that the person conducting the transaction is really the cardholder. Consumer Authentication protects online transactions just like the chips in the chip cards protect POS transactions – it verifies that cardholders are who they say they are. CardinalCommerce provides a rules-based Consumer Authentication solution that will actually increase sales, improve margins (by reducing interchange fees, shifting liability on chargebacks and reducing manual review), and enhance the consumer experience.
For the remaining 5 points, click below!
According to the Payment Card Industry Security Standards Council (PCI SSC), a Service Provider is any: "Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data." (Source: www.pcisecuritystandards.org)
Since we are deploying the C3 Secure Portal, we set the wheels in motion four years ago to achieve this. After a grueling 8-month audit by our Qualified Security Assessors, CompliancePoint, we have been approved.
VALUE PROPOSITION FOR IBM SYSTEM i: MINIMIZING COSTS AND RISKS FOR MIDSIZE BUSINESSES
The challenges faced by midsize businesses remain daunting. Weak markets, competitive pressures, cost reduction mandates, and demands for greater operating efficiency and productivity are the norm in most industries. In many, globalization continues.
Information technology has become central to meeting these challenges. Even relatively small organizations now have enterprise resource planning (ERP), customer relationship management (CRM), business intelligence (BI), e-commerce and other state-of-the-art systems. The number of “must have” solutions continues to expand.
The good news is that a plethora of new capabilities has become available to midsize businesses. The bad news is that new technologies can significantly increase the complexities with which organizations must deal. Solution value may be degraded, IT costs may escalate and risks of business disruption may increase. Current economic conditions do not argue in favor of such strategies.
Excessive complexity has undermined the IT strategies of many large organizations. In a midsize business with more limited resources and technical skills, the impact may be a great deal more serious. How can this be avoided? One option is to employ IBM i 7.1 on latest-generation POWER7 and POWER8 based systems. These offer industry-leading integration and optimization across all components of hardware and software stacks. More than any other platform available today, they offer midsize users the benefits of advanced technology while minimizing costs, complexities and risks.
By Seth Borenstein and Jack Gillum - Associated Press
Credit card data isn't quite as anonymous as promised, a new study says.
Scientists showed they can identify you with more than 90 percent accuracy by looking at just four purchases, three if the price is included - and this is after companies "anonymized" the transaction records, saying they wiped away names and other personal details.
The study out of the Massachusetts Institute of Technology, published Thursday in the journal Science, examined three months of credit card records for 1.1 million people.
"We are showing that the privacy we are told that we have isn't real," study co-author Alex "Sandy" Pentland of MIT said in an email. His research found that adding just a glimmer of information about a person from an outside source was enough to identify him or her in the trove of financial transactions they studied.
Companies routinely strip away personal identifiers from credit card data when they share information with outsiders, saying the data is now safe because it is "anonymized." But the MIT researchers showed that anonymized isn't quite the same as anonymous.
Drawing upon a sea of data in an unnamed developed country, the researchers pieced together available information to see how easily they could identify somebody. They looked at information from 10,000 shops, with each data piece time-stamped to calculate how many pieces of data it would take on average to find somebody, said study lead author Yves-Alexandre de Montjoye, also of MIT.
In this case the experts needed only four pieces, three if price is involved.
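The re-identification test the study describes, run on a constructed set of "anonymized" card records, as an added example that is not the study's code or data. Four customers, each with four purchases, are identified only by opaque tokens; `candidates` finds who matches a handful of known (shop, day[, price]) points, and `unicity` measures what fraction of customers are singled out by k of their own points (averaged over every k-subset, where the study used random subsets). Shop names, days and prices are assumptions of this example.

```python
"""Re-identification ("unicity") of anonymized transaction records, in the
style of the MIT study.  Added example, not the study's code: the records
below are constructed, names already replaced by opaque tokens.  Days are
day-of-month numbers and prices are exact amounts (assumed)."""
from itertools import combinations

TRANSACTIONS = [
    # (anonymized customer token, shop, day, price)  -- constructed
    ("tok-7f3a", "bakery",    3,  4.50),
    ("tok-7f3a", "pharmacy",  5, 20.00),
    ("tok-7f3a", "cafe",      9,  3.25),
    ("tok-7f3a", "bookshop", 12, 18.00),
    ("tok-c21e", "bakery",    3, 12.00),
    ("tok-c21e", "pharmacy",  5, 20.00),
    ("tok-c21e", "gym",       9, 30.00),
    ("tok-c21e", "cafe",     14,  3.25),
    ("tok-9b04", "bakery",    3,  4.50),
    ("tok-9b04", "cinema",    6, 11.00),
    ("tok-9b04", "cafe",      9,  3.25),
    ("tok-9b04", "bookshop", 12, 18.00),
    ("tok-d58c", "grocer",    2, 45.00),
    ("tok-d58c", "pharmacy",  5,  9.00),
    ("tok-d58c", "cafe",      9,  3.25),
    ("tok-d58c", "bookshop", 12, 18.00),
]


def point(rec, use_price):
    """The outside-source clue someone could learn about a person:
    where and when they bought, optionally also how much."""
    _, shop, day, price = rec
    return (shop, day, price) if use_price else (shop, day)


def index(transactions, use_price):
    """Map every (shop, day[, price]) point to the set of tokens that have it."""
    idx = {}
    for rec in transactions:
        idx.setdefault(point(rec, use_price), set()).add(rec[0])
    return idx


def candidates(transactions, clues, use_price=False):
    """Tokens whose records contain every clue; a single token means re-identified."""
    idx = index(transactions, use_price)
    result = None
    for clue in clues:
        hits = idx.get(clue, set())
        result = hits if result is None else result & hits
    return result or set()


def unicity(transactions, k, use_price=False):
    """Fraction of customers singled out by k of their own points, averaged
    over all k-subsets of each customer's records."""
    idx = index(transactions, use_price)
    by_token = {}
    for rec in transactions:
        by_token.setdefault(rec[0], []).append(point(rec, use_price))
    per_customer = []
    for token, points in by_token.items():
        subsets = list(combinations(points, k))
        if not subsets:          # fewer than k records: nothing to test
            continue
        unique = sum(
            1 for s in subsets
            if set.intersection(*(idx[p] for p in s)) == {token}
        )
        per_customer.append(unique / len(subsets))
    return sum(per_customer) / len(per_customer) if per_customer else 0.0


if __name__ == "__main__":
    # Three known purchases are enough to pin down tok-7f3a without prices;
    # with prices, two are.
    print(candidates(TRANSACTIONS, [("bakery", 3), ("pharmacy", 5), ("cafe", 9)]))
    print(candidates(TRANSACTIONS, [("bakery", 3, 4.50), ("pharmacy", 5, 20.00)], True))
    for k in range(1, 5):
        print(f"k={k}: unicity {unicity(TRANSACTIONS, k):.3f} "
              f"(with price {unicity(TRANSACTIONS, k, True):.3f})")
```

Even on four customers the pattern of the study shows: each added point, and adding price, pushes the unique fraction toward 1.0.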
CEO/CFO/CIO/CSO, YOU ARE LIKELY WRONG! SEE TWO IBM "i" SPECIFIC SOLUTIONS BELOW.
What your bank/acquirer should be telling you about PCI Compliance, and likely has not
Curbstone is concerned that iSeries, Power System i, AS/400 users who THINK they are PCI compliant, ARE NOT! This is a high level guide to show you how to get your company on track with PCI compliance.
PCI APPLIES TO YOU!
If you accept payments by credit cards or debit cards YOU MUST BECOME PCI compliant.
PCI is a security standard, “Industry Best Practices,” that MUST be adhered to by ALL companies that process, transmit or store credit card information. Note the use of the THREE actions:
ANY ONE OF THE THREE puts you squarely in PCI scope.
Do not just focus on only the STORAGE of data, as handling card data in your screen, on your terminals or workstations, or over your network is what truly puts you IN SCOPE.
If credit card data is KEYED or SWIPED into ANY application on a workstation on your network, your ENTIRE network is “IN SCOPE”. Everything connected by copper wires or Wi-Fi is included in the scope.
Curbstone credit card processing software
The result of over two decades of evolution, Curbstone's software is the leading solution for secure card handling on the IBM iSeries, System i, and AS/400 platforms. Selected by IBM for their System i Developers' Roadmap, Curbstone is the pre-eminent vendor for this space, and our software is built on the first commercial credit card software for the AS/400, written by Curbstone Founder, Ira Chandler, in 1993. Just call 888-844-8533 with your questions!
| Feature | Benefit | Included |
|---|---|---|
| Native interface for iSeries System i | Integrate to your apps with in-house expertise, 15 lines of code | √ |
| Support by many third party software vendors | Plug and Play with many ERP off-the-shelf order-entry packages | √ |
| Unlimited technical and operational support | Call us first, don't fight to decide who can best assist | √ |
| Entire process developed around TOKENIZATION | Eliminate unnecessary use of plain text card numbers | √ |
| Full support for referential transactions | Refer to any prior transaction by its token, for reuse | √ |
| Reduce PCI exposure with remote tokenization | Offload storage of sensitive data from your systems | √ |
| Removes e-commerce shopping cart from PCI Scope | Use Payment Landing Pages (PLP) to offload card handling | √ |
| PCI validated as Service Provider Level 1 | Highest security, greatest peace of mind, least risk | √ |
| PCI validated as PA-DSS for software component | Highest security, greatest peace of mind, least risk | √ |
By Rich Loeber
The first line of defense for most systems is the combination of user profile and password. For most IBM i shops that I've worked in, once you know one user profile, you can usually guess most of the rest of the user profiles. Different shops use different approaches, but they all seem to key off the user's name or initials. Some shops may use a more obscure method, but that only tends to make support more difficult when you need to quickly identify the user based only on their profile name.
Given that guessing a user profile can be pretty easy, it makes it very important that passwords not fall into the category of being easy to guess. For many years, the IBM i OS has provided tools to let you implement a variety of measures to help you with this goal. This tip will look at some of these and point you in the direction where you can find even more.
The keys to knowing how to enforce password rules are found in the system values that are included in the IBM i OS. The OS includes a whole set of system values that start with QPWDxxxxx. Each of these can be used to do things like set the password expiration time period, limit specific characters in a password, limit adjacent characters and digits, enforce password length minimums and maximums, control how often a password can be reused and more. My personal favorites in this set of rules are to disallow any vowels in a password, disallow repeating characters and require at least one digit. These simple rules go a very long way in forcing users to create passwords that are hard to guess.
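A checker that scores candidate passwords against the rules the tip names, as an added example rather than IBM's code or anything from the tip. The dictionary keys are the real QPWD* system value names, but the settings are a constructed policy and the checks are a plain re-implementation of what each value enforces; the `check_password` and `audit` helpers, and the upper-case comparison, are assumptions of this example.

```python
"""Checker modelled on the QPWD* password system values that the tip names.
Added example, not IBM's code: the keys are the real system value names
(QPWDMINLEN, QPWDMAXLEN, QPWDLMTCHR, QPWDLMTAJC, QPWDLMTREP, QPWDRQDDGT),
but the settings are a constructed policy and the checks re-implement what
each value enforces, so candidates can be scored offline before the values
are changed on a real system."""

# Constructed policy: one entry per system value the tip mentions.
POLICY = {
    "QPWDMINLEN": 8,        # minimum length
    "QPWDMAXLEN": 10,       # maximum length
    "QPWDLMTCHR": "AEIOU",  # characters that may not appear (no vowels)
    "QPWDLMTAJC": True,     # no two digits next to each other
    "QPWDLMTREP": True,     # no character used more than once
    "QPWDRQDDGT": True,     # at least one digit required
}


def check_password(pwd, policy=POLICY):
    """Return the names of every rule the candidate password violates.
    Comparison is done in upper case (assumption: single-case passwords)."""
    upper = pwd.upper()
    violations = []
    if len(upper) < policy["QPWDMINLEN"]:
        violations.append("QPWDMINLEN")
    if len(upper) > policy["QPWDMAXLEN"]:
        violations.append("QPWDMAXLEN")
    if any(c in policy["QPWDLMTCHR"] for c in upper):
        violations.append("QPWDLMTCHR")
    if policy["QPWDLMTAJC"] and any(
        a.isdigit() and b.isdigit() for a, b in zip(upper, upper[1:])
    ):
        violations.append("QPWDLMTAJC")
    if policy["QPWDLMTREP"] and len(set(upper)) != len(upper):
        violations.append("QPWDLMTREP")
    if policy["QPWDRQDDGT"] and not any(c.isdigit() for c in upper):
        violations.append("QPWDRQDDGT")
    return violations


def audit(candidates, policy=POLICY):
    """Map each candidate to its violation list; an empty list means accepted."""
    return {pwd: check_password(pwd, policy) for pwd in candidates}


if __name__ == "__main__":
    # Constructed candidates: guessable ones first, then two that pass.
    for pwd, bad in audit(["PASSWORD", "JSMITH1", "PLT12XYZ", "TRKS9",
                           "BLTZ7KRQ", "mxqd4zwpk"]).items():
        print(f"{pwd:<10} {'accepted' if not bad else ', '.join(bad)}")
```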
In 2014, at least 644 data breaches have been reported, a 25.3 percent rise from the same period last year, according to the Identity Theft Resource Center. Hackers have stolen millions of customers’ email addresses and credit and debit card information given to Target, Neiman Marcus, Michaels, UPS, Dairy Queen, Goodwill and others.
Credit and debit card and contact information from more than 110 million Target customers was exposed. Target posted its lowest store traffic in three years shortly after the breach was announced. First-quarter profit fell 46 percent, but the cost to Target, about $140 million, is much less than T.J. Maxx’s in 2006 when it suffered a similar but much smaller data breach.
Some 45% of Americans say they or a household member has had credit- or debit-card information stolen in a data breach, according to a WSJ/NBC News poll. Recent breaches have hit Home Depot and J.P. Morgan Chase.
Kisco has released a new, AFFORDABLE tool that could be of interest to those requiring a high-level tool to assist in enforcing security standards like PCI.
Curbstone has no formal relationship with Kisco, but we are aware of their long history as a quality software vendor for the AS/400, then the iSeries, and now the IBM System i.
iSecMap is a new security mapping and enforcement tool for your IBM i system (Power System/i, i5, iSeries or AS400). iSecMap creates a comprehensive map of the security configuration and settings on your system and then automatically monitors your system for changes.
iSecMap works with
- security system values
- user profiles
- group profiles (including supplemental groups)
- authorization lists
- library level security
- library object security
- objects stored in IFS paths
- and more...
In each area, you establish a baseline of information about the security and then iSecMap checks for changes. Live alerts can be issued to let you know when your security has changed from the way you set it up. This lets you enforce your security environment without finding a surprise at an unexpected event.
You can see more details about iSecMap at their website: http://www.kisco.com/ism/
The AS/400 family of systems covers a wide range of users. A small system might have three to five users, and a large system might have several thousand users. Some installations have all their workstations in a single, relatively secure, area. Others have widely distributed users, including users who connect by dialing in and indirect users connected through personal computers or system networks. Security on the AS/400 system is flexible enough to meet the requirements of this wide range of users and situations. You need to understand the features and options available so that you can adapt them to your own security requirements. This chapter provides an overview of the security features on the system.
System security has three important objectives:
- Protecting against disclosing information to unauthorized people.
- Restricting access to confidential information.
- Protecting against curious system users and outsiders.
- Protecting against unauthorized changes to data.
- Restricting manipulation of data to authorized programs.
- Providing assurance that data is trustworthy.
- Preventing accidental changes or destruction of data.
- Protecting against attempts by outsiders to abuse or destroy system resources.
System security is often associated with external threats, such as hackers or business rivals. However, protection against system accidents by authorized system users is often the greatest benefit of a well-designed security system. In a system without good security features, pressing the wrong key might result in deleting important information. System security can prevent this type of accident. The best security system functions cannot produce good results without good planning. Security that is set up in small pieces, without planning, can be confusing. It is difficult to maintain and to audit. Planning does not imply designing the security for every file, program, and device in advance. It does imply establishing an overall approach to security on the system and communicating that approach to application designers, programmers, and system users.
As you plan security on your system and decide how much security you need, consider these questions:
- Is there a company policy or standard that requires a certain level of security?
- Do the company auditors require some level of security?
- How important is your system and the data on it to your business?
- How important is the error protection provided by the security features?
- What are your company security requirements for the future?
7 deadly PCI compliance mistakes you can't afford to commit:
- Not Managing User Permissions Properly
All user roles must follow all rules – even ones of least privilege. All permissions must be appropriate for the applications and processes a certain user deals with.
- Not Conducting a Readiness Assessment
This assessment should answer the questions “Who, what, when, where and why?” It’s a proactive, but necessary measure that keeps you in compliance so you don’t find yourself facing those huge fines we talked about earlier.
- Not Enough Support from Executives and Senior Management
Some tasks and processes you can do without the awareness or approval from leadership. PCI compliance isn’t one of them. If you don’t already have the support of organizational leaders, then it’s time to start conversations about PCI compliance. You must tell them the exact time and financial resources you need to make compliance a reality for your company.
- Ignoring Virtualization Compliance
Unfortunately, this often gets overlooked. If you have just a single virtual machine, your entire virtual infrastructure must comply with PCI standards. How they word this standard is somewhat vague. So, a large part of how the standard gets enforced is based on how auditors interpret it.
- Not Changing Vendor Default Configurations
If you leave default configurations in place, it’s easy to duplicate and deploy all your virtual machines. You can scan your IT infrastructure for new devices, but this doesn’t work very well in the case of virtual machines.
- Not Monitoring Log Data
Monitoring your log data is one of the key facets of PCI compliance. You also need to thoroughly protect it.
- Storing Cardholder Data as Plain Text
Less is more when it comes to cardholder data. Store as little of it as possible. If you absolutely have to store it, don’t keep the entire 16-digit card number. And of course, PIN and/or CVV data CAN'T and shouldn’t be in your log files either. All cardholder data should be encrypted, and encryption keys should be kept in as few locations as possible.
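The last two points, keeping log data clean and never storing a full card number or CVV in the clear, can be checked mechanically. The following is an added example (not code from the page or from any vendor): a log scrubber that finds card-number-shaped digit runs, Luhn-checks them to avoid mangling ordinary identifiers, keeps only the last four digits, and strips CVV/PIN fields outright. The log lines are constructed and use the well-known Visa and Mastercard test numbers.

```python
"""Scrub PANs and CVV/PIN fields from log lines before they are written or retained.

Added example, not part of the original post. Sample lines are constructed;
the PANs are public test card numbers, and the order id is a 16-digit value
that is deliberately not Luhn-valid so the scrubber leaves it alone.
"""
import re
from typing import List, Tuple

SAMPLE_LOG = [
    "2014-11-06 10:01:02 AUTH ok pan=4111111111111111 amt=19.99 cvv=123",
    "2014-11-06 10:01:03 AUTH ok pan=5555 5555 5555 4444 amt=5.00",
    "2014-11-06 10:01:04 ORDER created id=1234567890123456 customer=42",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that must never be logged at all, whatever their value.
_SECRET_FIELD = re.compile(r"\b(cvv2?|cvc|pin)\s*[=:]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan_digits: str) -> str:
    """Mask everything except the last four digits (separators are dropped)."""
    return "*" * (len(pan_digits) - 4) + pan_digits[-4:]


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Return (scrubbed_line, findings); findings names what was removed."""
    findings: List[str] = []

    def _pan_repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("PAN")
            return truncate_pan(digits)
        return m.group(0)       # Luhn failed: probably an order id, leave it

    def _secret_repl(m: "re.Match[str]") -> str:
        findings.append(m.group(1).upper())
        return f"{m.group(1)}=[REMOVED]"

    line = _CANDIDATE.sub(_pan_repl, line)
    line = _SECRET_FIELD.sub(_secret_repl, line)
    return line, findings


def scrub_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Scrub a whole log; the findings column doubles as a compliance report."""
    return [scrub_line(ln) for ln in lines]


if __name__ == "__main__":
    for scrubbed, found in scrub_log(SAMPLE_LOG):
        print(f"{','.join(found) or '-':8} {scrubbed}")
```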
The AS/400, iSeries, System i that we run may be less susceptible to security breaches and have fewer vulnerabilities, but that is based on our operating and configuring them correctly in a secure manner.
The task of securing computer systems has been with us for decades. Over the last several years, a number of new United States (U.S.) and country-specific laws and regulations have come into effect. In the U.S. these include:
- Payment Card Industry (PCI)
- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO/IEC 27000-family information security standards (ISO27k)
These laws and regulations are forcing organizations to reconfigure and more closely audit their systems’ accessibility to be compliant with security and privacy requirements. Depending upon the nature of your business and country requirements, demonstrating compliance with these regulations is becoming a requirement to do business.
Some regulations come from government agencies, and others come from essential business partners such as payment card processors VISA and MasterCard and others. New regulatory requirements require that IT professionals adapt to new ways of working and new ways of thinking about and tracking security.
This publication addresses the security capabilities available under IBM i 6.1. Before addressing IBM i specifics, we spend time in this chapter going over some security basics that evolve into making use of IBM i security capabilities. If you are well versed in these basics, you may skim through the content in this chapter and quickly go to the succeeding chapters.
In general, computer security involves the implementation of specific measures taken to protect a computer environment against espionage, sabotage, crime, attack, or any type of unintentional or accidental harm. The computer environment is inclusive of the hardware, network, applications, and data.
To implement computer security, you must understand and analyze the risks to the computer environment and take appropriate actions to reduce the risks to the acceptable level appropriate for the organization. No consultant or auditor can tell you how to set up security for your organization unless they have a complete understanding of your organization’s assets, threats, risks, and environment.
To determine the proper security settings for a system, you must implement a security program. This chapter introduces many of the terms used in a security program. Chapter 2, “Security process and policies” on page 13, introduces the process to follow to build a security program. A security policy is the central component of a security program and must be documented before the proper level of security controls can be applied to the computer environment.
Everyone from senior management to users should be concerned with security. Security protects your computer system and sensitive information from both intentional and unintentional security breaches.
An important step in implementing a security program is to determine which systems, information, and additional items to secure. After you establish your security policy, you must conduct training to educate the users to be compliant with the new security rules. Security is what you have after you analyze the risks, lessen the risks that you can, and know which risks you have chosen to accept.
Guidance from the SANS Institute on System i system value settings.
The purpose of this document is to assist anyone configuring or auditing iSeries and System i (formerly known as AS/400) system values. This document should only serve as an informational guide and represents a security consultant's opinion on what the "Best Practice" setting should be in a typical corporate environment. Appropriate system value settings for the reader's environment may differ due to varying circumstances.
This paper begins with a brief introduction of the iSeries platform. Next, a high level overview of how an iSeries machine functions is given, which leads into specifically discussing the system values.
Fifteen of the most important system values have been chosen and will be analyzed in the following paper.
Although system values from all areas of the iSeries platform are analyzed, an emphasis has been placed on system values related to iSeries security. Each system value bullet point contains a description of what that value controls and an explanation for each option associated with the system value. Last, a Best Practice setting is suggested in addition to the reasoning behind such a suggestion.
The IBM AS/400 (short for Application System/400) is a line of minicomputers that was introduced in 1988 and is still a popular choice today among IT professionals and a wide range of companies. However, the AS/400 has recently become known as the iSeries. All models of the iSeries run on a version of the Motorola/IBM 64-bit RISC (Reduced Instruction Set Computer) PowerPC processor specifically optimized for the OS/400 operating system. The iSeries is IBM's midrange series of computer systems used primarily for business applications, most of which are written in RPG III and RPG IV. There are 25,000 applications and 3,000 client/server applications that run on the iSeries machines. The iSeries serves in a variety of networking configurations: as a host or intermediate node to other AS/400s and System/3x machines, as a remote system to mainframe-controlled networks, and as a network server to PCs. It is capable of supporting up to sixteen area networks, each with hundreds of clients.
On the iSeries, all user and system data structures are held in objects (files, folders, libraries, menus, programs, user profiles, etc.). It is possible to see in the objects only via their defined interfaces. iSeries operates on object-level security. The iSeries comes with four major operating system components: Integrated Communications, Integrated Database, Integrated Work Management, and Integrated Security. The functions within the Integrated Security component protect all objects and data from unauthorized access. The iSeries has default values known as system values, which can be used to control the operations of the system. System values are a part of iSeries and cannot be created by a user. However, most can be changed to customize your system according to your requirements. System values are used as default parameters in many commands and object descriptions. Other system values control the operation of certain parts of the operating system.
Every AS/400, iSeries, "System i" IT shop has some sort of change-management system. And it's often more a burden than a help. Why? Because of a number of change management myths that we hold near and dear.
Written by David Shirey
The single most unheeded dictum, which seems to come from every successful entrepreneur-turned-billionaire, is to not be afraid of making mistakes. In fact, many people proudly declare that mistakes are the only way you make progress, and they attribute much of their success to their ability to make mistakes. Interestingly enough, this never seems to have worked out for me, but they're the rich ones, so they must know.
But ours is a world of caution, and it's one company in 10,000 that truly does not consider mistakes a cardinal sin. Careers are shipwrecked on mistakes. In many companies, management never remembers your victories, only the goofs.
Because of this deeply ingrained mindset, change control has evolved from the coder's helper to the coder's nightmare, and more than one company has set up change-control systems that double or triple the time it takes to get something "to market" without really providing any additional safety.
Here are just a few of the change-management myths we have embraced that have helped it grow from a tool to a prison.
Another suspected POS breach involving card data theft at Chick-fil-A restaurants.
Up to 9,000 card numbers have been reportedly stolen. Did the PCI DSS V3 fail or were PCI requirements missed?
The official statement from the company is linked below but more analysis has been provided by Brian Krebs.
Krebs suspects this breach has all the hallmarks of other POS breaches reported during 2014 at Jimmy John's and Dairy Queen. There has been a suggestion that franchises of these chains use the same Signature Systems Inc PDQ POS systems, which are known to have been compromised via stolen access credentials intended for remote support.
Anyone using PDQ POS systems should confirm that support access credentials for their systems have been recently updated, and that they are regularly changed going forwards.
Of course, PCI DSS Version 3 specifically mandates the need for Service Providers to use unique and regularly changed access credentials for precisely this reason (see Requirement 8.5.1 – Unique Authentication Credentials for Service Providers) so it seems that PCI compliance was not being met.
Read the full Krebs on Security Chick-fil-A article
Read the full Chick-fil-A statement on the breach
One of the key risk enhancers to many technology projects is the lack of evaluation of the cyber-security risk, introduced to the organization by carrying out the project. If organizations do carry this out it is usually at the end of the project or after the event (if at all). Unevaluated risks could include:
- Unapproved ports being opened on firewalls which allow access to the network and critical
- Using critical data in a new way that increases a risk of breach
- Poor coding allowing vulnerabilities to be introduced
- Third parties accessing critical data in an unsecured manner
- Unapproved users being given access to critical data in a new application
Project Management processes should include formal gateposts built in whereby a security analysis is required to take place. The objectives of the security gatepost in the projects should be:
- Evaluation of the risk associated with the implementation of new technology or change to the existing technology.
- Evaluation of the data that will be a part of the project and the behaviors the change will bring upon that data.
- Security code review (if part of the project).
- Vulnerability scans to ensure that prior to deployment to production the changes are secure.
- Access changes required to the systems.
You must identify issues within change and project management practices related to security controls and implement improvements within those processes.
Recent investigations into Home Depot's massive security breach that occurred earlier this year uncovered evidence that the damage was worse than previously expected and that a Windows vulnerability in the retailer's main computer network allowed hackers access.
Most of us in the AS/400 - System i arena are aware that Home Depot's corporate business runs a huge number of iSeries systems. We should note that connecting them to weaker links, or more vulnerable operating systems, diminishes their stature as the most secure commercially-available system.
Home Depot announced that roughly 56 million credit card accounts and 53 million email addresses were compromised.
Hackers took advantage of a security hole in Windows, which enabled them to spread malware and collect customer data, according to the Wall Street Journal.
"These [compromised] files did not contain passwords, payment card information or other sensitive personal information," Home Depot said in a statement that detailed the findings of weeks of investigation by the retailer, in cooperation with law enforcement and the company's third-party IT security experts.
"The company is notifying affected customers in the U.S. and Canada," Home Depot explained. "Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails."
Carol Woodbury, world-renowned security expert, provides the details in her killer article on increasing AS/400, iSeries, System i security as it relates to the thing we all love to hate - OUR PASSWORDS!
You may not realize it, but many of the organizations recently breached are large IBM i shops. We'll never know whether our beloved IBM i was breached because that information is never published. But to dismiss the possibility out of hand and ignore steps that you can take to protect your organization and—more importantly—the data on your IBM i systems is putting that data at significant risk. This article focuses on protecting passwords since exploiting stolen credentials (user IDs and passwords) is one method being used by hackers to gain access to data.