Focused on the IBM System i, iSeries, AS/400
Table of Contents
- Who is Curbstone?
- 30 Minute Webinar: TSYS Bumps Your Profits
- Apple Pay
- Comprehensive, Informative Article “PCI for i” at MCPress
- Download our WhitePaper: CAGE THE PCI BEAST
- Selected PCI Download Resources
- Your Personal Webinar on PCI Avoidance With Curbstone
- EMV by 2015
- Monitoring, consider Halcyon
- More Data Breaches
- Not yet a Customer?
- We are Golden, Says TSYS
- CorrectConnect (C3) Updates
Partner TSYS Increases Your Profit Margin .5 to 1.0%
Accept cards for payment of B2B sales? 30 Minute webinar shows a PAINLESS way to decrease charges on Corporate cards
TSYS has been a partner of Curbstone since our inception, and they have an intimate knowledge of transaction processing on the IBM AS/400, iSeries, and Power System on IBM i. Level III Cards are Corporate Purchasing Cards used primarily in B2B purchases, where the cardholder wants a record of the entire purchase electronically. They can create POs after-the-fact, for instance, so they save money and monitor their purchases better. Passing Level III data with Curbstone and partner TSYS can increase the margin on your sales by 0.5% to 1.0% on Corporate, Business, and Purchasing Card transactions.
Curbstone’s 30 minute LEVEL III webinar will cover ALL of the important topics.
TSYS is a Curbstone Partner who has expertise in supporting merchants based on the IBM i and iSeries AS/400.
Who is Curbstone?
SUMMARY: An IBM Business Partner who specializes in getting you paid
Founded in 2002, Curbstone is a software and services provider specializing in payment middleware, with a focus on the IBM System i and iSeries. Certified as secure by the PCI as a Payment Application vendor since 2004, we have escalated our security to the highest level, and have just been certified as secure as a “Service Provider Level 1”. This is the same level that a bank or authorization network must achieve. This was done to prepare for the deployment of our next-generation service, Curbstone CorrectConnect, a secure Internet Portal.
SUMMARY: Apple makes a big move in payments, uses remote tokenization
OCTOBER 20, 2014 – Release day for Apple iOS with Apple Pay. In this great example of the new breed of card processing, Apple Pay isolates your card number back at the bank that issued it. Apple Pay uses a combination of the Touch ID fingerprint sensor and an NFC chip inside the iPhone 6 and iPhone 6 Plus to allow owners to touch a sensor at a store and confirm a payment with Touch ID. At no time is that card number in your possession, and even better, it is never in the possession of someone where you are shopping. These numbers are never stored on Apple servers. With Apple Pay, when you add your card to Passbook, a unique Device Account Number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip in iPhone.
This is the true “remote tokenization” that provides a high level of security. In fact, Curbstone started using “local tokenization” back in 2003 when we designed Curbstone Card. This allowed the systems to perform transactions on cards that were securely stored in the encrypted database without bringing them to visibility in the application. Apple has taken it a bit further. As the Point of Sale hardware and system providers increase support for Apple Pay and the other forms of remote tokenization, Curbstone will include them in our suite of supported methods. More to follow…
Comprehensive, Informative Article on “PCI for i” at MCPress
SUMMARY: Everything you need to know about System i and PCI, really
Non-commercial, educational content, SPECIFIC to the System i, AS/400:
ACTIVITIES THAT QUALIFY YOU FOR A PCI AUDIT or SAQ:
“Store: Retain cardholder data (in any way) in non-volatile storage
- Write data to disk in physical files
- Write data to disk IFS root file system files

Process: Handle cardholder data (in any way) in volatile storage
- Accept keyed card data into a screen on any workstation
- Accept swiped mag stripe data into a screen on any workstation
- Accept card data in a browser screen generated by your software/server

Transmit: Send cardholder data from any system to any other
- Send cardholder data from an e-commerce server to your IBM i
- Send data from any workstation to your IBM i
- Send data to an authorization network for validation”
Download our WhitePaper: CAGE THE PCI BEAST
“Meeting these ever-intensifying PCI DSS mandates poses unique challenges to companies whose main business system is the IBM Midrange AS/400, System i.”
We list 10 critical questions, and if you answer NO to ANY of these, you are likely in violation of the PCI DSS!
Selected PCI Download Resources
SUMMARY: Recommended links from the Payment Card Industry Security Standards Council
Agree to the terms on some, to download
· Quick Reference Guide
· Glossary of Terms and Acronyms
· PCI DSS 3.0 Best Practices Standards
· The typical Self Assessment Questionnaire for System i merchants, the “D”
· Excellent step-by-step guidance to get compliance done efficiently
· Worksheet for above to assist in prioritizing compliance efforts
· Detailed Report of Compliance for Merchants to fill in
· Attestation of Compliance for submission to your bank/acquirer
SUMMARY: October 2015 is one year away, so EMV is coming to a register near you soon
In Europe, the “fish and chips” are typically bought with a “chip and pin”. This is the general characterization of the EMV standard from Eurocard, Mastercard and Visa. The chip and pin use a smart card with a cool contact patch on the front with which the card terminal communicates. This allows a sophisticated exchange of data that is far more secure than the plain text data on the magnetic stripe of existing cards.
Partner HALCYON, First Choice for Monitoring the i
SUMMARY: When downtime is not an option, comprehensive system monitoring is the answer
Curbstone has intense requirements for monitoring systems and infrastructure. For our PCI components, we have deployed extensive monitoring, logging, and analysis layers. One product that has impressed us is from Halcyon Software. This mature, comprehensive system is perfect for enterprises needing monitoring of Systems, Applications, Infrastructure, and just about anything else that is a key part of your operation. They specialize in preventing business disruption, and are fully cross-platform. They have one-click “templates” to support Infor, JBA, SAP, JDE, and many others. Check them out at http://www.halcyonsoftware.com/. Stay tuned for a special announcement. Remember, payment card processing certainly is mission-critical…
More Card Data Breaches, What to Do
SUMMARY: PCI has complete security Best Practices policies available for download
Seems like every day, another organization is hit with a breach of security resulting in loss of data. And from what we see, the vast majority of breaches were avoidable. SO WHAT TO DO? Follow the PCI Best Practices security guidelines. If you were to hire a consultant to create a comprehensive security plan, you could spend literally hundreds of thousands of dollars to develop what you can download for free, here: https://www.pcisecuritystandards.org/security_standards/pcidss_agreement.php (Agree to the terms to download)
This is also supported by the Self-Assessment Questionnaire (SAQ) that puts the document into clear action items. https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.docx If your organization touches card data, as the PCI says “processes, transmits, or stores” it, then likely you qualify to complete this particular SAQ. To facilitate the implementation, they also provide, at no cost, these two tools to use to BECOME compliant: https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3_.pdf and https://www.pcisecuritystandards.org/documents/Prioritized_Approach_v3.xlsx.
Note that about ONE in SEVEN breaches was done by INSIDERS. This is an area where the PCI standards really shine, as securing your internal systems is generally easier, faster, and less expensive than the external hardening. This critical vulnerability alone is good reason to implement the PCI standards.
Not Yet a Customer?
SUMMARY: If you want to accept card payments on the “i”, we are your best choice
Curbstone is a software vendor and IBM Business Partner whose founder wrote the first commercial card software for the IBM AS/400 in 1993. Our legacy product, Curbstone Card™, is the ONLY Payment Server software selected by IBM for the System i Developers’ Road Atlas. With over 3000 Merchant IDs handled, Curbstone is the leading IBM Midrange software vendor. Since we are the glue that connects you, the merchant, to the authorization network and bank/acquirer, we do not share in the rates or charge a per-transaction fee. Your relationship with your bank/acquirer is retained, and we work to ensure that you get the BEST rate possible. You can even change your bank/acquirer if you choose, and we will reconfigure your Curbstone software for free, once per year, while under support.
We are Golden, Says TSYS
SUMMARY: Total Systems honors Curbstone’s 11 years of support and service
Certified GOLD Partner, that is. With a total 21-year history with this authorization network, Curbstone qualified again for this prestigious status. Since TSYS is prevalent in providing authorization network communication services for so many small banks, acquirers, and ISOs, we connect to them for just over half of all of our customers. Their reliability and processing speed are legendary. Likely, you will hear little about them, as your Merchant Agreement will likely be with the Bank/Acquirer that specifies your rates. But, working behind the scenes, they process over $1 trillion a year in credit and debit card transactions. One TRILLION. They are the largest processor of merchant acquirers and bank credit card issuers (#1 for credit card issuers and #2 for merchant processing) in the United States.
CorrectConnect (C3) Updates
SUMMARY: Curbstone completed audit and is PCI “Service Provider Level 1”
On May 13, Curbstone completed an eight month security audit by our Qualified Security Assessor, CompliancePoint. We engaged them over three years ago to design and assist in implementing an Internet Portal so we could provide advanced functionality for our customer base. This process required Curbstone to develop past the Payment Application Data Security Standard (PA-DSS) for which we have qualified for the last nine years, and instead to meet the far more demanding “Service Provider” Data Security Standard. This is the same security dictate that PayPal, authorization networks, and banks must adhere to, so it was a daunting and expensive task for our small company.
The result of the effort is a fully PCI security compliant processing portal in a PCI-validated data center, using the State of the Art Universal Threat Management and firewall technology, implemented by recognized experts in the security field. In addition, the entire system, including the supporting arm at our headquarters, is redundant, with instant failover at every possible level. Thanks to CompliancePoint for helping us achieve this impressive accomplishment.
Schedule Your Personal CorrectConnect (C3) Webinar
SUMMARY: Learn about our New SaaS CorrectConnect™ portal for PCI AVOIDANCE – Learn:
· PCI Security Compliance – the ESSENTIALS
· Offloading the storage of card info to Curbstone’s Portal
· “Payment Landing Pages™” offload your e-commerce payments
· Retain your bank/acquirer and existing Merchant Account
· more to SAVE YOU TIME, MONEY, and PCI compliance complexity…
“Informative presentation! Good balance of sales & technical data.” P.B.
“I found the Webinar to be a good refresher for how the Payment Card
Industry operates. Ira presented C3 Curbstone in terms the rest of
us can understand. …Overall, it was a good presentation.” R.K.
“Thank you for an excellent webinar presentation yesterday.” B.J.
“I was impressed with the changes to Curbstone's software…” J.R.B.
“This afternoon's presentation was certainly informative and the C3
product looks like it helps immensely dealing with PCI compliance.” K.K.
“Great Job! Thank you for such an awesome webinar.” H.D.
“Very good presentation!” A.S.
“I like what I see…” D.P.
CompliancePoint, PCI Security Assessors
SUMMARY: Our choice for Security Auditing and Consulting
Over the years, Curbstone has employed four different security auditors. By far, the most effective has been the crew from CompliancePoint http://www.compliancepointis.com/. If you are interested in security for your organization, they are the nationwide auditors who we strongly recommend. We encourage you to contact them for info on their services, and please mention we sent you. Curbstone does not receive any fees from them for referrals or engagements, we recommend them because we trust and believe in them. A great contact is Jeff Brown, 770-255-1020 or firstname.lastname@example.org.
C3 Deployment Date
SUMMARY: Release date depends on others, now…
A common question... The frank answer, we do not know yet. The majority of the remaining process is out of our hands. Much of it is administrative processing by the auth networks with whom we are certified, and some of it is waiting on Visa and MasterCard. In spite of the fact that we do NOT “board” merchants or sell processing services, the card industry is very discriminating as to who they allow to handle merchants’ transactions. The approvals have to come from all parties in the chain, and none of that could be initiated until we obtained the PCI Service Provider DSS certification. Since the bulk of the remaining process is in the hands of our auth networks and the card brands, we can only wait patiently. To learn more about what we are doing in the meantime, see the Beta topic right below.
We are proud to announce that we have completed 13 Beta releases of the client-side software for C3! Shortly, we will release the first “Release Candidate”. That is the version of the client-side software that is used by you, the merchant, to connect to the C3 Portal. A Release Candidate means that all of the required functionality for release 1.0 is included. Generally, no additional features will be added to a Release Candidate; only fixes will be performed to those key production features. This Release Candidate (“RC”) will go out to a select few Beta sites for initial testing, then to a broader Beta population. Once we have a high confidence in the RC, we will release it to our Independent Software Vendor (ISV) Partners, and they will use it to test their integration. When their testing is complete, they will announce availability of their software that supports C3. Curbstone will then schedule upgrade implementations for those customers according to the Master Implementation Queue.
Master Implementation Queue
SUMMARY: Take your place in line ASAP for the Curbstone Card to C3 upgrade
Upgrading all of our hundreds of customers will take us a while. To manage that process, Curbstone is maintaining a Master Implementation Queue, which is a list of the customers in the order that we will schedule to upgrade them. Customers are added to the list in the order of their purchase of the upgrade. As they come to the top, customers will be given a proposed (earliest) upgrade date, and the customer can then schedule the upgrade on that date or at ANY time subsequent that is convenient for them. They will have priority on scheduling.
Those customers who are not in the queue should consider that Curbstone has a limited capacity to board merchants on C3. Whether that is at a rate of one a week, or five, the process will take a while. If taking advantage of the security enhancements of C3 is important to you, we suggest you contact us (firstname.lastname@example.org) for an upgrade quote ASAP! Much of our customer base has already purchased the upgrade and is already in the queue.
SUMMARY: Curbstone is working to complete required re-certifications for C3
One critical step of the process to bringing C3 Portal online is that we must perform formal testing with each network with whom we are certified. While this will mostly redo our most recent prior certification, in a few cases we will be adding support for recent industry mandates. The re-certifications will be performed with all C3 networks, which includes Paymentech, TSYS, and First Data.
Note that Elavon/NOVA and Global Payments are not on the list. We had to make the difficult decision to stop supporting Elavon and Global in C3. The primary reason for both was lack of merchant interest. We had only a small handful of customers on those platforms, and the cost of re-certification and supporting them going forward could not be justified. We believe our three supported networks offer comparable or superior technology, performance and cost of use for our clients.
TSYS, Paymentech, and First Data will all be supported in FULL multi-threaded mode, which will ensure that we have the capacity for even the largest enterprises. Note that the largest equipment rental organization in the US uses one single implementation of Curbstone Card to support all of its approximately 500 retail locations. That is the scalability that we designed into the software that has allowed us to deploy the bulk of it on the Portal with the confidence we can handle the load.
Curbstone Card (C2) Update
SUMMARY: Updating to most recent C2 is required to migrate to C3
From our inception as a company, the software you are running today was designed to allow you to update to a newer version ONLY when there was a compelling reason to do so. In this way, we did not FORCE you to update every time we release another version. So, we have worked hard to ensure that ANY version of Curbstone Card can update to any subsequent version directly. We know that is never the case with most software, and we know why. It is a major challenge to do that, but it was important enough for us to adhere to this policy over the last 12 years.
Now that we are going to migrate your card data from your AS/400 i to our C3 Portal, we are going to require that all customers be on the latest Curbstone Card version. Supporting innumerable different versions for the migration process is simply no longer possible. So, at some point in the future, but prior to your upgrade to C3, your company will update Curbstone Card to the latest version. Since the software on the merchant machine will be far simpler than your current C2 (though the user experience will remain largely unchanged), we do expect far less frequent changes of the merchant software than we have generated in the past. And, regardless, there is still no charge for updates, and we will gladly walk you through the process.
The Future of C2
SUMMARY: C2 will be end-of-life and you will get at least one year notice of end of support
Once C3 is fully deployed, Curbstone will not continue to support Curbstone Card (C2). If you have read the previous topics, the reasons should be obvious. So, at some point, Curbstone will officially “end-of-life” C2. Prior to that, in anticipation, we will notify our customers when they renew their existing ASUS that their renewal will be the last one for the C2 product. That provides over one year notice of end of support for C2. Since the C3 product was designed to replace C2 with identical functionality (so far as the merchant API – your Order Entry interface), the transition to C3 should be painless. In addition, we designed C3 to co-exist side by side with C2 on the same machine without conflict. This will facilitate simultaneous live operation and testing functions.
So, while the end of C2 is inevitable, the migration path is painless. For a more detailed analysis of the upgrade fee, just contact email@example.com. We can prove that C3 is economically valuable for even the smallest merchants.
Thank you for your interest in Curbstone.
President, Curbstone Corporation