What your bank/acquirer should be telling you about PCI Compliance, and likely has not

Curbstone is concerned that iSeries, Power System i, AS/400 users who THINK they are PCI compliant, ARE NOT!  This is a high level guide to show you how to get your company on track with PCI compliance.


If you accept payments by credit cards or debit cards YOU MUST BECOME PCI compliant.

PCI is a security standard, “Industry Best Practices,” that MUST be adhered to by ALL companies that process, transmit or store credit card information. Note the use of the THREE actions:

    1. PROCESS
    3. STORE

ANY ONE OF THE THREE puts you squarely in PCI scope.

Do not just focus on only the STORAGE of data, as handling card data in your screen, on your terminals or workstations, or over your network is what truly puts you IN SCOPE.

If credit card data is KEYED or SWIPED into ANY application on a workstation on your network, your ENTIRE network is “IN SCOPE”.  Everything connected by copper wires or Wi-Fi is included in the scope.



The AUTHORITATIVE document on what ALL Curbstone customers must do is the Payment Card Industry (PCI) Data Security Standard “Self-Assessment Questionnaire D”.  This is the comprehensive listing of what a CIO/CSO/MIS Director should be doing to secure their company’s data.  Download it here:

Only a QSA – PCI Qualified Security Auditor – can tell you exactly what your requirements are from a corporate view.  DO NOT RELY on any other authority or source.

If found non-compliant, you will be fined, and the bank might also terminate your relationship or increase your transaction fees. Be familiar with your merchant account agreement, which outlines your exposure.


The banks/acquirers with whom you have a formal Merchant Account are responsible for enforcing compliance, not the PCI council or Curbstone.  So you are legally responsible to satisfy the requirements of the bank/acquirer with whom you have a signed merchant agreement.  Unfortunately, banks are not technical, and their requirements sometimes misleadingly focus on “penetration/intrusion” testing of your IP address(s).  That is one single component of security, but DO NOT LET IT MISLEAD YOU; your corporate responsibility extends to truly protecting your company’s data.

A copy of the PCI DSS document is available here:


All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA").

Any entity, including merchants, that stores, processes or transmits Visa cardholder data must be PCI DSS compliant. In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Details at

Level / TierMerchant CriteriaValidation Requirements
1 Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company
    • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
2 Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by merchant bank



1. Curbstone Solution

We have developed two methods to minimize your cost and complexity of PCI compliance. They both hinge on taking your existing system out of PCI scope to varying degrees. Our latest technology (C3 with IPT and PLP) can take you 100% OUT OF PCI SCOPE.

  a - SECURE LOCAL STORAGE - Local Tokenization

Curbstone's legacy product, Curbstone Card™, licensed since 2004, meets the PCI requirements for the "Payment Application" component of your system. We refer to it as a "transaction processing engine". This is the set of programs used to process cards, not the user interface and order handling programs that are usually part of your ERP.  Our "engine" securely operates ON your system and stores the data encrypted per PCI requirements.  The responsibility is YOURS to insure that your ERP/Order Entry software is validated as PA-DSS secure. If your (non-homegrown) Order Entry software touches the credit card number, it is required to be audited to the PAS-DSS standard. Here is where to look it up, a list of PA-DSS Validated Apps from the PCI site:

Is your software vendor listed?


Curbstone has worked for the last three years on a portal-based solution to offload, initially, the STORAGE of the transactions from your system.  This new product, Curbstone CorrectConnect™, (C3) provides a lightweight program that runs on your iSeries System i, and communicates with our web-based portal.  All of the data storage is maintained on our portal, so the STORAGE component of STORE, PROCESS, or TRANSMIT is handled for you.  

To eliminate your PROCESSING and TRANSMITTING, as well, we developed "Isolated Payment Terminal" (IPT) and "Payment Landing Page" (PLP) technology.  For more information on how to TAKE YOUR EXISTING SYSTEMS COMPLETELY OUT OF PCI SCOPE, contact us at


2. PCI Solution

If you choose to continue to STORE, PROCESS, and/or TRANSMIT cardholder data from your existing infrastructure, you are obligated to follow the requirement of the PCI.

PCI compliance is a process, consisting of three steps: Assess, Remediate and Report.

To Assess is to inventory your IT assets and business processes for card processing and analyze them for vulnerabilities that could expose cardholder data. To Remediate is to fix those vulnerabilities. To Report entails compiling records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank with whom you do business. These three steps are an ongoing process. These steps also enable vigilant assurance of payment card data safety.

The PCI Security Standards Council provides a Prioritized Approach to help you understand how to reduce risk.

What Is the Prioritized Approach?

The Prioritized Approach provides security milestones that will help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance. The Prioritized Approach and its milestones provide the following benefits:

• Roadmap that an organization uses to address its risks in priority order

• Pragmatic approach that allows for “quick wins”

• Supports financial and operational planning

• Promotes objective and measurable progress indicators

This document has the details:


PCI DSS “Self-Assessment Questionnaire D and Attestation of Compliance”:

The PCI Data Security Standard Overview on PCI SSC Website:

FAQ’s on PCI:

Visa merchant levels chart: