Guidance from the SANS Institute on setting System i system value settings.
The purpose of this document is to assist anyone configuring or auditing iSeries and System i (formerly known as AS/400) system values. This document should only serve as an informational guide and represents a security consultant's opinion on what the "Best Practice" setting should be in a typical corporate environment. Appropriate system value settings for the reader's environment may differ due to varying circumstances.
This paper begins with a brief introduction of the iSeries platform. Next, a high level overview of how an iSeries machine functions is given, which leads into specifically discussing the system values.
Fifteen of the most important system values have been chosen and will be analyzed in the following paper.
Although system values from all areas of the iSeries platform are analyzed, an emphasis has been placed on system values related to iSeries security. Each system value bullet point contains a description of what that value controls and an explanation of each option associated with the system value. Finally, a Best Practice setting is suggested, together with the reasoning behind that suggestion.
The IBM AS/400 (short for Application System/400) is a line of minicomputers that was introduced in 1988 and is still a popular choice today among IT professionals and a wide range of companies. However, the AS/400 has recently become known as the iSeries. All models of the iSeries run on a version of the Motorola/IBM 64-bit RISC (Reduced Instruction Set Computer) PowerPC processor specifically optimized for the OS/400 operating system. The iSeries is IBM's midrange series of computer systems used primarily for business applications, most of which are written in RPG III and RPG IV. There are 25,000 applications and 3,000 client/server applications that run on iSeries machines. The iSeries serves in a variety of networking configurations: as a host or intermediate node to other AS/400s and System/3x machines, as a remote system to mainframe-controlled networks, and as a network server to PCs. It is capable of supporting up to sixteen area networks, each with hundreds of clients.
On the iSeries, all user and system data structures are held in objects (files, folders, libraries, menus, programs, user profiles, etc.). Objects can be accessed only through their defined interfaces; the iSeries operates on object-level security. The iSeries comes with four major operating system components: Integrated Communications, Integrated Database, Integrated Work Management, and Integrated Security. The functions within the Integrated Security component protect all objects and data from unauthorized access. The iSeries has default values known as system values, which can be used to control the operation of the system. System values are a part of the iSeries and cannot be created by a user. However, most can be changed to customize your system according to your requirements. System values are used as default parameters in many commands and object descriptions. Other system values control the operation of certain parts of the operating system.
Every AS/400, iSeries, "System i" IT shop has some sort of change-management system. And it's often more a burden than a help. Why? Because of a number of change management myths that we hold near and dear.
Written by David Shirey
The single most unheeded dictum, which seems to come from every successful entrepreneur-turned-billionaire, is to not be afraid of making mistakes. In fact, many people proudly declare that mistakes are the only way you make progress, and they attribute much of their success to their ability to make mistakes. Interestingly enough, this never seems to have worked out for me, but they're the rich ones, so they must know.
But ours is a world of caution, and it's one company in 10,000 that truly does not consider mistakes a cardinal sin. Careers are shipwrecked on mistakes. In many companies, management never remembers your victories, only the goofs.
Because of this deeply ingrained mindset, change control has evolved from the coder's helper to the coder's nightmare, and more than one company has set up change-control systems that double or triple the time it takes to get something "to market" without really providing any additional safety.
Here are just a few of the change-management myths we have embraced that have helped it grow from a tool to a prison.
Another suspected POS breach involving card data theft at Chick-fil-A restaurants.
Up to 9,000 card numbers have been reportedly stolen. Did the PCI DSS V3 fail or were PCI requirements missed?
The official statement from the company is linked below but more analysis has been provided by Brian Krebs.
Krebs suspects this breach has all the hallmarks of other POS breaches reported during 2014 at Jimmy John's and Dairy Queen. There has been a suggestion that franchises of these chains use the same Signature Systems Inc. PDQ POS systems, which are known to have been compromised via stolen access credentials intended for remote support.
Anyone using PDQ POS systems should confirm that support access credentials for their systems have been recently updated, and that they are regularly changed going forwards.
Of course, PCI DSS Version 3 specifically mandates the need for Service Providers to use unique and regularly changed access credentials for precisely this reason (see Requirement 8.5.1 – Unique Authentication Credentials for Service Providers) so it seems that PCI compliance was not being met.
Read the full Krebs on Security Chick-fil-A article
Read the full Chick-fil-A statement on the breach
One of the key risk enhancers in many technology projects is the failure to evaluate the cyber-security risk that carrying out the project introduces to the organization. When organizations do carry out such an evaluation, it is usually at the end of the project or after the event (if at all). Unevaluated risks could include:
- Unapproved ports being opened on firewalls which allow access to the network and critical
- Using critical data in a new way that increases a risk of breach
- Poor coding allowing vulnerabilities to be introduced
- Third parties accessing critical data in an unsecured manner
- Unapproved users being given access to critical data in a new application
Project Management processes should include formal gateposts built in whereby a security analysis is required to take place. The objectives of the security gatepost in the projects should be:
- Evaluation of the risk associated with the implementation of new technology or change to the existing technology.
- Evaluation of the data that will be a part of the project and the behaviors the change will bring upon that data.
- Security code review (if part of the project).
- Vulnerability scans to ensure that prior to deployment to production the changes are secure.
- Access changes required to the systems.
You must identify issues within change and project management practices related to security controls and implement improvements within those processes.
Recent investigations into Home Depot's massive security breach that occurred earlier this year uncovered evidence that the damage was worse than previously expected and that a Windows vulnerability in the retailer's main computer network allowed hackers access.
Most of us in the AS/400 - System i arena are aware that Home Depot's corporate business runs a huge number of iSeries systems. We should note that connecting them to weaker links, or more vulnerable operating systems, diminishes their stature as the most secure commercially-available system.
Home Depot announced that roughly 56 million credit card accounts and 53 million email addresses were compromised.
Hackers took advantage of a security hole in Windows, which enabled them to spread malware and collect customer data, according to the Wall Street Journal.
"These [compromised] files did not contain passwords, payment card information or other sensitive personal information," Home Depot said in a statement that detailed the findings of weeks of investigation by the retailer, in cooperation with law enforcement and the company's third-party IT security experts.
"The company is notifying affected customers in the U.S. and Canada," Home Depot explained. "Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails."
Carol Woodbury, world-renowned security expert, provides the details in her killer article on increasing AS/400, iSeries, System i security as it relates to the thing we all love to hate - OUR PASSWORDS!
You may not realize it, but many of the organizations recently breached are large IBM i shops. We'll never know whether our beloved IBM i was breached because that information is never published. But to dismiss the possibility out of hand and ignore steps that you can take to protect your organization and—more importantly—the data on your IBM i systems is putting that data at significant risk. This article focuses on protecting passwords since exploiting stolen credentials (user IDs and passwords) is one method being used by hackers to gain access to data.
A bank that sponsors merchants for the acceptance of credit card transactions.
The bank that maintains the merchant relationship and receives all transactions from the merchant.
ADDRESS VERIFICATION SERVICE (AVS)
A service that verifies the cardholder's billing address in order to help combat fraud in "card not present" transactions (e.g. mail order, telephone order, internet, etc.).
A bank that participates in another bank's card program, usually by turning over its applicants for bankcards to the bank administering the bankcard program and by acting as a depository for merchants.
AMERICAN EXPRESS OR AMEX
An organization that issues cards and acquires Transactions (unlike Visa and MasterCard, which are bank associations).
A code issued by a card-issuing bank allowing a sale to be charged against a cardholder's account. Approval means that the amount is within the cardholder's remaining credit limit and that the card has not been reported lost or stolen. Approvals are requested via an AUTHORIZATION.
MasterCard and Visa are the existing bankcard associations. Their purpose is to establish and administer the rules and regulations governing the credit card business. Discover and American Express are similar but not technically associations since they are single companies.
Judith S. Bines, CISA, CBM, CCFSA, PA
Over the last few years, due to the demand for more information technology work, there has been a trend of operational and financial auditors transitioning to performing IT audit. This new brand of auditor is challenged with learning IT, yet often does not have all of the necessary resources available to assist in this process. When faced with this dilemma, one must remember that everyone was a novice at least once.
Most will think that auditing an operating system is a high-tech adventure. Well, sometimes it can be. Any audit can be made as technical as the auditor performing the task is creative.
The main purpose of this article is to help the novice auditor, IT or otherwise, perform an IBM i, iSeries, AS/400 operating system review. All the auditor will need is a little background, access to an AS/400 security administrator and/or an AS/400 user ID, and knowledge of a few commands.
First, an auditor must understand what an operating system is. The easiest way is to think of the operating system as the core or foundation of the computer environment. The operating system is the foundation upon which all other programs rely. For example, in a microcomputer environment, Windows or Linux would be the operating system or the foundation upon which the application programs such as Microsoft Office, QuickBooks or Turbo Tax would rely. In a midrange environment, the OS/400, AIX or UNIX operating systems would be the foundation upon which an installation's general ledger system, human resource system or warehouse processing system would rely. The same concept also applies for the mainframe environment.
PCI’s Qualified Integrators & Resellers (QIR)™ Program
The QIR Program makes it easier for merchants to confidently deploy new security controls – and it also indicates your commitment to safeguard payment card data on their behalf.
As a trained PCI QIR you will gain these benefits:
- Achieve industry-recognized qualification
- Differentiate yourself by demonstrating your commitment to payment card security and PCI compliance
- Be included on merchants’ go-to global list of qualified integrators and resellers
- Receive specialized training from PCI SSC experts on guidelines for implementing and maintaining payment applications
- Earn CPE credits
The QIR training and qualification program provides you with the training and best practices to ensure a secure installation for your merchants. And it makes it easier for merchants to identify and engage integrators and resellers who are qualified to install their PA-DSS applications in a manner that facilitates PCI DSS compliance.
As an integrator/reseller you play a key role in the payment ecosystem. Enroll in the QIR eLearning course today!
Keep payment data safe – we can help!
Prior to the 2015 EMV chip and PIN upgrade deadline, cybercriminals are expected to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.
Read these articles for more insights:
Help your client secure their data - sign up for the QIR training course. Enroll in this self-paced eLearning course and become a QIR today!
The goal of this article is to help developers seamlessly integrate electronic payment systems (EPS) into their applications correctly. These applications can be traditional thick client solutions or web-based n-tier server solutions.
Curbstone specializes in the deployment of very thin client solutions using REMOTE TOKENIZATION for companies based on the IBM Power System running the IBM "i" Operating System (aka AS/400 or iSeries). These technologies use a locally-run very thin client to send non-sensitive card transaction data to the Curbstone Portal. Using different technologies, that non-sensitive data is married with the Card Number, Expiration Date, and Security Code to perform authorizations. Supported business types include e-commerce, Retail EMV, and Telephone Orders.
The Primary goal of Curbstone was to remove ALL EXISTING COMPUTING INFRASTRUCTURE FROM THE SCOPE OF PCI REPORTING. This means that nothing that currently exists can touch sensitive card data. The reason is that an audit of a very isolated, purpose-built system is WAY easier than auditing the entire computing infrastructure. The audits are quicker, easier, and more meaningful. The points of intrusion are reduced exponentially, reducing the risk of sensitive data loss.
The Secondary goal of Curbstone was to provide REAL-TIME, SEAMLESS INTEGRATION with Order Entry applications that run on the IBM i operating system. The very thin client of Curbstone's CorrectConnect (C3) provides the contact point on the system through which transactions are initiated. Since it is native on the IBM Power System, the programs there, with some very easy programming, can talk directly to it and pass the required transaction fields. Because the client is in real-time communication with the C3 Portal, those transactions are processed in a matter of seconds, returning the results to the client and then to the Order Entry application.
The Third goal of Curbstone is to process transactions that are well-qualified, and to avoid unnecessary downgrades and vulnerability to chargebacks. This is done by selecting the correct transaction type, populating all of the required fields correctly, and processing the authorization and settlement in a timely manner. While compromises must be made for required business processes, the goal is always to PAY THE LOWEST RATE!
Regardless of the application type, the integration needs to be done in a way that meets the financial industry requirements, the business process requirements, and the needs and usability requirements of the end-user of the application. Ideally, EPS should be done in a way that is invisible to the end-user of the application while providing the merchant the lowest possible processing rates.
These sound like obvious goals, but due to the convoluted nature of the payment industry and many developers’ lack of intimate understanding of it, these goals are seldom easily achieved. Developers often wish they could go back and redo an application knowing what they know after they finish. For this reason, it takes several attempts to get it right. Many basic but important errors can be avoided through proper initial planning. With Curbstone's UNLIMITED Implementation and Technical Support, we work hard to ensure the programmers are doing the correct things from the start. With MANY hundreds of implementations, we have a mature and effective process to make this happen.
The objective of this guide is to give the developer the basic knowledge of the payment industry needed to augment the Curbstone guidance to “get it right the first time.”
Security Expert, Carol Woodbury, of SkyView Partners, has published her FAVORITES list for 2014.
Favorite IBM i Report
My favorite IBM i report is the one generated from running Print User Profile (PRTUSRPRF) - or from running SkyView's Risk Assessor product. This report is actually four reports—all in the same spooled file. I use the first report to review users' group membership, special authority assignments, and limited capability setting. The second report lists configuration information such as the users' initial menu and initial program. The third report is useful in determining whether a profile has a password, the password last changed date, and the users' last sign-on date. (This shows when an organization is using the IBM-supplied profiles for inactive sign-on.) The last report is helpful when moving the system between password levels.
Favorite Security Report
I couldn't choose. I have two favorite reports. Verizon's Data Breach Investigations Report and the Ponemon Institute's Cost of Data Breach Report. Both reports are enlightening and show the trends of hacks and breaches.
We hope you've enjoyed the IBM System i (iSeries) Tips and Techniques we've sent out during 2014. In case you missed them - here is a quick refresh of Halcyon's most popular tips.
The government is looking to coordinate efforts to better prevent and respond to future finance industry hacks.
In the aftermath of a massive hacking attack on several banks this summer, the Senate Banking Committee will hold a hearing on Wednesday about protecting the finance industry from cyber crime.
High-ranking federal officials from the Federal Bureau of Investigation, the Secret Service, the Treasury Department and the Department of Homeland Security are scheduled to appear. The meeting is expected to focus on ways that the various federal agencies can better coordinate with one another in their efforts to prevent and respond to cyber attacks in the financial sector.
Political leaders are focusing on the issue after news in August that hackers hit JPMorgan Chase and several other banks in a massive cyber attack. JPMorgan later revealed that the attack compromised the accounts of 76 million households and 7 million small businesses, though the bank has said it has found no evidence of higher than normal instances of fraud or abuse of customer information.
By: Jennia Hizver, Consulting Practice Security Researcher and Consultant, AT&T
INTRO: Penetration tests are valuable for several reasons:
- Determining feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities resulting from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that are difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing magnitude of business and operational impacts of successful attacks
- Testing ability of network defenders to successfully detect and respond to attacks
- Providing evidence to support increased investments in security
Over the years of my career as a penetration tester, I have encountered many myths and misconceptions regarding penetration testing, some of which I’d like to share with you:
Myth #1: Vulnerability scanning can identify all vulnerabilities in an organization’s environment, and hence, penetration tests are unnecessary.
Myth #2: Professional penetration testers use expensive commercial tools.
Myth #3: One system compromise has no effect on other systems.
Myth #4: Penetration testing focuses on production networks containing sensitive data.
Myth #5: Penetration testers use the same approach and are likely to uncover the same issues.
- Penetration testing helps companies identify weaknesses in their IT environment.
- In spite of many myths, penetration testing provides valuable insight.
(Reuters) - The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment.
Cybersecurity experts said the malicious software described in the alert appeared to be the one that affected Sony, which would mark the first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.
"I believe the coordinated cyberattack with destructive payloads against a corporation in the U.S. represents a watershed event," said Tom Kellermann, chief cybersecurity officer with security software maker Trend Micro Inc. "Geopolitics now serve as harbingers for destructive cyberattacks."
The five-page, confidential "flash" FBI warning issued to businesses late on Monday provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware.
Security Market "Truths" for the IBM iSeries System i
- Security breaches & fear of data loss increased interest in Managed Security Services as a solution for organizations
- Increasingly complex security requirements and compliance reporting requirements are forcing organizations to outsource reporting and monitoring to experts
Curbstone has been distributing the authoritative security book by Carol Woodbury of SkyView Partners for the last dozen years. This organization has proven to be the leader in AS/400 security, and for the absolute proof, review some of the invaluable "Coffee with Carol" sessions.
To do security right requires tools, training, understanding of requirements, staff time and expertise. The problem is that you have limited resources. Have a qualified, third-party expert handle security monitoring/reporting.
We introduced SkyView Managed Security Services as a turnkey solution for monitoring and reporting on System i, iSeries, AS/400, security. We do the hard work, and summarize the details for you. You see the exceptions, not all the data. You leverage SkyView Partners' expertise to keep track of your security for you, without burdening your staff.
I'd like to show you the details. Email me to hear more. I invite you to a webinar on why SkyView should do your security work for you. Our goal is to become a trusted member of your team, dedicated to monitoring your security and reporting on compliance, resulting in valuable new insights.
Chairman, CEO and Co-Founder
SkyView Partners Inc.
425-458-4975 xt 718
Curbstone CorrectConnect™ Beta Program
Curbstone is deploying brand new technology that is based on an Internet portal to eliminate the requirement that the merchant store encrypted, tokenized data on their own iSeries, System i, AS/400. This is the result of four years of product planning and development that can ultimately take a Merchant completely out of PCI scope. Let me re-state that:
TAKE A MERCHANT COMPLETELY OUT OF PCI SCOPE!
This means that Curbstone's new technology can offload the "processing, storage, and transmission" of the cardholder data from the existing Merchant infrastructure, based on the IBM System i, iSeries, AS/400.
We are proud to announce that we have completed 14 Beta releases (as of 01/2015) of the client-side software for C3! Shortly, we will release the first “Release Candidate”. This tests the client-side software used by you, the Merchant, to connect to the C3 Portal.
A Release Candidate means that all of the required functionality for release 1.0 is included. Generally, no additional features will be added to a Release Candidate; only fixes will be performed to those key production features. This Release Candidate (“RC”) will go out to a select few Beta sites for initial testing, then to a broader Beta population. Once we have a high confidence in the RC, we will release it to our Independent Software Vendor (ISV) Partners, and they will use it to test their integration. When their testing is complete, they will announce availability of their software that supports C3. Curbstone will then schedule upgrade implementations for those customers according to the Master Implementation Queue.
A White Paper about security, and reducing the charges a merchant pays for credit card processing, as it affects users of the IBM Midrange System i, iSeries and AS/400.
Acceptance of debit and credit cards is a growing requirement for businesses of all sizes. Our focus here is on merchants accepting payment cards who base their operations on the IBM AS/400, iSeries, and now, System i.
Since 2005, the Payment Card Industry Security Standards Council (PCI) has imposed strict mandates, the Data Security Standards (DSS), to ensure the security of the computer systems that PROCESS, TRANSMIT, and/or STORE sensitive credit card data.
Every business that accepts card data in any way is subject to the requirements of the PCI DSS, and the compliance burden ranges widely based on transaction volume, type of business, handling of the card data, and software applications. At the top end, a company could be required to have a third-party Qualified Security Auditor (QSA), certified by the PCI, perform an extensive on-site analysis of its operation and systems. Another challenge is to find auditors who are familiar with the strengths of the IBM iSeries AS/400. The cost of these expensive and time-consuming audits can be controlled by partnering with an experienced organization with appropriate expertise.
Meeting these ever-intensifying PCI DSS mandates poses unique challenges to companies whose main business system is the IBM Midrange AS/400, System i.
So many of our customers are MOTO, and B2B, as that is typical for merchants on the IBM iSeries AS/400.
While recurring charges may be considered more typical of B2C, consider the following 8 points.
Should you charge one yearly sum, monthly, or even more frequent than that?
Ultimately, you have to make that decision for yourself. But in general, recurring billing works better for businesses than single, lump-sum payments. Giving your customers this payment option can give you these benefits:
1. Earn more business:
Customers in general are more willing to pay a low fee multiple times instead of a lump fee a single time. Plus, "set it and forget it" pays off in the end, because the charge is out of sight and out of mind for the consumer.
2. Manage your business more easily:
Instead of riding big waves and fighting through the lean times, you get a more even income stream throughout the year. It makes managing your business so much simpler.
3. Avoid contracts and get more sales:
If you charge a recurring fee, you can have customers sign up for your services via a subscription-based model. With fewer hoops to jump through, prospects are more willing to sign up for your services.
4. You can offer custom pricing plans:
If your customers pay a lump sum, do they have the option to customize the way they pay for your services? It’s easier to show them what they pay for and what they get when you use recurring billing.
Bill Lodes, TSYS Director of Developer Partnerships
Mobile payments, introduced years ago as the next revolution in payments, might finally be here with the launch of Apple Pay™, and it might just have the best chance for adoption yet.
Why Apple® will succeed.
Apple’s presence in the payments space will pose a tremendous impact on not just businesses and consumers, but also global behavior. Historically, Apple has been a great influencer of consumer behavior – just look at the role the iPod® played in transforming the way we listen to music. Apple is entering the world of payments with the same intention, positioned to change the way we live our lives.
Apple’s mobile payment solution will rise above the rest and is sure to help VARs acquire more customers. Here’s why:
When Apple Pay was announced on Sept. 9, 2014, it brought along a tremendous amount of support behind the new offering. Apple knew mobile payments had been introduced by others previously, and was aware of the adoption obstacles they had experienced. Changing consumer behavior would be a major challenge, but Apple knew they brought a different dynamic to this fight. With Apple’s 800 million iTunes® accounts they felt they had a leg up on the adoption curve, and planned to use that to their advantage. They also knew these accounts were only a piece of the pie, and to ensure success they would need to add brand-recognizable players into the mix. Teaming up with several large retailers, established banks, card brands and a select list of proven processors like TSYS, they would be able to hit the ground running.
Apple created a foundation of advantages few before them were able to achieve, and now needed the vehicle to enable this opportunity. The introductions of the iPhone® 6 and iPhone 6 Plus took the launch of Apple Pay above and beyond other efforts. Built on a password-less authentication framework, TouchID™ enables secure payments via Apple ID without the hassle of trying to type in payments details. With the upcoming EMV liability shift in October 2015, Apple has seemingly hit the mark on security.
"Computers in the future may weigh no more than 1.5 tons."
--Popular Mechanics, forecasting the relentless march of science, 1949
"I think there is a world market for maybe five computers."
--Thomas Watson, chairman of IBM, 1943
"I have traveled the length and breadth of this country and talked with the best people, and I can assure you that data processing is a fad that won't last out the year."
--The editor in charge of business books for Prentice Hall, 1957
"But what ... is it good for?"
--Engineer at the Advanced Computing Systems Division of IBM, 1968, commenting on the microchip.
"There is no reason anyone would want a computer in their home."
--Ken Olson, president, chairman and founder of Digital Equipment Corp., 1977
"This 'telephone' has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us."
--Western Union internal memo, 1876.
"The wireless music box has no imaginable commercial value. Who would pay for a message sent to nobody in particular?"
--David Sarnoff's associates in response to his urgings for investment in the radio in the 1920s.
"The concept is interesting and well-formed, but in order to earn better than a 'C,' the idea must be feasible."
--A Yale University management professor in response to Fred Smith's paper proposing reliable overnight delivery service. (Smith went on to found Federal Express Corp.)
Our partners at Halcyon are experts in System i monitoring and alerts.
Their suite provides the majority of the monitoring that is required by PCI. Halcyon products run natively on the IBM AS/400, iSeries, and System i and also support most other operating systems. This educational webinar covers these and more:
• Lock down the system by monitoring, controlling and securing access from external sources to IBM i
• Prevent users from accessing sensitive data but still enable them to do their jobs
• Be alerted to security breaches in real-time
• Monitor which screens users are accessing and what they are doing while they are there
• Reduce the workload of the help desk team e.g. for password reset requests
• Keep the auditors happy
Contact Curbstone for Scheduling
Why aren't US credit cards as safe as Europe's?
The U.S. credit card industry is losing $18 billion to preventable fraud, according to Brett King, CEO of Moven and best-selling technology futurist. The cause of this loss? The country is failing to adapt to European credit card standards.
King claims that American credit companies are not doing all they can to prevent massive credit card data breaches like recent incidents at Home Depot (HD), where 56 million customer credit and debit card accounts were compromised, or Target’s (TGT) breach, where 40 million card accounts were breached.
Chip and PIN technology helps to prevent this fraud, and many credit card companies are slowly beginning to adopt it instead of magnetic stripes. King, however, believes credit card companies need to employ tokenization. “What we now realize is that the 16-digit number that you have on the front of your card is no longer securable. You can’t protect it,” says King. CVVs and other security numbers on the back of the card are also failing to protect the consumer from fraud.
Banks are gearing up for a big fight with retailers over who covers the cost of cyber attacks, after they paid most of the bill for breaches that they blamed on retailers’ own security deficiencies.
In a rare show of unity, industry bodies that represent banks are banding together to urge lawmakers to introduce legislation that would force retailers to pay for the clean-up themselves during the new session of Congress next year...
“This is an equity argument,” said Cam Fine, head of the Independent Community Bankers of America, which has about 5,000 members. “If it was Home Depot’s data security system that was breached, shouldn’t they have to reimburse banks for all of the costs since it wasn’t the banks’ fault? That’s just common sense.”
From the Financial Times.
By Joe Musitano, Nov 7, 2014 11:47:39 AM
Don’t get intimidated by this new “EMV” term. As an IBM customer, you are likely used to lots of acronyms. Of the AS/400, the AS was for Application System. And with System i, the i stands for... Back to EMV, which stands for Europay, Mastercard, and Visa...
It’s actually pretty simple to understand – even if you’re not a techie. EMV is a fancy jargon term that describes a new payment processing technology. You might also hear about “chip cards,” “chip and PIN,” and “chip and signature” – they all refer to the same thing.
The term “EMV” comes from the developers of this technology – Europay, Mastercard, and Visa. Some credit/debit cards already use this technology (it’s widely used in Europe and Canada). EMV simply uses a small microprocessor that’s embedded into your credit or debit card. Banks and credit card companies want you to use them because they’re more secure than magnetic stripe cards.
For now, most cards in the U.S. do not have this embedded microprocessor. Some cards will have both a magnetic stripe and a microprocessor, and eventually magnetic stripes will go away entirely. In October 2015 there is a chargeback liability shift from the issuing bank to merchants that do not accept EMV technology. Just keep in mind that this date will come and go for most merchants, as they have a low incidence of chargebacks today. But for merchants that are fraud targets or have high-ticket items that can be easily resold on the streets, October 2015 becomes more meaningful.
The PCI has released a brand new document on implementing an awareness program and it is really good.
While the IBM iSeries AS/400 comes out of the box with the industry's best security, employing it requires active management. The PCI has developed the world-class "Best Practices" standards from which you can build your strategy. Take advantage of the FREE resource.
In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place, or as a minimum benchmark for those with existing programs that require revisions to:
- Meet PCI DSS requirements;
- Address the quickly and ever-changing data security threat environment;
- Reinforce the organization’s business culture.
Establishing and maintaining information-security awareness through a security awareness program is vital to an organization’s progress and success. A robust and properly implemented security awareness program assists the organization with the education, monitoring, and ongoing maintenance of security awareness within the organization.
This guidance focuses primarily on the following best practices:
Two-factor authentication is generally seen as the safest bet for protecting your Gmail account. But a harrowing tale from indie developer Grant Blakeman, whose Instagram was hacked through Gmail, reveals how not even two-factor authentication can beat every security threat.
"The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account."
After the post appeared on Hacker News, more details emerged about how easy it is to bypass security questions through cell providers. As commenter jasonisalive—who works for a provider—put it, service reps often receive commissions based on customer satisfaction, creating "a constant tension between providing a good customer experience and protecting security and privacy."
Which means a choice between upholding privacy standards and pissing off his customers. "So where do you draw the line between customer support and customer security without either enraging real customers or allowing people to illegally access customer accounts?," asked another reader.
It's a rough start for an app that aims to be a competitor to Apple Pay and Google Wallet.
On Wednesday, those taking part in the CurrentC pilot program received a warning from the consortium of anti-credit-card retailers called MCX, or Merchant Consumer Exchange: The program was hacked in the last 36 hours, and criminals managed to grab the email addresses of anyone who signed up for the program.
MCX confirmed the hack, adding what's become a go-to line for any company that loses your data: "We take the security of our users' information extremely seriously."
Focused on the IBM System i, iSeries, AS/400
Table of Contents
- Who is Curbstone?
- 30 Minute Webinar: TSYS Bumps Your Profits
- Apple Pay
- Comprehensive, Informative Article “PCI for i” at MCPress
- Download our WhitePaper: CAGE THE PCI BEAST
- Selected PCI Download Resources
- Your Personal Webinar on PCI Avoidance With Curbstone
- EMV by 2015
- Monitoring, consider Halcyon
- More Data Breaches
- Not yet a Customer?
- We are Golden, Says TSYS
- CorrectConnect (C3) Updates
Partner TSYS Increases Your Profit Margin .5 to 1.0%
Accept cards for payment of B2B sales? 30 Minute webinar shows a PAINLESS way to decrease charges on Corporate cards
TSYS has been a partner of Curbstone since our inception, and they have an intimate knowledge of transaction processing on the IBM AS/400, iSeries, and Power System on IBM i. Level III Cards are Corporate Purchasing Cards used primarily in B2B purchases, where the cardholder wants a record of the entire purchase electronically. They can create POs after-the-fact, for instance, so they save money and monitor their purchases better. Passing Level III data with Curbstone and partner TSYS can increase the margin on your sales by 0.5% to 1.0% on Corporate, Business, and Purchasing Card transactions.
Curbstone’s 30 minute LEVEL III webinar will cover ALL of the important topics.
TSYS is a Curbstone Partner who has expertise in supporting merchants based on the IBM i and iSeries AS/400.
The cyber criminal ecosystem has a new tool in its arsenal called Voxis
The Voxis Platform is a payment gateway application which can send batches of stolen card charges to multiple gateway processors automating their returns before acquiring banks can catch any illegal activity.
Applications of this kind are in demand right now because the large payment card data breaches at U.S. retailers like Target and Home Depot have flooded the underground market with stolen credit card data that criminals want to monetize quickly.
The Voxis Platform is built to emulate human behavior and avoid detection by anti-fraud systems that are triggered when specific fraud patterns are recognized. In every online transaction we distinguish the following roles: the buyer, the seller, and the payment gateway.
As explained by IntelCrawler, the principal problem for the criminals is time: they have to complete the highest possible number of fraudulent charges before they're detected and their merchant accounts get closed.
The Voxis Platform speeds up this process, so criminals using it can make the highest possible number of fraudulent charges. On specialized forums the Voxis team claims that the software supports 32 different payment gateways and has been designed to emulate human interaction "to make it look like real humans are sending their credit card information to the payment gateways."
Most people assume a cashier's check or money order is the same as cash, but in the days of Photoshop and color laser printers, that's no longer the case, and crooks can produce very convincing copies of the real thing, from seemingly legitimate U.S. banks. Once the bogus checks are deposited, they must be cleared like any other check. Checks may appear to clear your bank within a couple of days, and those funds may appear "available" in your account, but in reality it may take another month or more for the bank to establish that a check is bogus, return it to you, and debit your account for that amount. By then, the money you transferred out of your account for "shipping" is long gone.
To avoid being a victim of a counterfeit cashier's check, law enforcement recommends the following steps:
- Inspect the cashier's check.
- Ensure the amount of the check matches in figures and words.
- Check to see that the account number is not shiny in appearance.
- Be watchful that the drawer's signature is not traced.
- Official checks are generally perforated on at least one side.
- Inspect the check for additions, deletions, or other alterations.
- Contact the financial institution on which the check was drawn to ensure legitimacy.
- Obtain the bank's telephone number from a reliable source, not from the check itself.
- Be cautious when dealing with individuals outside of your own country.
If you suspect you have received a counterfeit cashier's check, or you are being offered one, you can contact your local police, or you can call the U.S. Secret Service at (202) 406-5850. You can also write to: U.S. Secret Service, Financial Crimes Division, 950 H Street, NW, Washington, D.C. 20223, or file a complaint online at www.secretservice.gov/contact_fcd.shtml
Recently, PayPal has become a target for scammers. The phony buyer will ask for your PayPal ID in order to send you a payment, again for substantially more than the purchase price. Shortly after that, you will receive a fake confirmation from PayPal with your user ID for more than the agreed purchase price, and the buyer will contact you asking you to send the extra money to a shipper. To make the scam look more legit, if you refuse, you'll receive additional fake notices from PayPal threatening to close your account if you don't transfer the extra money as per your "agreement."
Thanks to Bill Hoidas 847-381-3482, our Partner at Matrix Payment Systems
As a huge proponent of Zend and their PHP on the System i, AS/400, Curbstone is pleased to see this report just out from our Zend friends.
Curbstone released the FIRST COMMERCIAL PHP Application for the iSeries, according to our contacts there! That is our Shopping Cart Pipeline (SCP) for the AS/400, and it is our most popular option for Curbstone Card (C2). We are moving the SCP to our CorrectConnect (C3) portal platform to provide the same popular Web Services API for our C3 customers. Our new transaction Portal is built on redundant IBM System i computers. As well, the front end of our Portal is coded in PHP for its exceptional scalability with secure connections from our customer sites. Our new Isolated Payment Terminal that offloads handling of sensitive card data is being crafted in PHP, as well.
As well, we worked with IBM and Zend on the porting of the Open Source Mantis Bug Tracker to use the DB2/400 database.
"The study found that PHP has evolved from its origins as a specific use language, and is now actively used to build applications of all shapes and sizes. Nearly half of enterprises use PHP in their business integration applications, while 64 percent use PHP in external applications and 62 percent use for internal apps."
No surprise, Zend PHP is enjoying huge interest from "System i" shops.
And our good friend, Timothy Prickett Morgan, Editor at IT Jungle, an AS/400-specific publication, adds quite a bit of background and valuable, first-person comments in his article http://www.itjungle.com/tfh/tfh102014-story03.html - One of the most interesting observations relates to the use of SQL:
"The database portion of the survey brought some surprises. For starters, 43 percent say they're running MySQL, the open source relational database from Oracle that is just the second database officially supported by IBM on the platform. While Oracle ceased developing MySQL running on IBM i a few years ago, Zend works with a company called Percona to do the work of ensuring MySQL continues to run on IBM System i.
But even more surprising is the fact that 67 percent of survey respondents say they're running SQL with DB2 for i, and only 37 percent say they're using the older DDL query engine that was originally developed for RPG (survey respondents could choose multiple databases). That tells Anderson, a database expert, that IBM System i shops are getting serious about modernization."
Download the informative report here: http://www.verizonenterprise.com/DBIR/2014/
Major finding: 92% of security incidents we analyzed are covered by just nine attack patterns
"We find it simply astounding that nine out of ten of all breaches observed by 50 global organizations over a full year can be described by nine distinct patterns.”
Read this comprehensive article at MCPress from our CTO that covers the i-specific considerations of accepting payments.
"Every business that accepts card data in any way is subject to the requirements of the PCI DSS, and the compliance requirements vary widely based on transaction volume, type of business, handling of the card data, and software applications."
"Some aspects of compliance are as simple as never storing magnetic stripe data or the card security code. Others are time-consuming, such as documenting every piece of infrastructure hardware, its firmware revision, and last update, and monitoring the logs of all systems on a periodic basis."
"10 Revealing Payment/Order Application Questions
1. Is your payment app validated to the Payment Application Data Security Standard (PA-DSS)?
2. Is a specific person assigned responsibility for handling all of the security compliance?
Online sales powerhouse, Adorama Camera, says:
"Adorama's newly enhanced order management systems have reduced processing fees by 12 basis points. "We couldn't be happier with the solution. Both Mastercard and Visa have lowered our costs per transaction as an incentive to take part in their authenticated payment programs," said Harry Drummer, special assistant to the president. "In addition, we estimate these programs have reduced fraudulent online purchases by more than five percent; our overall payback period was under five months."
Systems Services Incorporated, SSI, out of Baton Rouge, has been supporting this platform since 1979. As part of their practice, they are proficient in the implementation and operation of Curbstone products.
For additional valuable industry and Security info, connect with us at LinkedIn and Follow us. Enjoy links to insights from almost 1000 System i Professionals connected to Curbstone. https://www.linkedin.com/company/curbstone-corporation
Used with permission
One of the oldest integrators of Curbstone Software, and the products before it, is Mark, a TechnoWarrior from Legacy Consulting Services. His history with Curbstone's Founder's original products, ROI Card, JavaCard, and jCharge, makes him the most experienced integrator in the country for credit card processing. His specialty is JD Edwards software.
When naming systems at Curbstone, we select names that relate to rocks, stones, or elements. Our name refers to the borders of the streets that control and direct traffic, curbstones, just like our software controls and directs credit card traffic on your IBM iSeries, AS/400, or System i. Researching for a unique name, we found this interesting monetary history.
The official currency of Micronesia is the US dollar, but the island state of Yap uses an additional form of money: limestone discs, some of which weigh more than a car.
Rai, or stone money (Yapese: raay), are large, circular stone disks carved out of limestone formed from aragonite and calcite crystals. Rai stones were quarried on several of the Micronesian islands, mainly Palau, but briefly on Guam as well, and transported for use as money to the island of Yap. They have been used in trade by the Yapese as a form of currency.
From a post in LinkedIn http://lnkd.in/d_hwpWB "IBM i no longer a category for IBM Redbooks"
On the topic of AS/400 population, future of RPG, and migration
What a great exchange above. Lots of wisdom being shared by such well-qualified people. Amazing that we have no independent knowledge about our own ecosystem. You would think that those committed to the platform would band together to speak with one voice. (COMMON??) We do not even know what our own population is, much less what the future holds from IBM. These fragmented "Groups" and forums are fine, but what we really need is a unified presence and a loud voice. Having access to the entire installed population would be a blessing for vendors like us, the users, IBM, consultants, everyone...
Working with an excellent marketing company, we learned that they have about 200K emails of AS/400 related people, and they estimate 80-100K companies with systems in the US. Their business is to manage and refine their list, and I lean toward their numbers.
As an ISV, we have historically delivered licensed, shrink-wrapped software directly to the customer. They install and run it locally. It performs as a Payment Server, talking directly to their card authorization network of choice and storing transactions securely, encrypted - locally.
We are flattered that job boards are listing knowledge of Curbstone Card as an employment requirement! Stumbled on this job listing at http://www.simplyhired.com/job/edi-analyst-job/hitky/sk2idjog3k
J. P. Morgan’s disclosure that hackers compromised the data of more than 76 million of its consumer patrons — and 7 million small business clients — may seem stunning.
But it reflects just a sliver of the withering bombardment the U.S. financial services sector has endured for at least the past three years.
Criminals go where the money is. And in this case, the most sophisticated, well-funded and determined cyber attackers have been relentlessly hammering on banks, fund managers, brokerage houses, stock exchanges and the like since at least 2011.
These cyber attacks against America’s financial infrastructure are sophisticated, well-funded and highly coordinated. The motive: simple greed, but also ideological fervor – and sometimes both. This is not something the financial sector cares to discuss publicly.
But make no mistake. Wall Street is expending enormous resources just to keep the attackers mostly in check. The result is that disclosures of major breaches, like the one J. P. Morgan was compelled to reveal in this terse SEC filing, occur only sporadically.
Stumbled on a CGIDEV2 (Easy400) forum post that was lauding the benefits of JetPayi5, purportedly "free" credit card software for the IBM AS/400, iSeries, and System i, that I have watched for many years.
Responded to a commercial (and a little inaccurate) post by someone about JetPay, and respectfully addressed the issues and contrasted it to our commercial software.
Was just informed that our post has caused our removal from the Group since we addressed a product that was a sponsor of the admin's site. Quote: "You cannot comment on the Easy400Group about a software owned by the site sponsor." So, read it here!
IMPORTANT NOTE: The web interface and other products on the web site http://Easy400.net are absolutely excellent. CGIDEV2 is legendary in performance, and the rest of the offered software is really great stuff. We have the highest respect for the products and efforts of the managing technician, as he has been a true gift to our platform.
... We are a vendor of native software for the AS/400 System i. The paragraph on JetPay is mostly accurate, except for one statement.
"The software is given free because it is being paid for by principal members of the major card companies."
The card companies do not ever "pay" anything to anyone. The only one who EVER pays for ANYTHING is the merchant. As a merchant, you pay for everything that you get in the rate that you pay. 100% of anything an ISO (Independent Sales Organization) or acquirer (the one you contract with for the processing service, like Jetpay) provides you is paid for in the fees you pay for processing. Nothing is free, and the card organizations are NOT benevolent.
With JetPay you do keep your bank into which the collected card money is deposited, but ALL processing networks will deposit the proceeds in the bank of your choice. That is called the "merchant depository bank" and any bank can be designated by any network to receive the funds.
Our software and services, funded directly by the merchant, supports major auth networks. The primary benefit is that you, the merchant, can SELECT the ISO or acquirer who provides the best rates and support.
If you accept a "free" software, you become a CAPTIVE AUDIENCE for that acquirer. Whatever they want to charge you will have to be acceptable, since you have such an investment in the integration and learning curve. Once the original contract expires in a year or two, you would be in a poor position to easily switch acquirers.
We believe this book to be so valuable to ALL iSeries shops that we include it for free with every copy of our software. It is an official part of our "PCI Implementation Guide" and the ultimate step-by-step guide to securing your System i.
Never realized how much software existed for card processing...
$$$ in the Bank (dial), $$$ on the Net (IP/Frame), .netCHARGE, 3 Per Technologies Inc., 911 Software, Ablecommerce.com, ACR 2000, ACR Systems, ADS Retail Systems, Agilysys (LMS/IAD), AJB Software Design, AMPS Descartes, Amps Wireless, Appropriate Solutions, Inc., Apriva Inc., ARC, ARGUS, Arcot Systems Inc., Ariel Technical Services, Inc, ARI-Service, Artema, ASCENT, Ascom Transport Systems, Atomic Gateway/iAuthorizer, Auric Systems, Authorize.Net, AuthPayX, AuthServ, AutoClerk, AutoGas, Beanstream Internet Commerce,
Big Red Wire, Bitel Co., LTD, Bluefin Payment Systems, BNA Smart Payment Systems, BridgePoint Systems, Caledon Computers, Camp Select, Cardinal Commerce, CB Technologies, CC Pay, Celerant Technology, Cerium Component Software, Inc., Charge Anywhere, ChargePort, Checkmate Electronics, Inc., Cheetah Medical Solutions, Citadel, Clarusys Inc, ClearCommerce Corporation, ClearTran, CN Express, Comdata, Compris Technologies, Inc., Compu-Touch, Comstar Interactive Corp, Counter Pro, CounterPoint, CPM, CR Software Inc, Credit OCX, Credit Pro v4.06, CRS Retail Systems, Curbstone Corporation, Cyberseats.com, CyberSource, Data Plane Inc., DataCap, Data tran,
2014 - For the tenth year in a row, IBM selects and recommends Curbstone as the sole native Payment Server for the AS/400 System i in their Developers' Road Atlas for the platform!
Enjoy these attached advisory alerts from Visa USA on the protection of merchant point of sale systems during the holiday season.
They were prepared in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the United States Secret Service (USSS), and the Retail Cyber Intelligence Sharing Center (R-CISC), and are aimed at retailers or companies that process financial transactions and manage "personally identifiable information" (PII).
This advisory is not intended to be a robust, all-inclusive list of procedures and the information contained in this advisory does not augment, replace or supersede requirements of PCI-DSS or other applicable security standards or practices.
The Tactics, Techniques, and Procedures discussed in this report include the following:
- Exploiting commercial application vulnerabilities
- Unauthorized access via remote access
- Email phishing
- Unsafe web browsing from computer systems used to collect, process, store or transmit customer information
Curbstone Presents - the American Road
Painting by Carl Rakeman
NOTE: My Father was born in 1899, and was 54 years old when I was born. As a young boy, I heard stories of the "old days". My Father told of how he navigated from New York to California on an Indian motorcycle just after World War I. He explained how they could ride in the rain when it was falling, as the drops seemed to help traction, but had to pull over when the road was just wet, in those areas where they had actual roads. One thing that stuck with me was his reference to all roads as "MACADAM". So I did some research on the subject. This is a compilation of that research, and at the time, I did not collect the sources, as I was just doing it for myself. Most of this appears to be gone now. ENJOY, and feel free to use any material you like.
The first macadam surface in the United States was laid on the "Boonsborough Turnpike Road" between Hagerstown and Boonsboro, Maryland. By 1822, this section was the last unimproved gap in the great road leading from Baltimore on the Chesapeake Bay to Wheeling on the Ohio River. Stagecoaches using the road in winter needed 5 to 7 hours of travel to cover 10 miles.