What Can Integrators Do to Enhance Clients' PCI Security?


PCI’s Qualified Integrators & Resellers (QIR)™ Program makes it easier for merchants to confidently deploy new security controls – and it also indicates your commitment to safeguard payment card data on their behalf.

As a trained PCI QIR you will gain these benefits:       

  • Achieve industry-recognized qualification
  • Differentiate yourself by demonstrating your commitment to payment card security and PCI compliance    
  • Be included on merchants’ go-to global list of qualified integrators and resellers
  • Receive specialized training from PCI SSC experts on guidelines for implementing and maintaining payment applications  
  • Earn CPE credits

The QIR training and qualification program provides you with the training and best practices to ensure a secure installation for your merchants. And it makes it easier for merchants to identify and engage integrators and resellers who are qualified to install their PA-DSS applications in a manner that facilitates PCI DSS compliance.   

As an integrator/reseller you play a key role in the payment ecosystem. Enroll in the QIR eLearning course today!

Keep payment data safe – we can help!

Prior to the 2015 EMV chip and PIN upgrade deadline, cybercriminals are expected to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.

Read these articles for more insights:

Data breach trends for 2015: Credit cards, healthcare records will be vulnerable

10 Predictions About the Data Breach Landscape in 2015 

Help your client secure their data - sign up for the QIR training course.  Enroll in this self-paced eLearning course and become a QIR today!


Everything you wanted to know about Credit Card processing...

Goal

The goal of this document is to help developers seamlessly integrate electronic payment systems (EPS) into their applications correctly. These applications can be traditional thick client solutions or web based n-tier server solutions.

Curbstone specializes in the deployment of very thin client solutions using REMOTE TOKENIZATION for companies based on the IBM Power System running the IBM "i" Operating System.  These three solutions use a locally-run very thin client to send non-sensitive card transaction data to the Curbstone Portal.  Using three different technologies, that non-sensitive data is married with the Card Number, Expiration Date, and Security Code to perform authorizations.

The Primary goal of Curbstone was to remove ALL EXISTING COMPUTING INFRASTRUCTURE FROM THE SCOPE OF PCI REPORTING.  This means that nothing that currently exists can touch sensitive card data.  The reason is that an audit on a very isolated, purpose-built system is WAY easier than auditing the entire computing infrastructure.  The audits are quicker, easier, and more meaningful.  The points of intrusion are reduced exponentially, reducing risk of sensitive data loss.

The Secondary goal of Curbstone was to provide REAL-TIME, SEAMLESS INTEGRATION with Order Entry applications that run on the IBM i operating system.  The very thin client of Curbstone's CorrectConnect (C3) provides the contact point on the system through which transactions are initiated.  Since it is native on the IBM Power System, the programs there, with some very easy programming, can talk directly to it and pass the required transaction fields.  Because the client is in real-time communication with the C3 Portal, those transactions are processed in a matter of seconds, returning the results to the client and then to the Order Entry application.
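As an added example (not Curbstone's code or API; the field names and the `card_token` reference are assumptions), the following Python guard enforces the scope boundary described above on the merchant side: the thin client forwards only an allow-list of non-sensitive order fields, and refuses to send the request if any of those fields contains a value with card-number length that passes the Luhn check, the usual sign that a PAN has been typed into a notes or reference field. The sample order data in the test is constructed for the example.

```python
import re
from typing import Dict, List

# Fields the thin client is allowed to forward (hypothetical names, not Curbstone's API).
# Anything outside this allow-list is never sent, whatever the order record contains.
ALLOWED_FIELDS = {"merchant_ref", "invoice", "amount", "currency", "card_token", "notes"}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(text: str) -> List[str]:
    """Return digit runs that have card-number length and pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_order(order: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each field that carries PAN-like data to the numbers found in it."""
    leaks = {}
    for name, value in order.items():
        hits = find_pan_like(str(value))
        if hits:
            leaks[name] = hits
    return leaks


def build_thin_client_request(order: Dict[str, str]) -> Dict[str, str]:
    """Keep only allowed fields and refuse to send anything that looks like a PAN."""
    request = {k: v for k, v in order.items() if k in ALLOWED_FIELDS}
    leaks = scan_order(request)
    if leaks:
        # Report field names only; never echo the suspected PAN into a log or error text.
        raise ValueError(f"PAN-like data in non-sensitive fields: {sorted(leaks)}")
    return request
```

The Luhn filter keeps ordinary 13-digit invoice numbers from tripping the check while still catching a real card number written with spaces or dashes; the error message names the offending field but deliberately not the number, so the guard itself does not become a place where cardholder data ends up in logs.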

The Third goal of Curbstone is to process transactions that are well-qualified, and avoid unnecessary downgrades and vulnerability to chargebacks.  This is done by selecting the correct transaction type, populating all of the required fields correctly, and processing the authorization and settlement in a timely manner.  While compromises must be made for required business processes, the goal is always to PAY THE LOWEST RATE!

Regardless of the application type, the integration needs to be done in a way that meets the financial industry requirements, the business process requirements, and the needs and usability requirements of the end-user of the application. Ideally, EPS should be done in a way that is invisible to the end-user of the application while providing the merchant the lowest possible processing rates.

These sound like obvious goals, but due to the convoluted nature of the payment industry and many developers’ lack of intimate understanding of it, these goals are seldom easily achieved. Developers often wish they could go back and redo an application knowing what they know after they finish. For this reason, it often takes several attempts to get it right. Many basic but important errors can be avoided through proper initial planning.  With Curbstone's UNLIMITED Implementation and Technical Support, we work hard to ensure the programmers are doing the correct things from the start.  With MANY hundreds of implementations, we have a mature and effective process to make this happen.

The objective of this guide is to give the developer the basic knowledge of the payment industry needed to augment the Curbstone guidance to “get it right the first time.”

Read more: Everything you wanted to know about Credit Card processing...

What are Carol's Favorite Security Things?

Security Expert, Carol Woodbury, of SkyView Partners, has published her FAVORITES list for 2014.

Favorite IBM i Report

My favorite IBM i report is the one generated from running Print User Profile (PRTUSRPRF) - or from running SkyView's Risk Assessor product.  This report is actually four reports—all in the same spooled file. I use the first report to review users' group membership, special authority assignments, and limited capability setting. The second report lists configuration information such as the users' initial menu and initial program. The third report is useful in determining whether a profile has a password, the password last changed date, and the users' last sign-on date. (This shows when an organization is using the IBM-supplied profiles for inactive sign-on.) The last report is helpful when moving the system between password levels.

Favorite Security Report 

I couldn't choose. I have two favorite reports. Verizon's Data Breach Investigations Report and the Ponemon Institute's Cost of Data Breach Report. Both reports are enlightening and show the trends of hacks and breaches.

[ CLICK HERE to read the rest! ]

Halcyon 2014 Best Tips Recap

We hope you've enjoyed the IBM System i (iSeries) Tips and Techniques we've sent out during 2014. In case you missed them - here is a quick refresh of Halcyon's most popular tips.

Quick Wins for Managing IBM i Disk Space

Prevent storage issues impacting the availability of your IBM System i by using Halcyon Software’s flexible alerting.

Although the QSYSOPR message queue provides a valuable warning message once an Auxiliary Storage Pool (ASP) threshold has been breached, in reality it is of limited use. The message only appears hourly and offers no time-based awareness or ability to define multiple warning thresholds.

Halcyon Software has built upon this operating system functionality by introducing 3 powerful features:

  • Threshold Alerting
  • Tiered Threshold Alerting
  • Intelligent Threshold Alerting
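The same three ideas can be expressed in a few lines of code. The following is an added example, not Halcyon's software or its configuration format; the tier names, thresholds, sampling interval and the readings used in the test are assumptions. It raises an alert only when utilisation crosses into a different tier, rather than repeating every hour as the QSYSOPR message does, and attaches a projected time-to-full computed from recent growth, which is one reading of what "intelligent" threshold alerting means.

```python
from typing import List, Optional, Tuple

# Tier names and thresholds are assumptions for this example, not Halcyon's defaults.
DEFAULT_TIERS: List[Tuple[float, str]] = [(80.0, "WARNING"), (90.0, "HIGH"), (95.0, "CRITICAL")]


class AspMonitor:
    """Tiered ASP threshold alerting with a simple growth projection.

    An alert is produced only when the utilisation moves into a different
    tier (up or down); repeated readings inside the same tier stay silent.
    """

    def __init__(self, tiers=DEFAULT_TIERS, interval_min: int = 15, window: int = 8):
        self.tiers = sorted(tiers)
        self.interval_min = interval_min   # sampling interval of the readings, in minutes
        self.window = window               # number of readings kept for the growth estimate
        self.history: List[float] = []
        self.current_tier: Optional[str] = None

    def tier_for(self, pct: float) -> Optional[str]:
        """Highest tier whose threshold the reading reaches, or None below all of them."""
        name = None
        for threshold, tier in self.tiers:
            if pct >= threshold:
                name = tier
        return name

    def growth_per_hour(self) -> float:
        """Average change in percent per hour over the retained window."""
        if len(self.history) < 2:
            return 0.0
        span_hours = (len(self.history) - 1) * self.interval_min / 60.0
        return (self.history[-1] - self.history[0]) / span_hours

    def hours_to_full(self) -> Optional[float]:
        """Projected hours until 100%, or None when usage is flat or shrinking."""
        growth = self.growth_per_hour()
        if growth <= 0:
            return None
        return (100.0 - self.history[-1]) / growth

    def observe(self, pct: float) -> Optional[str]:
        """Record one reading; return alert text only when the tier changes."""
        self.history.append(pct)
        self.history = self.history[-self.window:]
        tier = self.tier_for(pct)
        if tier == self.current_tier:
            return None                    # same tier as last time: no repeated alert
        self.current_tier = tier
        if tier is None:
            return f"CLEARED: ASP at {pct:.1f}%"
        msg = f"{tier}: ASP at {pct:.1f}%"
        eta = self.hours_to_full()
        if eta is not None and eta < 24:
            msg += f", projected full in {eta:.1f} h at current growth"
        return msg
```

Feeding readings from a scheduled job into `observe()` gives one message per tier crossing plus a clear-down message, which is what an operator wants to see in a message queue instead of an hourly repeat of the same warning.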

Learn More >>


Read more: Halcyon 2014 Best Tips Recap

Senate focuses on finance industry security

The government is looking to coordinate efforts to better prevent and respond to future finance industry hacks.

In the aftermath of a massive hacking attack on several banks this summer, the Senate Banking Committee will hold a hearing on Wednesday about protecting the finance industry from cyber crime.

High-ranking federal officials from the Federal Bureau of Investigation, the Secret Service, the Treasury Department and the Department of Homeland Security are scheduled to appear. The meeting is expected to focus on ways that the various federal agencies can better coordinate with one another in their efforts to prevent and respond to cyber attacks in the financial sector.

Political leaders are focusing on the issue after news in August that hackers hit JPMorgan Chase JPM 2.15% and several other banks in a massive cyber attack. JPMorgan later revealed that the attack compromised the accounts of 76 million households and 7 million small businesses, though the bank has said it has found no evidence of higher than normal instances of fraud or abuse of customer information.

[CLICK HERE to read the entire story...]

Penetration Testing Myths to Surprise You

By: Jennia Hizver, Consulting Practice Security Researcher and Consultant, AT&T

INTRO: Penetration tests are valuable for several reasons:

  • Determining feasibility of a particular set of attack vectors
  • Identifying higher-risk vulnerabilities resulting from a combination of lower-risk vulnerabilities exploited in a particular sequence
  • Identifying vulnerabilities that are difficult or impossible to detect with automated network or application vulnerability scanning software
  • Assessing magnitude of business and operational impacts of successful attacks
  • Testing ability of network defenders to successfully detect and respond to attacks
  • Providing evidence to support increased investments in security 

Over the years of my career as a penetration tester, I have encountered many myths and misconceptions regarding penetration testing, some of which I’d like to share with you:

Myth #1: Vulnerability scanning can identify all vulnerabilities in an organization’s environment, and hence, penetration tests are unnecessary.

Myth #2: Professional penetration testers use expensive commercial tools.

Myth #3: One system compromise has no effect on other systems.

Myth #4: Penetration testing focuses on production networks containing sensitive data.

Myth #5: Penetration testers use the same approach and are likely to uncover the same issues.

CLICK HERE to read the entire article

Key insights

  1. Penetration testing helps companies identify weaknesses in their IT environment.
  2. In spite of many myths, penetration testing provides valuable insight.

FBI warns of 'destructive' malware in wake of Sony attack


(Reuters) - The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment.

Cybersecurity experts said the malicious software described in the alert appeared to be the one that affected Sony, which would mark the first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.

"I believe the coordinated cyberattack with destructive payloads against a corporation in the U.S. represents a watershed event," said Tom Kellermann, chief cybersecurity officer with security software maker Trend Micro Inc. "Geopolitics now serve as harbingers for destructive cyberattacks."

The five-page, confidential "flash" FBI warning issued to businesses late on Monday provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware.

http://www.reuters.com/article/2014/12/02/us-sony-cybersecurity-malware-idUSKCN0JF3FE20141202

Managed Security Services - Offload the Burden

Security Market "Truths" for the IBM iSeries System i

  • Security breaches & fear of data loss increased interest in Managed Security Services as a solution for organizations
  • Increasingly complex security requirements and compliance reporting requirements are forcing organizations to outsource reporting and monitoring to experts

Curbstone has been distributing the authoritative security book by Carol Woodbury of SkyView Partners for the last dozen years.  This organization has proven to be the leader in AS/400 security, and for the absolute proof, review some of the invaluable "Coffee with Carol" sessions [here]

To do security right requires tools, training, understanding of requirements, staff time and expertise. The problem is that you have limited resources.  Have a qualified, third-party expert handle security monitoring/reporting.

We introduced SkyView Managed Security Services as a turnkey solution for monitoring and reporting on System i, iSeries, AS/400, security.  We do the hard work, and summarize the details for you. You see the exceptions, not all the data.  You leverage SkyView Partners' expertise to keep track of your security for you, without burdening your staff.

I'd like to show you the details. Email me to hear more. I invite you to a webinar on why SkyView should do your security work for you.  Our goal is to become a trusted member of your team, dedicated to monitoring your security and reporting on compliance, resulting in valuable new insights.


John Vanderwall
Chairman, CEO and Co-Founder
SkyView Partners Inc.

425-458-4975 xt 718

john.vanderwall@skyviewpartners.com
www.skyviewpartners.com

Call to beta!

Curbstone CorrectConnect™ Beta Program

CLICK HERE for more details:    C3@Curbstone.com

Curbstone is deploying brand new technology that is based on an Internet portal to eliminate the requirement that the merchant store encrypted, tokenized data on their own iSeries, System i, AS/400.  This is part of four years of product planning and development that can ultimately take a Merchant completely out of PCI scope.  Let me re-state that:

TAKE A MERCHANT COMPLETELY OUT OF PCI SCOPE!  

This means that Curbstone's new technology can offload the "processing, storage, and transmission" of the cardholder data from the existing Merchant infrastructure, based on the IBM System i, iSeries, AS/400.

We are proud to announce that we have completed 14 Beta releases (as of 01/2015) of the client-side software for C3!  Shortly, we will release the first “Release Candidate”.  This tests the client-side software used by you, the Merchant, to connect to the C3 Portal. 

A Release Candidate means that all of the required functionality for release 1.0 is included.  Generally, no additional features will be added to a Release Candidate; only fixes will be performed to those key production features.  This Release Candidate (“RC”) will go out to a select few Beta sites for initial testing, then to a broader Beta population.  Once we have a high confidence in the RC, we will release it to our Independent Software Vendor (ISV) Partners, and they will use it to test their integration.  When their testing is complete, they will announce availability of their software that supports C3.  Curbstone will then schedule upgrade implementations for those customers according to the Master Implementation Queue.  


PCI, System i, and Your Corporate Wallet

A White Paper about security, and reducing the charges a merchant pays for credit card processing, as it affects users of the IBM Midrange System i, iSeries and AS/400.

Executive Summary

Acceptance of debit and credit cards is a growing requirement for businesses of all sizes.  Our focus here is on merchants accepting payment cards who base their operations on the IBM AS/400, iSeries, and now, System i.

Since 2005, the Payment Card Industry Security Standards Council (PCI) has imposed strict mandates, the Data Security Standards (DSS), to ensure the security of the computer systems that PROCESS, TRANSMIT, and/or STORE sensitive credit card data.

Every business that accepts card data in any way is subject to the requirements of the PCI DSS, and the compliance ranges widely based on transaction volume, type of business, handling of the card data, and software applications.  At the top end, a company could be required to have a third-party Qualified Security Auditor (QSA) who has been certified by the PCI, to perform an on-site, extensive analysis of your operation and systems.  Another challenge is to find auditors who are familiar with the strengths of the IBM iSeries AS/400.  The cost of these expensive and time consuming audits can be controlled by partnering with an experienced organization with appropriate expertise.

Meeting these ever-intensifying PCI DSS mandates poses unique challenges to companies whose main business system is the IBM Midrange AS/400, System i.

Read more: PCI, System i, and Your Corporate Wallet

Recurring? An iSeries of 8 Reasons

So many of our customers are MOTO, and B2B, as that is typical for merchants on the IBM iSeries AS/400.  

While recurring charges may be considered more typical of B2C, consider the following 8 points.  

Should you charge one yearly sum, monthly, or even more frequent than that?

Ultimately, you have to make that decision for yourself. But in general, recurring billing works better for businesses than single, lump-sum payments.  Giving your customers this payment option can give you these benefits:

1. Earn more business:

Customers in general are more willing to pay a low fee multiple times instead of a lump fee a single time. Plus, "set it and forget it" pays in the end, because it is out of sight and out of mind for the consumer.

2. Manage your business more easily:

Instead of riding big waves and fighting through the lean times, you get a more even income stream throughout the year. It makes managing your business so much simpler.

3. Avoid contracts and get more sales:

If you charge a recurring fee, you can have customers sign up for your services via a subscription-based model. With fewer hoops to jump through, prospects are more willing to sign up for your services.

4. You can offer custom pricing plans:

If your customers pay a lump sum, do they have the option to customize the way they pay for your services? It’s easier to show them what they pay for and what they get when you use recurring billing.

Read more: Recurring? An iSeries of 8 Reasons

Apple Pay, Why TSYS Believes

Bill Lodes, TSYS Director of Developer Partnerships

Mobile payments, introduced years ago as the next revolution in payments, might finally be here with the launch of Apple Pay™, and it might just have the best chance for adoption yet.

Why Apple® will succeed.

Apple’s presence in the payments space will pose a tremendous impact on not just businesses and consumers, but also global behavior. Historically, Apple has been a great influencer of consumer behavior – just look at the role the iPod® played in transforming the way we listen to music. Apple is entering the world of payments with the same intention, positioned to change the way we live our lives.

Apple’s mobile payment solution will rise above the rest and is sure to help VARs acquire more customers. Here’s why:

When Apple Pay was announced on Sept. 9, 2014, it brought along a tremendous amount of support behind the new offering. Apple knew mobile payments had been introduced by others previously, and was aware of the adoption obstacles it had experienced. Changing consumer behavior would be a major challenge, but Apple knew they brought a different dynamic to this fight. With Apple’s 800 million iTunes® accounts they felt they had a leg up on the adoption curve, and planned to use that to their advantage. They also knew these accounts were only a piece of the pie, and to ensure success they would need to add brand recognizable players into the mix. Teaming up with several large retailers, established banks, card brands and a select list of proven processors like TSYS, they would be able to hit the ground running.

Apple created a foundation of advantages few before them were able to achieve, and now needed the vehicle to enable this opportunity. The introductions of the iPhone® 6 and iPhone 6 Plus took the launch of Apple Pay above and beyond other efforts. Built on a password-less authentication framework, TouchID™ enables secure payments via Apple ID without the hassle of trying to type in payments details. With the upcoming EMV liability shift in October 2015, Apple has seemingly hit the mark on security.

[Read the rest, Click Here]

When Pigs Fly...

"Computers in the future may weigh no more than 1.5 tons."

--Popular Mechanics, forecasting the relentless march of science, 1949


"I think there is a world market for maybe five computers."

--Thomas Watson, chairman of IBM, 1943


"I have traveled the length and breadth of this country and talked with the best people, and I can assure you that data processing is a fad that won't last out the year."

--The editor in charge of business books for Prentice Hall, 1957


"But what ... is it good for?"

--Engineer at the Advanced Computing Systems Division of IBM, 1968, commenting on the microchip.


"There is no reason anyone would want a computer in their home."

--Ken Olson, president, chairman and founder of Digital Equipment Corp., 1977


 "This 'telephone' has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us."

--Western Union internal memo, 1876.


"The wireless music box has no imaginable commercial value. Who would pay for a message sent to nobody in particular?"

--David Sarnoff's associates in response to his urgings for investment in the radio in the 1920s.


"The concept is interesting and well-formed, but in order to earn better than a 'C,' the idea must be feasible."

--A Yale University management professor in response to Fred Smith's paper proposing reliable overnight delivery service. (Smith went on to found Federal Express Corp.)


Read more: When Pigs Fly...

Intelligent Approach to IBM i Security

Our partners at Halcyon are experts in System i monitoring and alerts.

Their suite provides the majority of the monitoring that is dictated by the PCI.  Halcyon products run natively on the IBM AS/400, iSeries, and System i and also support most other operating systems.  This educational webinar covers these and more:

  • Lock down the system by monitoring, controlling and securing access from external sources to IBM i
  • Prevent users from accessing sensitive data but still enable them to do their jobs
  • Be alerted to security breaches in real-time
  • Monitor which screens users are accessing and what they are doing while they are there
  • Reduce the workload of the help desk team, e.g. for password reset requests
  • Keep the auditors happy

Contact Curbstone for Scheduling

Horrifying Chart

From our friends at the Privacy Rights Clearinghouse, as reported by Bloomberg, we can see the scary impact of the data breaches up to the most recent.  This is just a thumbnail, click through to the full article to see the entirety of the horror!


Read more: Horrifying Chart

Brett King's $18B Question

Why aren't US credit cards as safe as Europe's?

The U.S. credit card industry is losing $18 billion to preventable fraud, according to Brett King, CEO of Moven and best-selling technology futurist. The cause of this loss? The country is failing to adapt to European credit card standards.

King claims that American credit companies are not doing all they can to prevent massive credit card data breaches like recent incidents at Home Depot (HD), where 56 million customer credit and debit card accounts were compromised, or Target’s (TGT) breach, where 40 million card accounts were breached.

Chip and pin technology helps to prevent this fraud, and many credit card companies are slowly beginning to adopt this instead of magnetic stripes. King, however, believes credit card companies need to employ tokenization. “What we now realize is that the 16-digit number that you have on the front of your card is no longer securable. You can’t protect it,” says King. CVV’s and other security numbers on the back of the card are also failing to protect the consumer from fraud.

[Read more at finance.yahoo.com]

Banks vs. Retailers: Who foots cyber attacks bill?


Banks are gearing up for a big fight with retailers over who covers the cost of cyber attacks, after they paid most of the bill for breaches that they blamed on retailers’ own security deficiencies.

In a rare show of unity, industry bodies that represent banks are banding together to urge lawmakers to introduce legislation that would force retailers to pay for the clean-up themselves during the new session of Congress next year...

“This is an equity argument,” said Cam Fine, head of the Independent Community Bankers of America, which has about 5,000 members. “If it was Home Depot’s data security system that was breached, shouldn’t they have to reimburse banks for all of the costs since it wasn’t the banks’ fault? That’s just common sense.”

From Financial Times:  [Click HERE for the entire article]

Is EMV Enough?

By Joe Musitano, Nov 7, 2014 11:47:39 AM


Don’t get intimidated by this new “EMV” term. As an IBM customer, you are likely used to lots of acronyms.  Of the AS/400, the AS was for Application System.  And with System i, the i stands for...  Back to EMV, which stands for Europay, Mastercard, and Visa...

It’s actually pretty simple to understand – even if you’re not a techie.  EMV is a fancy jargon term that describes a new payment processing technology. You might also hear about “chip cards,” “chip and PIN,” and “chip and signature” – they all refer to the same thing.

The term “EMV” comes from the developers of this technology – Europay, Mastercard, and Visa. Some credit/debit cards already use this technology (it’s widely used in Europe and Canada). EMV simply uses a small microprocessor that’s embedded into your credit or debit card. Banks and credit card companies want you to use them because they’re more secure than magnetic strip cards. 

For now, most cards in the U.S. do not have this embedded microprocessor. Some cards will have both a magnetic strip and a microprocessor, and eventually magnetic strips will go away entirely.  There is a chargeback liability shift to merchants from the issuing bank for not accepting EMV technology in October 2015. Just keep in mind that this date will come and go for most merchants, as they have a low incidence of chargebacks today. But for merchants that are fraud targets or have high ticket items that can be easily resold on the streets, then October 2015 becomes more meaningful.

SOLUPAY Webinar Makes Merchants Money


WEBINAR: How Can “Level III” REDUCE your Card Processing Fees?

30 Minute Webinar introduces a new way for Curbstone merchants to save money

WHAT IS LEVEL III AND WHY DO I CARE?

Level I – common transaction - Card number (PAN), Expiration, Amount, Invoice#...

Level II – Level I data + four:  Destination Zip, Customer PO#, Tax, Tax flag

Level III – Full line item detail, basically an entire EDI 850/857 

Level III Cards are Corporate Purchasing Cards used primarily in B2B purchases, where the cardholder wants a record of the entire purchase electronically.
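As an added example (not Curbstone's or Solupay's code; the field names, the line-item fields and the sample transactions in the test are assumptions), the following Python check determines the highest data level a transaction payload qualifies for and lists the fields it still lacks. This is the pre-flight validation that the third goal earlier on this page calls for: populating all required fields so the transaction is not downgraded. The card number is carried as a token, consistent with the tokenized model described above.

```python
from typing import Any, Dict, List

# Field names are hypothetical for this example. The card number travels as a
# token because the merchant system should never hold the PAN itself.
LEVEL1_FIELDS = ["card_token", "expiration", "amount", "invoice"]
LEVEL2_EXTRA = ["destination_zip", "customer_po", "tax", "tax_flag"]
# Level III is "full line item detail"; these are the minimum per-line fields assumed here.
LINE_ITEM_FIELDS = ["description", "quantity", "unit_price", "line_total"]


def _present(record: Dict[str, Any], name: str) -> bool:
    """A field counts as populated only when it exists and is not empty."""
    value = record.get(name)
    return value is not None and value != ""


def missing_line_item_fields(txn: Dict[str, Any]) -> List[str]:
    """Return 'line_items[i].field' for every line item field that is absent."""
    items = txn.get("line_items") or []
    if not items:
        return ["line_items"]
    missing = []
    for i, item in enumerate(items):
        for f in LINE_ITEM_FIELDS:
            if not _present(item, f):
                missing.append(f"line_items[{i}].{f}")
    return missing


def missing_for_level(txn: Dict[str, Any], level: int) -> List[str]:
    """List the fields still required for the transaction to qualify at `level`."""
    required = list(LEVEL1_FIELDS)
    if level >= 2:
        required += LEVEL2_EXTRA          # Level II = Level I data plus four fields
    missing = [f for f in required if not _present(txn, f)]
    if level >= 3:
        missing += missing_line_item_fields(txn)
    return missing


def qualification_level(txn: Dict[str, Any]) -> int:
    """Highest data level the payload qualifies for; 0 when even Level I is incomplete."""
    level = 0
    for candidate in (1, 2, 3):
        if missing_for_level(txn, candidate):
            break
        level = candidate
    return level
```

Running `missing_for_level(txn, 3)` before submitting a corporate or purchasing card transaction tells the integrator exactly which line item or Level II field the Order Entry application failed to pass, which is far cheaper to fix at integration time than to discover later as a downgraded interchange rate.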

Passing Level III data with Curbstone - and partner Solupay - can PAINLESSLY increase the margin on your sales by 0.5% to 1.00% on Corporate, Business, and Purchasing Card transactions. 

This 30 minute webinar will cover ALL of the important topics.  JOIN US

Click an e-mail address below to request your presentation: 

Tom Clearman 
tom at curbstone dot com
888-874-1212

Bill Peters
bill.peters at solupay dot com
678-248-2283

Solupay is a Curbstone Partner who has expertise in supporting merchants based on the IBM System i and iSeries AS/400. Note that as is the policy for all Curbstone Partners, Curbstone does not receive any fees or commissions from Solupay, so they are able to provide the best pricing and service to Curbstone customers.

Implement an iSeries Security Awareness Program

The PCI has released a brand new document on implementing an awareness program and it is really good.

While the IBM iSeries AS/400 comes out of the box with the industry's best security, employing it requires active management.  The PCI has developed the World Class "Best Practices" standards from which you can build your strategy.  Take advantage of the FREE resource.

In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place, or as a minimum benchmark for those with existing programs that require revisions to:

  • Meet PCI DSS requirements;
  • Address the quickly and ever-changing data security threat environment;
  • Reinforce the organization’s business culture.

Establishing and maintaining information-security awareness through a security awareness program is vital to an organization’s progress and success. A robust and properly implemented security awareness program assists the organization with the education, monitoring, and ongoing maintenance of security awareness within the organization.

This guidance focuses primarily on the following best practices:

Read more: Implement an iSeries Security Awareness Program

Surcharge! Merchants Make More Money

How to Increase Profit Margins with Surcharging

By Jayme Moss, Oct 31, 2014 4:26:10 PM


For some businesses and industries, adding credit card surcharges to purchases can prove to be a huge help to the bottom line of that business.  Since we can easily embed these business processes in the code on our iSeries AS/400, merchants on the most popular midrange business platform can easily boost their profits.  

Regulated merchants with already low profit margins, such as liquor stores, have historically preferred or even required cash only for transactions involving liquor.  Why?  For instance, in Ohio, the Department of Commerce, Division of Liquor Control, caps profits for liquor stores at roughly 5%.  Once you add in the expense of credit cards, the margins practically evaporate.  To survive, these businesses need to rely on higher margin items such as beer, wine and even candy bars to operate profitably.

[Read more on surcharging]

Solupay is a Curbstone Partner who has expertise in supporting merchants based on the IBM System i and iSeries AS/400. Note that, as is the policy for all Curbstone Partners, Curbstone does not receive any fees or commissions from Solupay, so they are able to provide the best pricing and service to Curbstone customers.

Social Engineering Breaks 2FA

Two-factor authentication is generally seen as the safest bet for protecting your Gmail account. But a harrowing tale from indie developer Grant Blakeman, whose Instagram was hacked through Gmail, reveals how not even two-factor authentication can beat every security threat.

"The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account."

After the post appeared on Hacker News, more details emerged about how easy it is to bypass security questions through cell providers. As commenter jasonisalive—who works for a provider—put it, service reps often receive commissions based on customer satisfaction, creating "a constant tension between providing a good customer experience and protecting security and privacy."

Which means a choice between upholding privacy standards and pissing off his customers. "So where do you draw the line between customer support and customer security without either enraging real customers or allowing people to illegally access customer accounts?" asked another reader.

From Gizmodo

Just in - CurrentC gets hacked!


It's a rough start for an app that aims to be a competitor to Apple Pay and Google Wallet.

On Wednesday, those taking part in the CurrentC pilot program received a warning from the consortium of anti-credit-card retailers called MCX, or Merchant Consumer Exchange: The program was hacked in the last 36 hours, and criminals managed to grab the email addresses of anyone who signed up for the program.

MCX confirmed the hack, adding what's become a go-to line for any company that loses your data: "We take the security of our users' information extremely seriously."


[Read more HERE]


Concise, informative Whitepaper

Newsletter 2014-10

Focused on the IBM System i, iSeries, AS/400

Table of Contents


Partner SOLUPAY Increases Your Profit Margin .5 to 1.0%

Accept cards for payment of B2B sales?  30 Minute webinar shows a PAINLESS way to decrease charges on Corporate cards

Solupay has been a partner of Curbstone since their inception, and they have an intimate knowledge of transaction processing on the IBM AS/400, iSeries, and System i.  Level III Cards are Corporate Purchasing Cards used primarily in B2B purchases, where the cardholder wants a record of the entire purchase electronically. They can create POs after-the-fact, for instance, so they save money and monitor their purchases better.  Passing Level III data with Curbstone and partner Solupay can increase the margin on your sales by 0.5% to 1.0% on Corporate, Business, and Purchasing Card transactions.

Curbstone’s 30 minute LEVEL III webinar will cover ALL of the important topics.

CLICK HERE to schedule YOUR webinar.



Read more: Newsletter 2014-10

What is VOXIS, and why you should be scared, very scared

From: securityaffairs.co

The cyber criminal ecosystem has a new tool in its arsenal called Voxis.

The Voxis Platform is a payment gateway application which can send batches of stolen card charges to multiple gateway processors automating their returns before acquiring banks can catch any illegal activity.

Applications of this kind are in high demand right now because the large payment card data breaches at U.S. retailers like Target and Home Depot have flooded the underground market with stolen credit card data that criminals want to monetize quickly.

The Voxis Platform is an effective instrument for emulating human behavior and evading anti-fraud systems that are triggered when specific fraud patterns are recognized. Every online transaction involves three roles: the buyer, the seller and the payment gateway.

As explained by IntelCrawler, the principal problem for the criminals is time: they have to complete the highest possible number of fraudulent charges before they are detected and their merchant accounts get closed.

The Voxis Platform speeds up this process, letting criminals make the highest possible number of fraudulent charges. On specialized forums the Voxis team claims that the software supports 32 different payment gateways and has been designed to emulate human interaction "to make it look like real humans are sending their credit card information to the payment gateways."

[Read more on VOXIS]


EMV - 4 Must Reads

Notes from our friend Joe Musitano at Solupay:

"We reported earlier this week the news that ABI Research has forecasted 575 million U.S. payment cards will feature EMV by 2015, and Global EMV card shipments are expected to total more than 3 billion by 2019. With all the publicity this has garnered, we wanted to share with you 4 must read items regarding EMV and EMV Security:"

Joe has selected 4 great short articles.

Point to Point Encryption

As mentioned in the earlier post this week entitled "The Number One Reason You Need EMV,"  -  CLICK HERE TO CONTINUE READING THIS

Card Present Transactions

The added protection that EMV chip cards bring only affects those merchants that are doing "card present" transactions.  CLICK HERE TO CONTINUE READING THIS

Card Not Present Transactions

For those of you that only do "card not present" transactions (such as e-commerce, mail order, or telephone order), EMV... CLICK HERE TO CONTINUE READING THIS

A New Style of Transaction

An EMV style of credit card transaction (in case you have not done one yet) is very different at the checkout counter.  CLICK HERE TO CONTINUE READING THIS


Trust a Cashier Check?

Most people assume a cashier's check or money order is the same as cash, but in the days of Photoshop and color laser printers, that's no longer the case, and crooks can produce very convincing copies of the real thing, from seemingly legitimate U.S. banks. Once the bogus checks are deposited, they must be cleared like any other check. Checks may appear to clear your bank within a couple of days, and those funds may appear "available" in your account, but in reality it may take another month or more for the bank to establish that a check is bogus, return it to you, and debit your account for that amount. By then, the money you transferred out of your account for "shipping" is long gone.


To avoid being a victim of a counterfeit cashier's check, law enforcement recommends the following steps:

  • Inspect the cashier's check.
  • Ensure the amount of the check matches in figures and words.
  • Check to see that the account number is not shiny in appearance.
  • Be watchful that the drawer's signature is not traced.
  • Official checks are generally perforated on at least one side.
  • Inspect the check for additions, deletions, or other alterations.
  • Contact the financial institution on which the check was drawn to ensure legitimacy.
  • Obtain the bank's telephone number from a reliable source, not from the check itself.
  • Be cautious when dealing with individuals outside of your own country.

If you suspect you have received a counterfeit cashier's check, or you are being offered one, you can contact your local police, or you can call the U.S. Secret Service at (202) 406-5850. You can also write to: U.S. Secret Service, Financial Crimes Division, 950 H Street, NW, Washington, D.C. 20223, or file a complaint online at www.secretservice.gov/contact_fcd.shtml 


PayPal Variation

Recently, PayPal has become a target for scammers. The phony buyer will ask for your PayPal ID in order to send you a payment, again for substantially more than the purchase price. Shortly after that, you will receive a fake confirmation from PayPal with your user ID for more than the agreed purchase price, and the buyer will contact you asking you to send the extra money to a shipper. To make the scam look more legit, if you refuse, you'll receive additional fake notices from PayPal threatening to close your account if you don't transfer the extra money as per your "agreement."


Thanks to Bill Hoidas 847-381-3482, our Partner at Matrix Payment Systems  


Adopt a Zend! It's the popular thing...

As a huge proponent of Zend and their PHP on the System i, AS/400, Curbstone is pleased to see this report just out from our Zend friends.  

Curbstone released the FIRST COMMERCIAL PHP Application for the iSeries, according to our contacts there!  That is our Shopping Cart Pipeline (SCP) for the AS/400, and it is our most popular option for Curbstone Card (C2).  We are moving the SCP to our CorrectConnect (C3) portal platform to provide the same popular Web Services API for our C3 customers.  Our new transaction Portal is built on redundant IBM System i computers.  As well, the front end of our Portal is coded in PHP for its exceptional scalability with secure connections from our customer sites.  Our new Isolated Payment Terminal that offloads handling of sensitive card data is being crafted in PHP, as well.

As well, we worked with IBM and Zend on the porting of the Open Source Mantis Bug Tracker to use the DB2/400 database.

"The study found that PHP has evolved from its origins as a specific use language, and is now actively used to build applications of all shapes and sizes. Nearly half of enterprises use PHP in their business integration applications, while 64 percent use PHP in external applications and 62 percent use for internal apps."

No surprise, Zend PHP is enjoying huge interest from "System i" shops.

And our good friend, Timothy Prickett Morgan, Editor at IT Jungle, an AS/400-specific publication, adds quite a bit of background and valuable, first person comments in his article http://www.itjungle.com/tfh/tfh102014-story03.html - One of the most interesting observations relates to the use of SQL:

"The database portion of the survey brought some surprises. For starters, 43 percent say they're running MySQL, the open source relational database from Oracle that is just the second database officially supported by IBM on the platform. While Oracle ceased developing MySQL running on IBM i a few years ago, Zend works with a company called Percona to do the work of ensuring MySQL continues to run on IBM System i.

But even more surprising is the fact that 67 percent of survey respondents say they're running SQL with DB2 for i, and only 37 percent say they're using the older DDL query engine that was originally developed for RPG (survey respondents could choose multiple databases). That tells Anderson, a database expert, that IBM System i shops are getting serious about modernization."


Click HERE for Report on Zend Adoption in the Enterprise


Verizon Data Breach Report 2014

Download the informative report here:  http://www.verizonenterprise.com/DBIR/2014/

Major finding:  92% of security incidents we analyzed are covered by just nine attack patterns

"We find it simply astounding that nine out of ten of all breaches observed by 50 global organizations over a full year can be described by nine distinct patterns.”


HarrisData Partner

Many years ago, HarrisData, a premier ERP software vendor for over 40 years, selected Curbstone as their sole provider of a Credit Card Payment Server.  They interface to our software and take advantage of our secure tokenization.


Are you meeting the PCI Security standards?

Read this comprehensive article at MCPress from our CTO that covers the i-specific considerations of accepting payments.

"Every business that accepts card data in any way is subject to the requirements of the PCI DSS, and the compliance requirements vary widely based on transaction volume, type of business, handling of the card data, and software applications."

"Some aspects of compliance are as simple as never storing magnetic stripe data or the card security code. Others are time-consuming, such as documenting every piece of infrastructure hardware, its firmware revision, and last update, and monitoring the logs of all systems on a periodic basis."

"10 Revealing Payment/Order Application Questions
1. Is your payment app validated to the Payment Application Data Security Standard (PA-DSS)?
2. Is a specific person assigned responsibility for handling all of the security compliance?
..."

[Click here to read the whole article]

Reduce Fees, Fight Fraud like Adorama.com

Online sales powerhouse, Adorama Camera, says:

"Adorama's newly enhanced order management systems have reduced processing fees by 12 basis points. "We couldn't be happier with the solution. Both Mastercard and Visa have lowered our costs per transaction as an incentive to take part in their authenticated payment programs," said Harry Drummer, special assistant to the president. "In addition, we estimate these programs have reduced fraudulent online purchases by more than five percent; our overall payback period was under five months."

[Read more]


SSI Supports Curbstone

Systems Services Incorporated, SSI, out of Baton Rouge, has been supporting this platform since 1979.  As part of their practice, they are proficient in the implementation and operation of Curbstone products.


Link at LinkedIn

For additional valuable industry and Security info, connect with us at LinkedIn and Follow us.   Just click here!   Enjoy links to insights from almost 1000 System i Professionals connected to Curbstone.  https://www.linkedin.com/company/curbstone-corporation


MINCRON selects Curbstone for Payments

Premier ERP vendor, Mincron, is a full-service provider of complete wholesale distribution software systems. Our smart solutions, highest-quality development and unmatched support give distributors the business-specific tools and services they need to succeed.


Expiration?

[Comic, used with permission]

TechnoWarrior!

One of the oldest integrators of Curbstone Software, and the products before it, is Mark, a TechnoWarrior from Legacy Consulting Services.  His history with Curbstone's Founder's original products, ROI Card, JavaCard, and jCharge, make him the most experienced integrator in the country for credit card processing.  His specialty is JD Edwards software.  Visit him here.


Yap Rai - What's in a name?

When naming systems at Curbstone, we select names that relate to rocks, stones, or elements.  Our name refers to the borders of the streets that control and direct traffic, curbstones, just like our software controls and directs credit card traffic on your IBM iSeries, AS/400, or System i.  Researching for a unique name, we found this interesting monetary history.

The official currency of Micronesia is the US dollar, but the island state of Yap uses an additional form of money: limestone discs, some of which weigh more than a car.

Rai, or stone money (Yapese: raay), are large, circular stone disks carved out of limestone formed from aragonite and calcite crystals. Rai stones were quarried on several of the Micronesian islands, mainly Palau, but briefly on Guam as well, and transported for use as money to the island of Yap. They have been used in trade by the Yapese as a form of currency.

Read more: Yap Rai - What's in a name?

Future of the AS/400, iSeries, "i", whatever...

From a post in LinkedIn  http://lnkd.in/d_hwpWB  "IBM i no longer a category for IBM Redbooks"

On the topic of AS/400 population, future of RPG, and migration

What a great exchange above. Lots of wisdom being shared by such well-qualified people. Amazing that we have no independent knowledge about our own ecosystem. You would think that those committed to the platform would band together to speak with one voice. (COMMON??) We do not even know what our own population is, much less what the future holds from IBM. These fragmented "Groups" and forums are fine, but what we really need is a unified presence and a loud voice. Having access to the entire installed population would be a blessing for vendors like us, the users, IBM, consultants, everyone...

Working with an excellent marketing company, we learned that they have about 200K emails of AS/400 related people, and they estimate 80-100K companies with systems in the US. Their business is to manage and refine their list, and I lean toward their numbers.

As an ISV, we have historically delivered licensed, shrink-wrapped software directly to the customer. They install and run it locally. It performs as a Payment Server, talking directly to their card authorization network of choice and storing transactions securely, encrypted - locally.

Read more: Future of the AS/400, iSeries, "i", whatever...

Curbstone Preferred in Kentucky!

We are flattered that job boards are listing knowledge of Curbstone Card as an employment requirement!  Stumbled on this job listing at http://www.simplyhired.com/job/edi-analyst-job/hitky/sk2idjog3k


JP Morgan breach part of larger crisis


J. P. Morgan’s disclosure that hackers compromised the data of more than 76 million of its consumer patrons — and 7 million small business clients — may seem stunning.

But it reflects just a sliver of the withering bombardment the U.S. financial services sector has endured for at least the past three years.

Criminals go where the money is. And in this case, the most sophisticated, well-funded and determined cyber attackers have been relentlessly hammering on banks, fund managers, brokerage houses, stock exchanges and the like since at least 2011.

These cyber attacks against America’s financial infrastructure are sophisticated, well-funded and highly-coordinated. The motive: simple greed, but also ideological fervor – and sometimes both. This is not something the financial sector cares to discuss publicly.

But make no mistake. Wall Street is expending enormous resources just to keep the attackers mostly in check. The result is that disclosures of major breaches, like the one J. P. Morgan was compelled to reveal in this terse SEC filing, occur only sporadically.

[Read More at MarketWatch]


Thoughts on JetPay, and DRAMA!

Stumbled on a CGIDEV2 (Easy400) forum post that was lauding the benefits of JetPayi5, purportedly "free" credit card software for the IBM AS/400, iSeries, and System i, that I have watched for many years.
https://groups.yahoo.com/neo/groups/Easy400Group/conversations/topics/15124

Responded to a commercial (and a little inaccurate) post by someone about JetPay, and respectfully addressed the issues and contrasted it to our commercial software.  

http://Jetpayi5.com 

Was just informed that our post has caused our removal from the Group since we addressed a product that was a sponsor of the admin's site.  Quote: "You cannot comment on the Easy400Group about a software owned by the site sponsor."  So, read it here!

IMPORTANT NOTE: The web interface and other products on the web site http://Easy400.net are absolutely excellent.  CGIDEV2 is legendary in performance, and the rest of the offered software is really great stuff.  We have the highest respect for the products and efforts of the managing technician, as he has been a true gift to our platform.


... We are a vendor of native software for the AS/400 System i. The paragraph on JetPay is mostly accurate, except for one statement.

"The software is given free because it is being paid for by principal members of the major card companies."

The card companies do not ever "pay" anything to anyone. The only one who EVER pays for ANYTHING is the merchant. As a merchant, you pay for everything that you get in the rate that you pay. 100% of anything an ISO (Independent Sales Organization) or acquirer (the one you contract with for the processing service, like Jetpay) provides you is paid for in the fees you pay for processing. Nothing is free, and the card organizations are NOT benevolent.

With JetPay you do keep your bank into which the collected card money is deposited, but ALL processing networks will deposit the proceeds in the bank of your choice. That is called the "merchant depository bank" and any bank can be designated by any network to receive the funds.

Our software and services, funded directly by the merchant, supports major auth networks. The primary benefit is that you, the merchant, can SELECT the ISO or acquirer who provides the best rates and support.

If you accept a "free" software, you become a CAPTIVE AUDIENCE for that acquirer. Whatever they want to charge you will have to be acceptable, since you have such an investment in the integration and learning curve. Once the original contract expires in a year or two, you would be in a poor position to easily switch acquirers.

Read more: Thoughts on JetPay, and DRAMA!

Quintessential Security Book -- Carol Woodbury

We believe this book to be so valuable to ALL iSeries shops that we include it for free with every copy of our software.  It is an official part of our "PCI Implementation Guide" and the ultimate step-by-step guide to securing your System i.  

  • Gain the knowledge you need to secure your IBM i system
  • Discover security best practices
  • Receive a comprehensive introduction to role-based access
  • Learn a methodology for implementing IBM i object-level security
  • Understand the issues your organization needs to address for audit and compliance requirements
  • Learn techniques for more efficiently and effectively administering security
  • Learn about helpful system tools and commands for managing IBM i security


http://www.mc-store.com/IBM-i-Security-Administration-Compliance/dp/1583473734

The Software, So Many To Choose...

Never realized how much software existed for card processing...

$$$ in the Bank (dial),   $$$ on the Net (IP/Frame),   .netCHARGE,   3 Per Technologies Inc.,   911 Software,   Ablecommerce.com,   ACR 2000,   ACR Systems,   ADS Retail Systems,   Agilysys (LMS/IAD),   AJB Software Design,   AMPS Descartes,   Amps Wireless,   Appropriate Solutions, Inc.,   Apriva Inc.,   ARC,   ARGUS,   Arcot Systems Inc.,   Ariel Technical Services, Inc,   ARI-Service,   Artema,   ASCENT,   Ascom Transport Systems,   Atomic Gateway/iAuthorizer,   Auric Systems,   Authorize.Net,   AuthPayX,   AuthServ,   AutoClerk,   AutoGas,   Beanstream Internet Commerce,   


Big Red Wire,   Bitel Co., LTD,   Bluefin Payment Systems,   BNA Smart Payment Systems,   BridgePoint Systems,   Caledon Computers,   Camp Select,   Cardinal Commerce,   CB Technologies,   CC Pay,   Celerant Technology,   Cerium Component Software, Inc.,   Charge Anywhere,   ChargePort,   Checkmate Electronics, Inc.,   Cheetah Medical Solutions,   Citadel,  Clarusys Inc,   ClearCommerce Corporation,   ClearTran,   CN Express,   Comdata,   Compris Technologies, Inc.,   Compu-Touch,   Comstar Interactive Corp,   Counter Pro,   CounterPoint,   CPM,   CR Software Inc,   Credit OCX,   Credit Pro v4.06,   CRS Retail Systems,   Curbstone Corporation,   Cyberseats.com,   CyberSource,   Data Plane Inc.,   DataCap,   Data tran,   

Read more: The Software, So Many To Choose...

IBM Business Partner App SHOWCASE

Visit us on the IBM site at the Business Partner Application Showcase for details of our most recent products.  Also, more details on the IBM site at the Global Solutions Directory Curbstone listing.


 

A Decade of Recognition...

2014 - For the tenth year in a row, IBM selects and recommends Curbstone as the sole native Payment Server for the AS/400 System i in their Developers' Road Atlas for the platform!  


Visa's Holiday Best Practices for POS Merchants

Enjoy these attached advisory alerts from Visa USA on the protection of merchant point of sale systems during the holiday season.

They were prepared in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the United States Secret Service (USSS), and the Retail Cyber Intelligence Sharing Center (R-CISC), and are aimed at retailers or companies processing financial transactions and managing "personally identifiable information" (PII).

This advisory is not intended to be a robust, all-inclusive list of procedures and the information contained in this advisory does not augment, replace or supersede requirements of PCI-DSS or other applicable security standards or practices.

The Tactics, Techniques, and Procedures discussed in this report include the following:

  • Exploiting commercial application vulnerabilities
  • Unauthorized access via remote access
  • Email phishing
  • Unsafe web browsing from computer systems used to collect, process, store or transmit customer information

DOWNLOADS:

Protecting_Merchant_POS_Systems_Holiday.pdf

HolidaySeason-PointOfSale-BestPractices-V2.pdf


Macadam Roads

Curbstone Presents - the American Road

1823 - First American Macadam Road
Image: Workers level a road with tools as a supervisor looks on.
Painting by Carl Rakeman

NOTE: As a young boy, whose Father was 55 years old when I was born, I heard stories of the old days. My Father told of how he navigated from New York to California on an Indian motorcycle just after World War I.  He explained how they could ride in the rain when it was falling, as the drops seemed to help traction, but had to pull over when the road was just wet.  One thing that stuck with me was his constant reference to the roads as MACADAM. So I did some research on the subject. This is a compilation of that research, and at the time, I did not collect the sources, as I was just doing it for myself. Most of this appears to be gone now. ENJOY, and feel free to use any material you like.

The first macadam surface in the United States was laid on the "Boonsborough Turnpike Road" between Hagerstown and Boonsboro, Maryland. By 1822, this section was the last unimproved gap in the great road leading from Baltimore on the Chesapeake Bay to Wheeling on the Ohio River. Stagecoaches using the road in winter needed 5 to 7 hours of travel to cover 10 miles. 

Read more: Macadam Roads