• The Four Hundred
  • Curbstone Gains PCI Compliance for i OS Payment System

    August 26, 2008 Alex Woodie

    While the Payment Cardholder Industry (PCI) has been congratulated for publishing clear and concise rules (especially compared to the muddy mess that was Sarbanes-Oxley), the 12-part Data Security Standards (DSS) regulations actually could have made a little more sense. According to Ira Chandler, president of i OS payment software provider Curbstone Software, following the letter of the PCI law is just not practical on some points. To address these concerns, the company launched a new dedicated communication module for its i operating system (i OS) payment software that keeps System i servers off the dangerous Internet.

    Make no mistake about it–Chandler is a big fan of PCI. Considering that Chandler has been advocating the use of encryption to protect credit card numbers for the last decade, the fact that retailers and other companies that process credit card transactions are now required by PCI to take security seriously is a validation of sorts. “If they would [follow the PCI DSS], they wouldn’t have these problems,” he says.

    It’s just that some of the wording of the PCI DSS requirements doesn’t always make the most sense. The writers of the document meant well, but they didn’t hit the nail on the head as squarely as they could.

    The part that irks Chandler is the requirement that computers storing credit card data should not be connected to the Internet. Upon first reading, that sounds like a good idea. After all, the Internet is how all those clever hackers can get into your machine and steal your private data.

    But, upon second reading, it’s not such a good idea. Especially when you consider that companies like Curbstone make credit card payment software requiring an Internet connection to obtain credit authorizations from the payment card networks. Not all companies that write payment software use the Internet for authorizations. But many do–including Curbstone, which connects with eight authorization networks–and it results in faster authorizations and less waiting in the check-out line.

    “They talk about not storing your card data on a machine that’s connected to the Internet,” Chandler said in a recent interview. “Even if they say that, they don’t mean that, because if they meant that, our software could never be used. On an AS/400 doing green-screen order entry, we connect to the Internet because we have to go out and get the authorization. Well, they’re not talking about that because that’s going to the “auth” network. They’re talking about [using] the Internet on the customer side. If it’s B2B or B2C, having a customer or user access the Internet is what they’re talking about.”

    Nonetheless, the PCI requirement about Internet connections is in there, and that makes Chandler’s customers nervous. It doesn’t matter that the Curbstone Card (the name of Curbstone’s native i OS payment software) features something called an application layer firewall that prevents any communication other than known transactions in known formats from traversing the outside network into the System i server.

    It doesn’t matter that this firewall adheres to accepted security standards, and the payment software is fully verified by the authorization networks. What matters is that Curbstone’s customers are worried that a small inconsistency could lead to a PCI violation and the hefty fines that follow.

    To alleviate his customers’ concerns, Chandler and his team of developers are giving customers the option of moving authorization communications off the System i server, and onto a Linux thin client device, called the Chatter Box.

    “We’re moving communications off the AS/400, and putting it on this itty-bitty box, which can go in the DMZ,” Chandler says. “The box never stores any data. It’s merely a protocol conversion device, if you will. We talk to it from the AS/400 using secure sockets. . . . It has the Java code on it, which [allows communication with] whichever one of the eight different networks we want to talk to. It does the communication to the network using their certified protocols, which are all hardened. It gets the response back, and then we get the response back to the AS/400 through the SSL socket.”

    Chandler didn’t launch the Chatter Box to suit the letter of the law, “but to suit the merchants who are risk avoidant, and paranoid, as they should be,” he says. “They say ‘I don’t care if you’re validated to work with the AS/400 in the LAN and to go out to the Internet to get authorization. I want it on a second box.’ Well here’s the answer.”

    Curbstone, which is based near Atlanta, Georgia, recently had a qualified security assessor, or QSA, verify that its software and development techniques met PCI standards. Chandler–who compared the experience to a certain type of exam performed by a certain type of medical professional–expressed relief that the PCI audit was completed. Getting the new Chatter Box certified for PCI was “part of the reason it was so painful,” he says.

    Curbstone officially announced PCI compliance last week in a joint press release with IBM. The companies also shared the story of how Adorama, a retailer of photography and video equipment, used Curbstone Card to secure its payment system.

    According to Adorama, the fact that Curbstone is compliant with Visa and MasterCard security programs led those credit card companies to reduce the processing fees they charge Adorama. “In addition, we estimate these programs have reduced fraudulent online purchases by more than five percent,” Harry Drummer, special assistant to Adorama’s president, said in the press release. “We couldn’t be happier with the solution.”

    PCI compliant versions of Curbstone Card and its new Chatter Box will be available soon. For more information, visit the company’s Web site at www.curbstone.com.

    RELATED STORIES

    ID Theft Case Put Focus on Credit Card Security

    Putting the ‘i’ Back Into PCI

    Curbstone Finds Java Satisfying for Communications Protocols

    Curbstone Native OS/400 Credit Card Software Makes Debut



Volume 8, Number 31 -- August 26, 2008