To a limited extent yes.

Originally when we started taking credit cards for the RPG & DB2 Summit we handled all of the transaction (other than the actual authorization) on the IBM i, but only storing credit card numbers for long enough to perform the authorization. Originally that mainly involved having the right security certs in place and getting a "good guy" certification from Komodo (I think). Over time, as PCI compliance became stricter and stricter, we found ourselves having to "lie" on the self-survey because the questions being asked, while critical to certification, had no meaning in an IBM i environment and/or our business model. But to move away from the self-assessment model would have cost a fortune. At the same time the automated test processes from the certification agent increasingly flagged non-existent errors that we had to spend hours investigating and explaining to them why they were false positives. Not easy when dealing with people who wouldn't know an IBM i if it bit them in the ...

In the end it all became too much work and we just shook our heads and said "no way". So now instead of handling the whole thing ourselves we do something similar to what you are considering. In our case that means re-directing the process to the credit card processing company's landing page (customized to look somewhat like our own pages), letting them handle the card input etc. and then picking up the processing again ourselves once the transaction is completed and they have authorized (or not) the payment. By making this change we no longer have to concern ourselves with PCI compliance audits and expensive time-wasting investigations. Since I am the one who was responsible for making that all work, this change has been a godsend for me! I would never suggest anyone taking credit cards directly on their IBM i - or indeed any other system under their control - it is just not worth the aggravation and expense. The extra I pay the card handling company to have them do it all is a fraction of what it was costing me in time and audit fees.

I see that you are the admin and so the full weight of all this would be on you. Sounds to me like the CC authorizer is offering you a lifeline!


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Dec 4, 2018, at 9:06 PM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx> wrote:

Anyone from the group processing credit cards on the i?

Currently, we do NOT use any credit card terminal devices.
Currently, card data is entered either via green screen application, gui application, IVR, WEB.

We were informed by our processor today that going forward we need to consider having ALL card data entered via a wireless device connected to a separate network (no longer from any PC device, or any device connected to the I, or the I network) that connects to a cloud-based authorizer, and then returns a token back to the I, which in turn is then stored in the I application, to keep the I out of PCI scope and to remain PCI compliant.

Going forward, all current credit card touch points (green screen application, gui application, IVR, WEB) would need changes to stay compliant.

Have others in the group had to deal with this issue and what solutions has anyone implemented?

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list