This content is made possible by our sponsor. It was not written by, and does not reflect the views of, MSP TechMedia or IBM Systems Magazine.

Ira Chandler

Curbstone Corporation

In 1993, Ira Chandler wrote the first commercial card software for the AS/400. Twenty-four years later, the company is still dedicated to the IBM i.


Being in the credit card processing business, we are audited continually. So, we study the industry and Payment Card Industry (PCI) security mandates constantly.

Dramatic news items often overshadow other important alerts. Earlier this year, the PCI Security Standards Council (PCI SSC) mandated that all merchants, even the smallest, are now required to complete and submit a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC).

So what?

Previously, those at "Merchant Level 4," the lowest volume tier, were not required to do so. These small merchants do less than a million total transactions and fewer than 20,000 e-commerce transactions per year. You may be one.

Not heard of this?

The people with whom you contract for card processing are banks. The PCI enforces its requirements through the card brands (e.g., Visa, MasterCard, American Express), and the only contract those brands have with the merchant is the merchant account that the acquiring bank has signed with the merchant. While banks/acquirers are interested in security, they are ill-equipped to enforce PCI mandates.

What is the task?

As of Jan. 31, 2017, a merchant accepting credit cards is absolutely required to complete an SAQ. If your workstations and servers touch credit card data in any way—regardless of whether you store it—you must complete SAQ "D". This 500-plus question interrogation into your processes, systems and security can take months to complete, and it is accompanied by the implementation of mandated policies and procedures.

What is the risk?

Even though your bank may not have demanded it, ignorance is no excuse if you suffer a breach. So, as great as you think your security is, without a submitted SAQ and an AOC signed by an officer of the company, you're patently in violation of PCI requirements. This exposes a company to huge fines, lawsuits and re-issuance costs for the card numbers stolen.

We present this to alert you not only to a mandate that you likely have not yet been asked to fulfill, but also to the ever-increasing requirements coming from the PCI. If you touch credit card data, or even employ remote tokenization technology, make sure someone in your organization is tasked with monitoring the PCI mandates. Better yet, find a trusted partner with expertise who can assist. The pcisecuritystandards.org website has a list of Qualified Security Assessors that specialize in providing authoritative guidance on compliance.