Credit Where Credit Is Due

Commerce - Other
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Credit card processing is one of those things that can make or break a business, especially if you're trying to establish a B2C (business-to-consumer) presence on the Internet. Unless you have some sort of monopoly on your particular product, you had better have the ability to take credit cards.

But credit card processing didn't start because of the World Wide Web. Internet sales are hardly the only place where a business might need to take a credit card. On the contrary, in the small-to-medium business space, where the iSeries plays best (are you listening, IBM?), there are perhaps half a dozen different uses of a credit card, and most of them have little to do with the general consumer.

What Is Credit Card Processing?

Being the naive waif that I am, I assumed that credit card processing was pretty much a simple "tell me how much to pay" sort of thing: The vendor sends a message to the credit card company, and it says OK (or not). As it turns out, it's much more complex than that. Two things make up the credit card transaction: the players and the plays.

The Players

The players include the merchant (the one doing the selling, which in this case would be you), the "acquirer" (the one who pays the merchant and gets paid by the credit card company), and the authorization network (somebody you contact electronically to post transactions). There is a bit of paperwork involved, as well as some cost, both up front and annually, to set this all up.

The Plays

Once you have everything set up, there's still the matter of what happens in a credit card transaction. Transactions types come in many forms. Heck, there are two just for selling stuff. The first is a normal sale, which is typically used in point-of-sale (POS) systems such as grocery stores and gas stations. In this case, the consumer has already taken possession of the merchandise or service, and the sale is both authorized and shipped in one swoop. Note the terms "authorized" and "shipped"? Well, that's the second kind of sale: First, the buyer authorizes something to be purchased and the vendor puts a hold on the credit card for that amount. Later, when the actual merchandise ships, the hold is released and the actual amount is booked as a sale. This is typically for things like Internet purchases or hotel rentals.

Two other transaction types are the credit, which simply refunds money to a consumer's account, and the authorization reversal transaction, which is used to back out some money that was on hold before settling the transaction. This latter transaction is typically used when vendors such as hotels or car rental companies over-authorize the amount to handle "incidentals" (like wrecking the car or emptying the minibar).

Finally, there is a batch settlement transaction that runs typically at the end of the day. It verifies all the day's transactions and triggers actual payment into the merchant's bank account.

The Big Decision: Make or Buy

Although this was always a question that needed to be asked in any requirements phase, in the old days (when we wrote code with stone hammers) it was rare that you would find something as complicated as credit card processing in a shrink-wrap package you could purchase.

Today, that's not the case. Quite a few vendors out there sell credit card processing solutions of one kind or another for the iSeries. The vendors for iSeries solutions include folks like Curbstone and ROI Corporation. This is by no means an inclusive list nor an endorsement of any particular vendor; any vendors who would like to promote their solutions are invited to participate in the forum for this article (or better yet, purchase an ad from MC Press, or at least register yourself in the free MC Press Buyer's Guide!). As a disclaimer, I have a business relationship with Curbstone but no affiliation with ROI.

Speaking of business relationships, one of my clients is a company by the name of NBS Consultants, Inc. NBS sells an ERP system called PICS and recently added credit card processing to its base system. Early on in the decision-making process, it became clear to the company's president, Ken Hare, that no one packaged solution would address all the possible requirements of his various clients: "There are at least six different places where credit cards might be used in a given business and dozens of different authorization networks." With that sort of complexity, it became clear that, for NBS, writing their own solution was simply more cost-effective than trying to find a package that fit every conceivable scenario.

Remember that NBS is a software vendor, so its environment almost certainly is more complicated than that of the average shop. You may not need the extra flexibility that a roll-your-own system provides. At the same time, as has been demonstrated so dramatically in our own industry, change is the only constant. Take particular care to think about future requirements when you address the make vs. buy question.

Where Will You Use Credit Cards?

Among the first tasks during the process of enabling credit card support is identifying the areas of your business in which credit cards will be used. If you're like me, the first two things that you think of are POS devices and B2C Internet sales (and their low-tech cousin, the phone sale). As Hare points out, though, numerous other transactions involve credit cards, from paying your A/R balance to making a purchase on a B2B Web site. Then there are will-call sales, which have slightly different rules, depending on whether the purchaser physically has the card at the time of pickup.

Which Cards Will You Accept?

One of the next steps of the process is identifying the cards you will accept. The standards seem to be MasterCard, Visa, and American Express. The American Express Corporate card is a regular addition. The last two players are Discover card and Diner's Club, both of which have a more limited scope.

Also, once you've started accepting credit cards, can checks be far behind? As it turns out, the processing for checks using something like the TeleCheck authorization network is similar to that of standard credit card authorization. Even if you're not taking checks today, you may want to consider the possibility before making a final decision.

Where Will I Interface into My Systems?

This is key. There are perhaps a half dozen places where you'll need to update your system to handle credit card processing. The most obvious are order entry and the downstream functions of invoicing and general ledger. Each of these needs to be tied to the actual process of sending transactions to the authorization network. Determining whether your business is POS or mail order will identify the type of transaction and the timing of it within your order process. And then you have your batch posting, which should also generate the settlement transactions.

But that's not all. There may well be other areas of your system that require additional processing. An example is accounts receivable, where you may need to make provisions for allowing customers to pay their bills via credit card.

And the Answer Is...

The more of these options that you need to enable for your business, the less likely it is that a single vendor package will be able to fit your needs. But if you really don't want to reinvent this particular wheel, there are plenty of products to choose from. Do the research, and then do the math. Just remember that this means adding one more point of failure into your systems. According to Hare, "When problems occur, you now have a three-point triangle of responsibility to manage: your software, the third-party interface software, and the authorization service and associated network."


This is the purely mechanical aspect of transaction processing: getting the transactions to the authorization network and back. This is actually a good place to segment the discussion, because you could theoretically write your own interface to your back-end systems and use a third-party solution for just the communication.

Hybrid Techniques

Let's quickly address these hybrid techniques. In this scenario, custom software modifications and/or business procedures are designed to use either dedicated devices or PC-based solutions. While quick to implement, either of these directions adds an additional point of failure to the system as well as the same third-party complications as just buying a complete solution. A dedicated device is probably less likely to fail but will usually require manual re-keying of data. A PC-based solution, on the other hand, can probably be interfaced programmatically but adds all the extra overhead of an additional computer. Depending on how many locations you have, this can be both expensive and administratively challenging.

Writing Your Own

The other option is to write your own communications subsystem. While today's iSeries is a much better environment for communications than either the AS/400 or S/38 was, this area is hugely (and unnecessarily) complex because of the lack of standardization among vendors. Communications with authorization networks can be via the Internet using HTTPS or VPN or even proprietary protocols. There are also networks that use frame relay or even dial-up connections. This may be the most difficult part of the make vs. buy decision, especially since a requirement to change authorization networks may well require a whole new round of communications programming (and communications programs are still among the most difficult types of programs to debug).

You might think that you can stick with a single network, but that's not always the case. According to Hare: "Businesses have many reasons to switch their credit authorization services over time: change of banking relationship, attempts to reduce associated transaction-processing fees, speed of transaction processing." So the thing to remember here is that if you want to build your own software, be sure to make it flexible.

OK, Now That I Know the "What," How About the "How"?

This column is not meant to be a product review, so let's assume that you've decided to write your own credit card interface. You still have several rather large issues to address.

User Interfaces and Program Interfaces

The obvious requirement is for additional input capabilities. You'll need to be able to enter credit card information. What data is required will depend on the transactions and even on the business type. For example, there are sometimes unique requirements for will-call when the purchasing card is not present, such as when someone buys you tickets on their credit card for you to pick up at show time.

You may also be noticing more often that POS devices are asking for your ZIP code; an example is the self-service line in Home Depot. In order to prevent fraud, more of this sort of information is being required, and your interfaces will have to change accordingly (not to mention that they'll need to be flexible enough to handle the minor differences between applications). But this requirement isn't just to satisfy the security needs of the credit card companies. In some cases, they offer incentives in the form of discounted processing rates for transactions with these extra security checks.

Multiple Authorization Networks, Card Types, and Programs

You really need to plan ahead in this area. Your database needs to be quite flexible. As noted earlier, there are lots of good reasons to switch networks, which means that anything hard-coded has a potential to bite you later, including URLs, login IDs, passwords, merchant IDs, and even transaction history.

Little things like the CVV2 (Card Verification Value) number are different for each card type. Hare says that there are other variations that people are beginning to expect: "Will you need to support debit cards? Gift cards? Loyalty programs? These all require additional database and program support."

Database Security

In these days of identity theft and credit card fraud, it's clear that the integrity and security of your database is of preeminent importance. Certain rules define which pieces of data can be stored and how. For example, as far as I know, you can never store a CVV2 number. Other pieces of information ought to be encrypted; just because you don't need to encrypt data doesn't mean that you shouldn't. The beauty of the iSeries is that you can encrypt data relatively easily, so that's one more weapon in your arsenal if you decide to go the self-written route.

What's the Best Answer?

Ha! Thought you'd trick me into a recommendation, eh? In this very difficult area of business, I couldn't possibly make a suggestion without carefully analyzing your particular business processes. That's what you'll need to do in order to decide which route is best for you. Credit card processing is more and more of a necessity, that's for sure. But choosing the right path is a difficult decision.

I will go out on a little bit of a limb here. If you have only a small number of people who can authorize credit card payments and you don't expect to grow a lot soon, I'd probably recommend that you opt for an all-in-one solution (either PC-based or a dedicated device) that can handle your load at a reasonable expense. But if you plan on handling any sort of Internet business or have a lot of distributed call centers, you're going to need to automate, and then the make vs. buy decision becomes much more involved.

I'd like to thank Ken Hare for taking the time to provide us with his expertise on this subject, and I'll leave you with his final words on the topic: "This stuff must work every day. Money--same as hard cash--is at stake."

Joe Pluta is the founder and chief architect of Pluta Brothers Design, Inc. He has been working in the field since the late 1970s and has made a career of extending the IBM midrange, starting back in the days of the IBM System/3. Joe has used WebSphere extensively, especially as the base for PSC/400, the only product that can move your legacy systems to the Web using simple green-screen commands. Joe is also the author of E-Deployment: The Fastest Path to the Web, Eclipse: Step by Step, and WDSC: Step by Step. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

Joe Pluta

Joe Pluta is the founder and chief architect of Pluta Brothers Design, Inc. He has been extending the IBM midrange since the days of the IBM System/3. Joe uses WebSphere extensively, especially as the base for PSC/400, the only product that can move your legacy systems to the Web using simple green-screen commands. He has written several books, including Developing Web 2.0 Applications with EGL for IBM i, E-Deployment: The Fastest Path to the Web, Eclipse: Step by Step, and WDSC: Step by Step. Joe performs onsite mentoring and speaks at user groups around the country. You can reach him at

MC Press books written by Joe Pluta available now on the MC Press Bookstore.

Developing Web 2.0 Applications with EGL for IBM i Developing Web 2.0 Applications with EGL for IBM i
Joe Pluta introduces you to EGL Rich UI and IBM’s Rational Developer for the IBM i platform.
List Price $39.95

Now On Sale

WDSC: Step by Step WDSC: Step by Step
Discover incredibly powerful WDSC with this easy-to-understand yet thorough introduction.
List Price $74.95

Now On Sale

Eclipse: Step by Step Eclipse: Step by Step
Quickly get up to speed and productivity using Eclipse.
List Price $59.00

Now On Sale



Support MC Press Online





  • White Paper: Node.js for Enterprise IBM i Modernization

    SB Profound WP 5539

    If your business is thinking about modernizing your legacy IBM i (also known as AS/400 or iSeries) applications, you will want to read this white paper first!

    Download this paper and learn how Node.js can ensure that you:
    - Modernize on-time and budget - no more lengthy, costly, disruptive app rewrites!
    - Retain your IBM i systems of record
    - Find and hire new development talent
    - Integrate new Node.js applications with your existing RPG, Java, .Net, and PHP apps
    - Extend your IBM i capabilties to include Watson API, Cloud, and Internet of Things

    Read Node.js for Enterprise IBM i Modernization Now!


  • Profound Logic Solution Guide

    SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation.
    Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects.
    The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the companyare not aligned with the current IT environment.

    Get your copy of this important guide today!


  • 2022 IBM i Marketplace Survey Results

    Fortra2022 marks the eighth edition of the IBM i Marketplace Survey Results. Each year, Fortra captures data on how businesses use the IBM i platform and the IT and cybersecurity initiatives it supports.

    Over the years, this survey has become a true industry benchmark, revealing to readers the trends that are shaping and driving the market and providing insight into what the future may bring for this technology.

  • Brunswick bowls a perfect 300 with LANSA!

    FortraBrunswick is the leader in bowling products, services, and industry expertise for the development and renovation of new and existing bowling centers and mixed-use recreation facilities across the entertainment industry. However, the lifeblood of Brunswick’s capital equipment business was running on a 15-year-old software application written in Visual Basic 6 (VB6) with a SQL Server back-end. The application was at the end of its life and needed to be replaced.
    With the help of Visual LANSA, they found an easy-to-use, long-term platform that enabled their team to collaborate, innovate, and integrate with existing systems and databases within a single platform.
    Read the case study to learn how they achieved success and increased the speed of development by 30% with Visual LANSA.


  • The Power of Coding in a Low-Code Solution

    LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed.
    Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

    • Discover the benefits of Low-code's quick application creation
    • Understand the differences in model-based and language-based Low-Code platforms
    • Explore the strengths of LANSA's Low-Code Solution to Low-Code’s biggest drawbacks



  • Why Migrate When You Can Modernize?

    LANSABusiness users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
    In this white paper, you’ll learn how to think of these issues as opportunities rather than problems. We’ll explore motivations to migrate or modernize, their risks and considerations you should be aware of before embarking on a (migration or modernization) project.
    Lastly, we’ll discuss how modernizing IBM i applications with optimized business workflows, integration with other technologies and new mobile and web user interfaces will enable IT – and the business – to experience time-added value and much more.


  • UPDATED: Developer Kit: Making a Business Case for Modernization and Beyond

    Profound Logic Software, Inc.Having trouble getting management approval for modernization projects? The problem may be you're not speaking enough "business" to them.

    This Developer Kit provides you study-backed data and a ready-to-use business case template to help get your very next development project approved!

  • What to Do When Your AS/400 Talent Retires

    FortraIT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators is small.

    This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:

    • Why IBM i skills depletion is a top concern
    • How leading organizations are coping
    • Where automation will make the biggest impact


  • Node.js on IBM i Webinar Series Pt. 2: Setting Up Your Development Tools

    Profound Logic Software, Inc.Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. In Part 2, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Attend this webinar to learn:

    • Different tools to develop Node.js applications on IBM i
    • Debugging Node.js
    • The basics of Git and tools to help those new to it
    • Using as a pre-built development environment



  • Expert Tips for IBM i Security: Beyond the Basics

    SB PowerTech WC GenericIn this session, IBM i security expert Robin Tatam provides a quick recap of IBM i security basics and guides you through some advanced cybersecurity techniques that can help you take data protection to the next level. Robin will cover:

    • Reducing the risk posed by special authorities
    • Establishing object-level security
    • Overseeing user actions and data access

    Don't miss this chance to take your knowledge of IBM i security beyond the basics.



  • 5 IBM i Security Quick Wins

    SB PowerTech WC GenericIn today’s threat landscape, upper management is laser-focused on cybersecurity. You need to make progress in securing your systems—and make it fast.
    There’s no shortage of actions you could take, but what tactics will actually deliver the results you need? And how can you find a security strategy that fits your budget and time constraints?
    Join top IBM i security expert Robin Tatam as he outlines the five fastest and most impactful changes you can make to strengthen IBM i security this year.
    Your system didn’t become unsecure overnight and you won’t be able to turn it around overnight either. But quick wins are possible with IBM i security, and Robin Tatam will show you how to achieve them.

  • Security Bulletin: Malware Infection Discovered on IBM i Server!

    SB PowerTech WC GenericMalicious programs can bring entire businesses to their knees—and IBM i shops are not immune. It’s critical to grasp the true impact malware can have on IBM i and the network that connects to it. Attend this webinar to gain a thorough understanding of the relationships between:

    • Viruses, native objects, and the integrated file system (IFS)
    • Power Systems and Windows-based viruses and malware
    • PC-based anti-virus scanning versus native IBM i scanning

    There are a number of ways you can minimize your exposure to viruses. IBM i security expert Sandi Moore explains the facts, including how to ensure you're fully protected and compliant with regulations such as PCI.



  • Encryption on IBM i Simplified

    SB PowerTech WC GenericDB2 Field Procedures (FieldProcs) were introduced in IBM i 7.1 and have greatly simplified encryption, often without requiring any application changes. Now you can quickly encrypt sensitive data on the IBM i including PII, PCI, PHI data in your physical files and tables.
    Watch this webinar to learn how you can quickly implement encryption on the IBM i. During the webinar, security expert Robin Tatam will show you how to:

    • Use Field Procedures to automate encryption and decryption
    • Restrict and mask field level access by user or group
    • Meet compliance requirements with effective key management and audit trails


  • Lessons Learned from IBM i Cyber Attacks

    SB PowerTech WC GenericDespite the many options IBM has provided to protect your systems and data, many organizations still struggle to apply appropriate security controls.
    In this webinar, you'll get insight into how the criminals accessed these systems, the fallout from these attacks, and how the incidents could have been avoided by following security best practices.

    • Learn which security gaps cyber criminals love most
    • Find out how other IBM i organizations have fallen victim
    • Get the details on policies and processes you can implement to protect your organization, even when staff works from home

    You will learn the steps you can take to avoid the mistakes made in these examples, as well as other inadequate and misconfigured settings that put businesses at risk.



  • The Power of Coding in a Low-Code Solution

    SB PowerTech WC GenericWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed.
    Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

    • Discover the benefits of Low-code's quick application creation
    • Understand the differences in model-based and language-based Low-Code platforms
    • Explore the strengths of LANSA's Low-Code Solution to Low-Code’s biggest drawbacks



  • The Biggest Mistakes in IBM i Security

    SB Profound WC Generic The Biggest Mistakes in IBM i Security
    Here’s the harsh reality: cybersecurity pros have to get their jobs right every single day, while an attacker only has to succeed once to do incredible damage.
    Whether that’s thousands of exposed records, millions of dollars in fines and legal fees, or diminished share value, it’s easy to judge organizations that fall victim. IBM i enjoys an enviable reputation for security, but no system is impervious to mistakes.
    Join this webinar to learn about the biggest errors made when securing a Power Systems server.
    This knowledge is critical for ensuring integrity of your application data and preventing you from becoming the next Equifax. It’s also essential for complying with all formal regulations, including SOX, PCI, GDPR, and HIPAA
    Watch Now.

  • Comply in 5! Well, actually UNDER 5 minutes!!

    SB CYBRA PPL 5382

    TRY the one package that solves all your document design and printing challenges on all your platforms.

    Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product.

    Request your trial now!

  • Backup and Recovery on IBM i: Your Strategy for the Unexpected

    FortraRobot automates the routine tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
    - Simplified backup procedures
    - Easy data encryption
    - Save media management
    - Guided restoration
    - Seamless product integration
    Make sure your data survives when catastrophe hits. Try the Robot Backup and Recovery Solution FREE for 30 days.

  • Manage IBM i Messages by Exception with Robot

    SB HelpSystems SC 5413Managing messages on your IBM i can be more than a full-time job if you have to do it manually. How can you be sure you won’t miss important system events?
    Automate your message center with the Robot Message Management Solution. Key features include:
    - Automated message management
    - Tailored notifications and automatic escalation
    - System-wide control of your IBM i partitions
    - Two-way system notifications from your mobile device
    - Seamless product integration
    Try the Robot Message Management Solution FREE for 30 days.

  • Easiest Way to Save Money? Stop Printing IBM i Reports

    FortraRobot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing.
    Manage your reports with the Robot Report Management Solution. Key features include:

    - Automated report distribution
    - View online without delay
    - Browser interface to make notes
    - Custom retention capabilities
    - Seamless product integration
    Rerun another report? Never again. Try the Robot Report Management Solution FREE for 30 days.

  • Hassle-Free IBM i Operations around the Clock

    SB HelpSystems SC 5413For over 30 years, Robot has been a leader in systems management for IBM i.
    Manage your job schedule with the Robot Job Scheduling Solution. Key features include:
    - Automated batch, interactive, and cross-platform scheduling
    - Event-driven dependency processing
    - Centralized monitoring and reporting
    - Audit log and ready-to-use reports
    - Seamless product integration
    Scale your software, not your staff. Try the Robot Job Scheduling Solution FREE for 30 days.