3.5 Oracle PCI DataSecurity


8/13/2019 3.5 Oracle PCI DataSecurity

Oracle Solutions for PCI-DSS Compliance

Chris Pickett
Principal Solution Architect, Enterprise Information Management
Oracle Corporation

Agenda

  • PCI-DSS Overview
  • Oracle Solutions
  • Demonstration
  • Case Study
  • Q & A

PCI Data Security Standard: 6 Major Control Areas, 12 Requirements

Build and Maintain a Secure Network
  • Req 1: Install and maintain a firewall configuration to protect data
  • Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  • Req 3: Protect stored cardholder data
  • Req 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
  • Req 5: Use and regularly update anti-virus software
  • Req 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  • Req 7: Restrict access to data by business need-to-know
  • Req 8: Assign a unique ID to each person with computer access
  • Req 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  • Req 10: Track and monitor all access to network resources and cardholder data
  • Req 11: Regularly test security systems and processes

Maintain an Information Security Policy
  • Req 12: Maintain a policy that addresses information security

PCI Data Security Standard: Requirements Covered Today

The Oracle Solutions slides that follow map products to five of the twelve requirements:

  • Req 3: Protect stored cardholder data (encryption at rest)
  • Req 4: Encrypt transmission of cardholder data and sensitive information across public networks
  • Req 7: Restrict access to data by business need-to-know
  • Req 10: Track and monitor all access to network resources and cardholder data
  • Req 11: Regularly test security systems and processes

Agenda: Oracle Solutions

PCI-DSS Compliance - Encryption
Req 3: Protect stored cardholder data

[Diagram: Application / End-Users / DBA / Sysadmin / Database / Storage]

Control: Confidentiality (on-disk encryption)
Product: Oracle Advanced Security (Transparent Data Encryption)

  • Transparently encrypt data at a column or tablespace level
  • PCI-DSS key management requirements supported by Oracle Wallet
  • HSM appliances also supported

Caveat: TDE protects data files, backups and storage media from anyone who can read them outside the database. It decrypts transparently for any session that holds SELECT on the table, so by itself it does not stop a DBA or a compromised application account reading cardholder data; that is what the Database Vault and Audit Vault controls on the following slides are for.
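The column- and tablespace-level encryption and the Wallet key management the slide lists, as an added SQL example that is not from the deck. It assumes Oracle Database 12c or later syntax (older releases use ALTER SYSTEM SET ENCRYPTION KEY / WALLET OPEN instead of ADMINISTER KEY MANAGEMENT); the PAY.CARDS table, its PAN column, the keystore path and the keystore password are hypothetical.

```sql
-- Added example (not from the deck). Hypothetical schema PAY.CARDS, column PAN;
-- keystore path and password are placeholders. 12c+ syntax.

-- 1. Create, open and key the software keystore (the "Oracle Wallet").
--    The keystore directory must match ENCRYPTION_WALLET_LOCATION in
--    sqlnet.ora (or WALLET_ROOT on 18c+); an HSM is configured the same way
--    with WRL_TYPE=HSM and then used as the master key store.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "keystore-password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore-password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "keystore-password" WITH BACKUP;

-- 2a. Column-level TDE: only the PAN column is encrypted and the application's
--     SQL is untouched (the approach the case study at the end of the deck used).
--     SALT is the default and is the right choice for a PAN; NO SALT is needed
--     only if the column must be indexed, and then only equality lookups work.
ALTER TABLE pay.cards MODIFY (pan ENCRYPT USING 'AES256');

-- 2b. Tablespace-level TDE: everything created in the tablespace is encrypted
--     on disk (tables, indexes, LOBs) with none of the column-level restrictions.
CREATE TABLESPACE card_data
  DATAFILE '/u01/app/oracle/oradata/ORCL/card_data01.dbf' SIZE 512M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE pay.card_events MOVE TABLESPACE card_data;  -- hypothetical second table

-- 3. Key rotation (PCI-DSS Req 3.6): re-issuing the master key re-wraps the
--    per-table/tablespace keys; no data is rewritten and no outage is needed.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "keystore-password" WITH BACKUP;

-- 4. Evidence for the assessor: what is encrypted, with which algorithm,
--    and whether the keystore is open and backed up.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE encrypted = 'YES';
SELECT wrl_type, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;
```

The keystore password is the one secret TDE cannot protect: an attacker with the wallet file and its password has the master key, so the password belongs with the key custodians, not in the DBA's shell history or a startup script (an auto-login wallet trades that for an OS file-permission dependency, which the assessor will ask about).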

PCI-DSS Compliance - SoD
Req 7: Restrict access to data by business need-to-know

[Diagram: Application / End-Users / DBA / Sysadmin / Database / Storage]

Control: Segregation of Duties
Product: Oracle Database Vault

  • Enforce segregation of duties for DBAs and other highly-privileged users
  • Enforce access control at the database level on any end-user access attempts outside authorised applications
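Both bullets, as an added Database Vault example that is not from the deck: a realm that takes the cardholder tables out of reach of DBA-style system privileges, and a command rule that lets even the application account read them only from the application tier. It is run as the Database Vault owner account; PAY.CARDS, the CARDAPP account and the application-server IP address are hypothetical.

```sql
-- Added example (not from the deck). Run as the Database Vault owner.
-- PAY.CARDS, CARDAPP and 10.0.5.20 are hypothetical.

BEGIN
  -- 1. Realm: once PAY's objects are inside it, SELECT ANY TABLE, the DBA
  --    role and similar system privileges no longer reach them, so a DBA who
  --    is not a realm participant cannot read the PAN despite administering
  --    the database. Direct object grants still apply, hence step 2 below.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Cardholder Data Realm',
    description   => 'PCI-DSS in-scope tables owned by PAY',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log violations
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Cardholder Data Realm',
    object_owner => 'PAY',
    object_name  => '%',            -- every object owned by PAY
    object_type  => '%');
  -- The application account is the only realm participant; it still needs
  -- its ordinary object grants on PAY's tables.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Cardholder Data Realm',
    grantee       => 'CARDAPP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rule set: the session must originate from the application server.
  --    IP_ADDRESS is set by the listener, not by the client, so it is harder
  --    to spoof than MODULE or PROGRAM; it is NULL for local bequeath sessions,
  --    which therefore fail the rule as well (intended).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From application server',
    rule_expr => q'[SYS_CONTEXT('USERENV','IP_ADDRESS') = '10.0.5.20']');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Application access only',
    description     => 'Cardholder data reachable only through the app tier',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Cardholder data is only accessible through the payment application',
    fail_code       => -20900,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Application access only',
    rule_name     => 'From application server');

  -- 3. Command rule: SELECT on PAY.CARDS is allowed only if the rule set passes.
  --    Someone who lifts the CARDAPP password and connects from a desktop
  --    SQL tool is therefore blocked even though they are a realm participant.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'Application access only',
    object_owner  => 'PAY',
    object_name   => 'CARDS',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check from a DBA session that is not a realm participant:
--   SELECT pan FROM pay.cards;   -- now fails with ORA-01031: insufficient privileges
```

Test the realm from the most privileged account you have before signing it off; the point of the control is that SYS-level privilege no longer implies read access, and a realm that was created but never exercised from a DBA session proves nothing to an assessor.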

PCI-DSS Compliance - Non-Prod Envs
Req 7: Restrict access to data by business need-to-know

[Diagram: Application / End-Users / DBA / Sysadmin / Database / Storage / D/T (Development/Test) Database]

Control: Masking non-production data
Product: Oracle Data Masking Pack

  • Persistently mask card numbers and any other sensitive information prior to instantiation in development or test databases

Caveat: masking keeps development and test databases free of cardholder data only if no real PAN reaches them by another route, such as production exports, backups or log files copied over for debugging.

PCI-DSS Compliance
Req 4: Encrypt transmission of cardholder data

[Diagram: Application / End-Users / DBA / Sysadmin / Database / Storage / D/T Database]

Control: Confidentiality (network encryption)
Product: Oracle Advanced Security

  • Transparently encrypt all network traffic into and out of Oracle Database
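How to verify from inside the database that the transparent network encryption on this slide is actually in force, as an added example that is not from the deck. The sqlnet.ora parameters that turn it on are quoted as comments because they are configuration, not SQL; the queries then show what each session negotiated, which is the evidence an assessor asks for under Req 4. No schema assumptions beyond the standard V$ views.

```sql
-- Added example (not from the deck). Native network encryption is switched on
-- in sqlnet.ora; the settings are quoted here as comments for reference.
--
-- Server side (ORACLE_HOME/network/admin/sqlnet.ora):
--   SQLNET.ENCRYPTION_SERVER = REQUIRED           -- weak setting: ACCEPTED (the
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)     -- default) lets a client that
--   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED      -- never asks for encryption
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)-- talk in cleartext
-- Client side uses the same names with the _CLIENT suffix. REQUIRED on the
-- server refuses connections from clients that cannot encrypt, which is the
-- only setting that guarantees Req 4 for every path into the database.

-- 1. What did my own session negotiate? Each session has one banner row per
--    loaded network service; the "adapter" rows name the cipher and digest
--    actually in use (e.g. "AES256 Encryption service adapter ...").
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- 2. Which current user sessions are NOT encrypted? A session with no
--    "Encryption service adapter" banner negotiated no cipher. Local bequeath
--    connections (no network layer) also appear here; filter them by
--    machine/program if they are expected.
SELECT s.sid, s.username, s.machine, s.program, s.logon_time
  FROM v$session s
 WHERE s.type = 'USER'
   AND NOT EXISTS (
         SELECT 1
           FROM v$session_connect_info c
          WHERE c.sid = s.sid
            AND c.network_service_banner LIKE '%Encryption service adapter%')
 ORDER BY s.logon_time;
```

Run query 2 before flipping the server setting from ACCEPTED to REQUIRED: every row it returns is a client (batch job, reporting tool, DBA desktop) that will stop connecting the moment encryption becomes mandatory.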

PCI-DSS Compliance - Monitoring
Req 10: Track and monitor all access

[Diagram: Application / End-Users / DBA / Sysadmin / Data Auditor / Database / Storage / D/T Database]

Control: Monitoring of data access
Product: Oracle Audit Vault

  • Monitor all data access attempts (successful or otherwise)
  • Supports fine-grained auditing rules (e.g. cardholder access only)
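The "cardholder access only" fine-grained auditing rule and the "successful or otherwise" point, as an added example that is not from the deck. Audit Vault consolidates what the source database records, so this shows the two database-side policies it would collect: a DBMS_FGA policy that fires only when the PAN columns are touched, and a standard object audit that also captures attempts that fail before execution. PAY.CARDS and its PAN and EXPIRY columns are hypothetical; traditional (pre-unified) auditing with AUDIT_TRAIL=DB,EXTENDED is assumed.

```sql
-- Added example (not from the deck). Hypothetical table PAY.CARDS (PAN, EXPIRY).
-- Assumes traditional auditing with the init parameter AUDIT_TRAIL=DB,EXTENDED;
-- on 12c+ with pure unified auditing the equivalent is CREATE AUDIT POLICY.

-- 1. Fine-grained audit: record a statement only when it references the PAN
--    or expiry columns, so the trail is cardholder access, not all traffic.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'PAY',
    object_name       => 'CARDS',
    policy_name       => 'PCI_PAN_ACCESS',
    audit_column      => 'PAN,EXPIRY',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,     -- any listed column triggers it
    statement_types   => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB_EXTENDED,     -- keep SQL text and bind values
    enable            => TRUE);
END;
/

-- 2. FGA fires during execution, so a statement refused at parse time
--    (ORA-01031 from a missing grant or a Database Vault realm) never reaches
--    it. Standard object auditing BY ACCESS records those failed attempts too,
--    with the error code in RETURNCODE (Req 10.2.4, invalid access attempts).
AUDIT SELECT, INSERT, UPDATE, DELETE ON pay.cards BY ACCESS;

-- 3. Review: who touched cardholder columns, from where, with which statement.
SELECT timestamp, db_user, os_user, userhost, statement_type, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PCI_PAN_ACCESS'
 ORDER BY timestamp DESC;

-- 4. Review: failed attempts against the table (RETURNCODE <> 0 is the ORA error).
SELECT timestamp, username, os_username, userhost, action_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner = 'PAY'
   AND obj_name = 'CARDS'
   AND returncode <> 0
 ORDER BY timestamp DESC;
```

Both trails (SYS.FGA_LOG$ and SYS.AUD$) live inside the database that the audited DBA administers, so on their own they do not satisfy Req 10.5 (audit trails that cannot be altered). Shipping them to a separate repository the DBA cannot reach, which is what Audit Vault does, is what makes the records usable as evidence.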

PCI-DSS Compliance - Testing
Req 11: Regularly test security systems and processes

[Diagram: Application / End-Users / DBA / Sysadmin / Data Auditor / Database / Storage / D/T Database; Oracle Configuration Management produces a Test Result per requirement (Req. 3, Req. 6, etc.) that supports the Attestation of Compliance presented to the PCI-DSS Auditor]

Control: Attestation of Compliance
Product: Oracle Configuration Management

  • Test and prove compliance to PCI-DSS

Agenda: Demonstration

Agenda: Case Study

Case Study: PCI-DSS Compliance, Australian Insurance Company

Business Challenges
  • Cardholder information being transmitted and stored
  • Implementing a COTS insurance application, so changes to the application were difficult or impossible
  • PCI-DSS audit impending

Solution
  • Oracle Advanced Security to implement column-based encryption for all cardholder-related columns
  • No changes to application required

Business Results
  • Achieved PCI-DSS compliance
  • No impact to application and minimal impact to project timelines

Questions
