
Oracle Solutions for PCI-DSS Compliance

Chris Pickett, Principal Solution Architect, Enterprise Information Management, Oracle Corporation

Agenda
- PCI-DSS Overview
- Oracle Solutions
- Demonstration
- Case Study
- Q&A

PCI Data Security Standard


6 Major Control Areas, 12 Requirements

Build and Maintain a Secure Network
- Req 1: Install and maintain a firewall configuration to protect data
- Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Req 3: Protect stored data
- Req 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Req 5: Use and regularly update anti-virus software
- Req 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Req 7: Restrict access to data by business need-to-know
- Req 8: Assign a unique ID to each person with computer access
- Req 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Req 10: Track and monitor all access to network resources and cardholder data
- Req 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Req 12: Maintain a policy that addresses information security

PCI Data Security Standard


Requirements Covered Today


PCI-DSS Compliance - Encryption

Req 3: Protect Stored Data
Confidentiality (on-disk encryption): Oracle Advanced Security

[Diagram: End-Users, Application, DBA, Database, Sysadmin, Storage; encryption applied at the Database/Storage layer]

- Transparently encrypt data at a column or tablespace level
- PCI-DSS key management requirements supported by Oracle Wallet
- HSM appliances also supported
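The following is an added example, not from the deck, showing what the slide above and the case study later in the deck describe in Oracle Advanced Security (11g-era TDE syntax): a master key held in the Oracle Wallet, column-level encryption applied in place to an existing application table, and tablespace-level encryption for new segments. The schema PAYMENTS, the table CARD_TXN, the file path and the wallet password are placeholders; the wallet location is assumed to be already configured in sqlnet.ora.

```sql
-- Added example (not from the presentation). Names and paths are placeholders.
-- TDE protects data at rest: anyone reading datafiles, backups or exports from the
-- OS/storage layer sees ciphertext. A DBA or application with SELECT privilege still
-- sees plaintext, which is why Database Vault (Req 7) is layered on top.

-- 1. Create the master encryption key in the Oracle Wallet (done once per database).
--    The password protects the wallet file; it is not the encryption key itself.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";

-- After each instance restart the wallet must be opened before encrypted data is readable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password>";

-- 2. Column-level encryption on an existing table: the PAN column is rewritten encrypted
--    in place and the application keeps issuing the same SQL (the case-study approach).
--    NO SALT is mandatory only if the column is indexed; the default SALT is preferable
--    for a PAN that is never searched by equality, since it hides repeated values.
ALTER TABLE payments.card_txn MODIFY (card_number ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE payments.card_txn MODIFY (expiry_date ENCRYPT USING 'AES256');

-- 3. Tablespace-level encryption: every segment created in this tablespace (tables,
--    indexes, LOBs) is encrypted on disk, with no per-column DDL needed.
CREATE TABLESPACE cardholder_enc
  DATAFILE '/u01/oradata/ORCL/cardholder_enc01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Evidence for the assessor: which columns and tablespaces are encrypted, and how.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'PAYMENTS';

SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'CARDHOLDER_ENC';
```

Encrypting an existing column rewrites the whole table, so on a large transaction table it is planned as an outage or done with online redefinition; the wallet file itself must be backed up separately from the database, because a backup without the wallet is unreadable.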

PCI-DSS Compliance - SoD

Req 7: Restrict access to data by business need-to-know
Segregation of Duties: Oracle Database Vault

[Diagram: End-Users, Application, DBA, Database, Sysadmin, Storage; Database Vault enforces controls between the DBA and the Database]

- Enforce Segregation of Duties for DBA and other highly-privileged users
- Enforce access control at the database level on any end-user access attempts outside authorised applications

PCI-DSS Compliance - Non-Prod Envs

Req 7: Restrict access to data by business need-to-know
Masking Non-Production Data: Oracle Data Masking Pack

[Diagram: End-Users, D/T (Development/Test) Database, Application, DBA, Database, Sysadmin, Storage; masking applied on the path from the production Database to the D/T Database]

- Persistently mask card number and any other sensitive information prior to instantiation in Development or Test databases

PCI-DSS Compliance - Network Encryption

Req 4: Encrypt transmission of cardholder data
Confidentiality (network encryption): Oracle Advanced Security

[Diagram: End-Users, D/T Database, Application, DBA, Database, Sysadmin, Storage; encryption applied to network traffic between clients and the Database]

- Transparently encrypt all network traffic into and out of Oracle Database

PCI-DSS Compliance - Monitoring

Req 10: Track and monitor all access
Monitoring of data access: Oracle Audit Vault

[Diagram: End-Users, D/T Database, Application, DBA, Database, Sysadmin, Storage; a Data Auditor reviews access records collected in Audit Vault]

- Monitor all data access attempts (successful or otherwise)
- Supports fine-grained auditing rules (e.g. cardholder access only)
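An added example, not from the deck, of the kind of fine-grained auditing rule the slide above refers to: a DBMS_FGA policy on the database that fires only when a statement actually touches the card-number column, regardless of which account runs it, producing the records Audit Vault then collects. Schema PAYMENTS, table CARD_TXN and column CARD_NUMBER are placeholder names.

```sql
-- Added example (not from the presentation). Object names are placeholders.
-- Unlike standard object auditing, which records every statement against the table,
-- this policy records only statements that reference the PAN column, so the audit
-- trail stays small while still covering both successful and failed reads.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'PAYMENTS',
    object_name       => 'CARD_TXN',
    policy_name       => 'PCI_CARD_NUMBER_ACCESS',
    audit_column      => 'CARD_NUMBER',            -- fire only when the PAN is touched
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,     -- ...by any listed column, not all
    audit_condition   => NULL,                     -- no further filter: audit every session
    statement_types   => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- keep SQL text and bind values
    enable            => TRUE);
END;
/

-- What the auditor reviews: who accessed PANs, from which host, and the exact SQL.
-- A row with a non-null bind list shows the PAN values that were queried for.
SELECT db_user, os_user, userhost, timestamp, statement_type, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PCI_CARD_NUMBER_ACCESS'
 ORDER BY timestamp DESC;
```

Because the trail lives in the same database the DBA administers, it should be forwarded to a separate store (the role Audit Vault plays on the slide) so that a privileged user cannot quietly delete their own records.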

PCI-DSS Compliance - Testing

Req 11: Regularly test security systems and processes
Attestation of Compliance: Oracle Configuration Management

[Diagram: End-Users, D/T Database, Application, DBA, Database, Sysadmin, Storage; a Data Auditor and a PCI-DSS Auditor review a table of compliance test results per requirement (Test / Result, Req. 3, Req. 6, etc.)]

- Test and prove compliance to PCI-DSS


Case Study - PCI-DSS Compliance

Australian Insurance Company

Business Challenges
- Cardholder information being transmitted and stored
- Implementing COTS insurance application; changes to the application difficult/impossible
- PCI-DSS audit impending

Solution
- Oracle Advanced Security to implement column-based encryption for all cardholder-related columns
- No changes to application required

Business Results
- Achieved PCI-DSS compliance
- No impact to application and minimal impact to project timelines

Questions
