Oracle E-Business Suite PCI Compliance
The next few blog postings will focus on PCI and the Oracle E-Business Suite. All Oracle E-Business Suite implementations that "store, process, or transmit cardholder data" must comply with Payment Card Industry (PCI) Data Security Standard regardless of size or transaction volume. The PCI Data Security Standard (DSS) is a set of stringent security requirements for networks, network devices, servers, and applications. PCI DSS details specific requirements in terms of security configuration and policies and all the requirements are mandatory. PCI DSS is focused on securely handling credit card data, but also has a significant emphasis on General IT security controls.
To meet PCI DSS requirements for an environment, even though credit card processing may be only one minor feature of the application, the entire application installation and the entire environment must be fully PCI DSS compliant. In a large global implementation that may include financials, manufacturing, projects, sales/CRM or human resources, PCI compliance can be a daunting endeavor and will impact operations and management of the non-card processing modules as well as the underlying supporting environment.
Basic Guidelines for PCI DSS
- Do not store sensitive authentication data
- Do not store cardholder data unless it’s absolutely necessary
- Use strong cryptography to render unreadable cardholder data that you do store
- Do not permit any unauthorized people to access stored cardholder data
- Understand the data flow for the entire transaction process
How do you know if PCI is enabled?
The Oracle E-Business Suite’s standard functionality to help meet PCI compliance is disabled by default. The functionality must be manually enabled. The following is a quick check to confirm if one of the basic E-Business Suite configurations is set for the encryption of credit cards. If the select statement below returns a value of ‘None’ then PCI is not enabled. If you see ‘SCHEDULED’ OR ‘IMMEDIATE’ then PCI, or parts of it, may be enabled. For further information please refer to our whitepaper in the link below.
select cc_encryption_mode from iby.iby_sys_security_options
In the next blog posting we will review a common question with regard to Corporate Cards, PCI compliance and the E-Business Suite.
If you have questions, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP