Oracle E-Business Suite, PCI Compliance and the Secure Payments Repository
Continuing this blog series on PCI compliance and the Oracle E-Business Suite, this posting focuses on the Secure Payments Repository. New with Release 12 of the E-Business Suite, credit card processing and data storage within Oracle Financials, for customers' and vendors' card data, are now done within the Secure Payment Data Repository within Oracle Payments. It is through this new standard functionality built into the Secure Payment Data Repository that PCI DSS compliance can be met.
With Release 12, the Oracle E-Business Suite has eleven modules that use Oracle Payments for the processing and storage of cardholder data. Only these eleven products can be configured to meet PCI DSS requirements through the PA DSS functionality provided by Oracle Payments. From the release notes for the Oracle Payment Application Data Security Standard (PA DSS) Consolidated Patch Release 12.1.2 (Doc ID 981033.1), the following list of products now use the Secure Payment Repository:
Oracle Modules using the Secure Payment Repository
Secure Payment Repository
With Release 12, the Trading Community Architecture (TCA) defines party information (e.g. suppliers and customers) and the Secure Payment Data Repository stores the payment instruments (credit cards and bank accounts) for the parties. It is through this consolidation of payment instruments into the Secure Payment Repository that Oracle Payments offers its new functionality for the encryption and masking of payment instruments to meet the PA DSS requirements.
The key point to note is that only those products identified above make use of the Secure Payment Repository. More importantly, the PA DSS functionality provided by the Secure Payment Repository is NOT enabled by default. The steps to enable it will be reviewed in the next blog posting.
For further information on PCI compliance, Corporate Cards and the E-Business Suite, please refer to our whitepaper in the link below.
If you have questions, please contact us at email@example.com
-Michael Miller, CISSP-ISSMP