Oracle E-Business Suite PCI DSS Compliance, Requirement 3.4 and Decryption Risk
PCI DSS Requirement 3.4 requires that PAN data be rendered unreadable anywhere it is stored unless it is otherwise protected. In Release 12, credit cardholder data can be decrypted at any time, as easily as it is encrypted, simply by running the request set “Decrypt Sensitive Data Request Set” or any of the individual programs within it.
Integrigy Corporation highly recommends removing the request set, as well as the concurrent programs within it, from all request groups and then disabling them (end-date the request set and disable its concurrent programs). If for any reason the programs need to be run at a later date, they can be re-enabled. This helps prevent accidental decryption along with nefarious attempts to access cardholder data.
Integrigy Corporation also highly recommends setting up special monitoring for these Decrypt Sensitive Data concurrent programs in production (non-production instances cannot contain live credit cardholder data per Requirement 6.4.3). Oracle Alert can be configured if no other monitoring tool exists. Whatever monitoring process is set up, it needs to be reviewed daily to ensure that these programs are not run.
When not in use, remove from all request groups and disable:
Request set (end-date)
- Decrypt Sensitive Data Request Set
Concurrent Programs (disable)
- Decrypt Credit Card Data
- Decrypt External Bank Account Data
- Decrypt Transaction Extension Data
- Decrypt Credit Card Transaction Data
- Payments Scheduled Decryption
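The two recommendations above (confirm the programs are disabled and unassigned, and check daily that none of them has been submitted) can both be verified with SQL against the standard Application Object Library tables. The queries below are an added example and are not code from Integrigy or from Oracle; they assume the usual FND_CONCURRENT_PROGRAMS, FND_CONCURRENT_PROGRAMS_TL, FND_REQUEST_SETS, FND_REQUEST_SETS_TL, FND_REQUEST_GROUP_UNITS, FND_REQUEST_GROUPS, FND_CONCURRENT_REQUESTS and FND_USER tables with their documented columns, and are run from the APPS schema. The 24-hour window in the monitoring query is a chosen value, not one the post prescribes.

```sql
-- Added example (not from the original post). Assumes standard Oracle EBS
-- Release 12 FND tables; run as APPS. Program names are the ones listed above.

-- 1a. Hardening check: each Decrypt concurrent program should be disabled
--     (ENABLED_FLAG = 'N') and must not appear in any request group.
--     Any row returned is a finding to remediate.
SELECT pt.user_concurrent_program_name,
       p.enabled_flag,
       rg.request_group_name
  FROM fnd_concurrent_programs       p
  JOIN fnd_concurrent_programs_tl    pt
    ON pt.concurrent_program_id = p.concurrent_program_id
   AND pt.application_id        = p.application_id
   AND pt.language              = USERENV('LANG')
  LEFT JOIN fnd_request_group_units rgu
    ON rgu.request_unit_type    = 'P'                 -- 'P' = program
   AND rgu.request_unit_id      = p.concurrent_program_id
   AND rgu.unit_application_id  = p.application_id
  LEFT JOIN fnd_request_groups    rg
    ON rg.request_group_id      = rgu.request_group_id
   AND rg.application_id        = rgu.application_id
 WHERE pt.user_concurrent_program_name IN (
         'Decrypt Credit Card Data',
         'Decrypt External Bank Account Data',
         'Decrypt Transaction Extension Data',
         'Decrypt Credit Card Transaction Data',
         'Payments Scheduled Decryption')
   AND (p.enabled_flag = 'Y' OR rg.request_group_name IS NOT NULL)
 ORDER BY pt.user_concurrent_program_name;

-- 1b. Hardening check: the request set itself should be end-dated and
--     absent from all request groups. Any row returned is a finding.
SELECT st.user_request_set_name,
       s.end_date_active,
       rg.request_group_name
  FROM fnd_request_sets              s
  JOIN fnd_request_sets_tl           st
    ON st.request_set_id = s.request_set_id
   AND st.application_id = s.application_id
   AND st.language       = USERENV('LANG')
  LEFT JOIN fnd_request_group_units rgu
    ON rgu.request_unit_type   = 'S'                  -- 'S' = request set
   AND rgu.request_unit_id     = s.request_set_id
   AND rgu.unit_application_id = s.application_id
  LEFT JOIN fnd_request_groups    rg
    ON rg.request_group_id = rgu.request_group_id
   AND rg.application_id   = rgu.application_id
 WHERE st.user_request_set_name = 'Decrypt Sensitive Data Request Set'
   AND (s.end_date_active IS NULL
        OR s.end_date_active > SYSDATE
        OR rg.request_group_name IS NOT NULL);

-- 2. Daily monitoring: every submission of a Decrypt program in the last
--    24 hours (window is an assumption), with the submitting user. In
--    production this should return no rows; any row warrants investigation.
SELECT r.request_id,
       pt.user_concurrent_program_name,
       u.user_name          AS submitted_by,
       r.request_date,
       r.phase_code,
       r.status_code
  FROM fnd_concurrent_requests     r
  JOIN fnd_concurrent_programs_tl  pt
    ON pt.concurrent_program_id = r.concurrent_program_id
   AND pt.application_id        = r.program_application_id
   AND pt.language              = USERENV('LANG')
  JOIN fnd_user                    u
    ON u.user_id = r.requested_by
 WHERE pt.user_concurrent_program_name IN (
         'Decrypt Credit Card Data',
         'Decrypt External Bank Account Data',
         'Decrypt Transaction Extension Data',
         'Decrypt Credit Card Transaction Data',
         'Payments Scheduled Decryption')
   AND r.request_date >= SYSDATE - 1
 ORDER BY r.request_date DESC;
```

The monitoring query depends on FND_CONCURRENT_REQUESTS still holding the rows, so its window must be shorter than the retention used by the "Purge Concurrent Request and/or Manager Data" program; if requests are purged more often than the review runs, capture the results to a separate table or use the select as the SQL for an Oracle Alert event that fires on insert. Matching on the translated program name keeps the query readable, but a query keyed on CONCURRENT_PROGRAM_NAME (the internal short name) would be more robust to renamed or localized display names.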
For further information on PCI compliance, Corporate Cards and the E-Business Suite please refer to our whitepaper in the link below.
If you have questions, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP