Oracle Applications 11i and PCI Compliance

The recent OAUG "Automating Compliance Survey" (OAUG login required) showed 7% of the organizations surveyed responded as being compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), while 19% were in the process of planning or implementing and 71% were either not planning or not sure about PCI compliance.  Having 71% of the organizations respond "not planning/not sure" seems a little high to me since all Oracle Applications implementations that "store, process, or transmit credit card data" must comply with Payment Card Industry (PCI) Data Security Standard 1.1 regardless of size or transaction volume.  This means 71% of the respondents either don't handle any credit cards in their Oracle Applications environments or there were a lot of "not sure" responses.

Let me step back first and provide a brief background of PCI compliance.  The PCI Data Security Standard (DSS) 1.1 is a set of stringent security requirements for networks, network devices, servers, and applications.  The standard details specific requirements in terms of security configuration and policies and all the requirements are mandatory.  PCI DSS is focused on securely handling credit card data, but also has a significant emphasis on general IT security.  Even if you are not required to have annual on-site audits, perform quarterly scans, complete annual self-assessment questionnaires, or submit compliance documentation, "nevertheless must comply with, and are subject to liability under, all other provisions of" the then-current Payment Card Industry Data Security Standard.

The difficultly with Oracle Applications and achieving PCI compliance is that even though credit card processing may be only a one minor feature of the application, the entire application installation must be fully PCI DSS compliant due to the tight-integration and data model of Oracle Applications.  One of the key requirements is that all credit card numbers are encrypted in the database and only recently has Oracle included such functionality in Oracle Applications.

For those organizations that have completed SOX audits and remediation, the level of difficulty associated with PCI compliance is in the eye-of-the-beholder.  For those IT managers and DBAs who struggled with broadness and poor definition around SOX requirements will welcome PCI as it is a well-defined and documented standard.  On the other hand, it provides for few exceptions related to compensating controls.

To help Oracle Applications implementations sort through PCI compliance issues, we have compiled from some recent work general guidance for each PCI requirement related to the installation and configuration of Oracle Applications.  This whitepaper also provides details on the Oracle Applications Credit Card Encryption Patch (see Metalink Note ID 338756.1).

Whitepaper: Oracle Applications 11i: Credit Cards and PCI Compliance Issues