Oracle E-Business Suite PCI DSS Credit Card Encryption

PCI requirement 3.4 mandates that the Primary Account Number (PAN) be rendered unreadable anywhere it is stored, using one-way hashes or strong encryption. The Oracle E-Business Suite Release 12 meets this requirement first by centralizing cardholder data (into the Secure Payments Repository) and then applying strong encryption to it.

Oracle Payments offers a choice of full or partial encryption, and of immediate or scheduled encryption. Which encryption options are selected should be the result of discussions with legal counsel, compliance and risk management.

Risk of Information Leakage from the Oracle E-Business Suite - Validation Levels

Through parameter and URL tampering, an attacker or nefarious insider can manipulate and/or construct URLs to expose information and/or attempt to circumvent Oracle E-Business Suite functionality, including parts of application security. Several profile options provide defense in depth against cross-site scripting (XSS), HTML injection attacks, and parameter and URL tampering. Setting these profile options to the recommended values below will contribute to reducing your information leakage risks.

If you have questions, please contact us.

Risk of Information Leakage from the Oracle E-Business Suite - Diagnostics

It is rare to find customers who are not using Diagnostics to support their Oracle E-Business Suite. However, Diagnostics is commonly overlooked as a source of information leakage. By design, Diagnostics should not be enabled in production, or, if it is, it should be enabled only at the user level and for a limited period of time. If your non-production instances have DMZ nodes, the same advice applies to them.

Risk of Information Leakage from the Oracle E-Business Suite

The Oracle E-Business Suite provides a large number of diagnostic and monitoring solutions. While these solutions offer comprehensive and in-depth information about your implementation, they can also be the source of serious information leakage. Especially if you have Internet-facing applications such as iStore, iSupplier or iRecruitment, you need to take steps to secure your implementation against accidental information leakage and provide as little information as possible to anyone who might want to attack you.

CPU, PSU, SPU - Oracle Critical Patch Update Terminology Update

It all started in January 2005 with Critical Patch Updates (CPU). Then Patch Set Updates (PSU) were added as cumulative patches that included priority fixes as well as security fixes. As of the October 2012 Critical Patch Update, Oracle has changed the terminology to better differentiate between patch types. This terminology will be used for the Oracle Database, Enterprise Manager, Fusion Middleware, and WebLogic.