Creating clones and copies of production E-Business Suite databases is a regular occurrence. There are several PCI DSS requirements that apply to non-production instances of the Oracle E-Business Suite.
No Production Cardholder Data
The most important PCI DSS requirement that applies to non-production instances is requirement 6.4.3 which forbids production cardholder data to be used for development, testing, training and/or any other reason or purpose other than supporting business transactions in production. Production cardholder data cannot exist outside production. Non-production instances need to have production cardholder data either removed or scrambled.
Protect Production Encryption Keys
Requirement 3.5 governs the protection and management of encryption keys which when applied to non-production databases means that production encryption keys (specifically the Payment Wallet) cannot be copied to and/or exist in non-production instances. If, for whatever reason, the production wallet is copied to a non-production instance, the production encryption key MUST be rotated and the production wallet MUST be destroyed by a secure wipe (not just deleted from the file system). If the non-production instance is virtualized, depending on how memory is locked or shared to the guest, a secure wipe may be even more critical.
Building Non-Production Instances
The points below highlight the requirements to build non-production instances:
- The production Payment Wallet will need to be rotated and securely wiped if copied from production.
- The location of the Payment Wallet will need to be reset. Do not use SQL to update to table IBY_SYS_SECURITY_OPTIONS directly. The user interface must be used to update the file location.
- Remove, purge and/or scramble production cardholder data. Depending on requirements there are several options for creating and sanitizing cardholder data. These options make use of the fact that cardholder data (the PAN and supplemental data) is separate and different from the related business transaction and that the cardholder data is centralized within the Secure Payment Repository.
For further information on PCI compliance, Corporate Cards and the E-Business Suite please refer to our whitepaper in the link below.
If you have questions, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP
- Oracle E-Business Suite: Credit Cards and PCI Compliance
- PCI DSS 3.0 Compliance and the Oracle E-Business Suite