To understand how the Oracle E-Business Suite's standard functionality can help meet PCI compliance, it is useful to know the difference between what Oracle deems external and internal accounts.
A common question we receive is about Corporate Cards and PCI compliance. Corporate Cards, credit cards held by employees for corporate purposes, are not usually subject to the scope of PCI DSS compliance. Corporate Cards are classified as internal accounts and PCI DSS applies only to external accounts. The full definition of internal vs.
The next few blog postings will focus on PCI and the Oracle E-Business Suite.
PCI requirement 3.4 mandates that the Primary Account Number (PAN) is unreadable anywhere it is stored using one-way hashes or strong encryption. The Oracle E-Business Suite Release 12 meets this requirement first by centralizing cardholder data (into the Secure Payments Repository) and then applying strong encryption.
Oracle Payments offers two modes of encryption, full or partial, as well as immediate or scheduled. Which encryption options are selected should be the result of discussions with legal counsel, compliance and risk management.
Through parameter and URL tampering an attacker, or a nefarious insider, can manipulate or construct URLs to expose information or attempt to circumvent Oracle E-Business Suite functionality, including parts of application security. Several profile options provide defense in depth against cross-site scripting (XSS), HTML injection, and parameter and URL tampering. Setting these profile options to the recommended values below will help reduce your information leakage risk.
If you have questions, please contact us.
Attached files are an information leakage risk for the Oracle E-Business Suite. There are two sources, and the second is not commonly recognized.
It is rare to find customers who are not using Diagnostics to support their Oracle E-Business Suite. However, Diagnostics is commonly overlooked as a source of information leakage. By design, Diagnostics should not be enabled in production, or if it is, it should be enabled only at the user level and for a limited period of time. If your non-production instances have DMZ nodes, then the same advice applies.
The Oracle E-Business Suite provides a large number of diagnostic and monitoring solutions. While these solutions offer comprehensive and in-depth information about your implementation, they can also be the source of serious information leakage. Especially if you have Internet-facing applications such as iStore, iSupplier or iRecruitment, you need to take steps to secure your implementation against accidental information leakage and provide as little information as possible to anyone who might want to attack you.
As of December 1, 2013, Oracle E-Business Suite 11.5.10 moved into Sustaining Support. Normally, Oracle Sustaining Support does not include security fixes in the form of Critical Patch Updates. However, for 11.5.10 there is an exception until December 2015: Severity 1 fixes, payroll/1099 updates, and Critical Patch Updates will continue to be available.
It all started in January 2005 with Critical Patch Updates (CPU). Then Patch Set Updates (PSU) were added as cumulative patches that included priority fixes as well as security fixes. As of the October 2012 Critical Patch Update, Oracle has changed the terminology to better differentiate between patch types. This terminology will be used for the Oracle Database, Enterprise Manager, Fusion Middleware, and WebLogic.
Upcoming Webinar: Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues
Thursday, August 16, 2:00pm - 3:00pm EDT