Emtec, Inc. Proprietary & Confidential. All rights reserved 2015.
PCI Compliance: How To Remain Compliant And Gain Near Real Time Analytics
By: John Gillespie
What We Will Cover…
• Background
• PCI Standards
• Compliance Mapping / Tools
• Near Real-Time Reporting (Oracle EBS)
• Questions
BACKGROUND - WHAT IS PCI DSS
• Payment Card Industry Data Security Standard (PCI DSS)
–Developed by 5 major payment processing companies to reconcile their individual programs into a single set of payment security requirements
–The primary purpose of PCI DSS is to protect cardholder data and prevent fraud
–Version 3.1 of the standard (April 2015)
https://www.pcisecuritystandards.org
PCI DSS APPLICABILITY
• According to the PCI Security Standards Council, PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.
Account Data                  | Data Element           | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4
------------------------------|------------------------|-------------------|---------------------------------------------------
Cardholder Data               | Primary Account Number | Yes               | Yes
                              | Cardholder Name        | Yes               | No
                              | Service Code           | Yes               | No
                              | Expiration Date        | Yes               | No
Sensitive Authentication Data | Full Track Data        | No                | Cannot store per Requirement 3.2
                              | CAV2/CVC2/CVV2/CID     | No                | Cannot store per Requirement 3.2
                              | PIN/PIN Block          | No                | Cannot store per Requirement 3.2
SCOPE OF PCI DSS
• Systems that provide security services, such as firewalls, routers, switches, DNS, etc.
• Virtualized infrastructure such as hypervisors, virtual servers / desktops and virtualized network infrastructure.
• Network infrastructure providing end-point connectivity, including wireless infrastructure.
• Servers hosting services such as NTP, DNS, HTTP/HTTPS, FTP, SFTP, database protocols, authentication protocols, and mail protocols.
• Purchased (COTS) and custom applications.
• Any other unspecified component existing within or connected to the Cardholder Data Environment (CDE).
BUSINESS AS USUAL AS A BEST PRACTICE
• Organizations that already have an audit and compliance approach to conducting business, such as companies subject to GLBA, SOX404, JSOX, and HIPAA regulations, have an inherent leg up because the control design has already been defined.
• A control is a process for ensuring that a function, automated or manual in nature, is operable, effective and reliable. Controls and their design are never intended to be absolute, but reasonable and commensurate with the inherent risk.
• Segregated into:
–Monitoring of Security
–Detection of Failures and Deficiencies
–Configuration Change Management
–Organizational Change Management
–Periodic Assessment
–Periodic Review of Hardware and Software Technologies
THE TWELVE COMPLIANCE REQUIREMENTS FOR PCI DSS
AUDIT & COMPLIANCE ASSESSMENT PROGRAM
• Define the scope
• Perform the assessment
• Complete the Report on Compliance (ROC)
• Complete the Self-Assessment Questionnaire (SAQ)
• Compliance validation reports (Attestations of Compliance)
• Submit the SAQ and/or ROC along with the Attestation of Compliance to the merchant / service provider
• IMPORTANT NOTE: PCI DSS requirements are not considered to be in place if controls have not yet been implemented or are scheduled to be completed at a future date. After any open or not-in-place items are addressed by the entity, the assessor will reassess to validate that the remediation is complete and that all requirements are satisfied.
ORACLE TOOLS FOR COMPLIANCE
• Of the 12 PCI DSS Requirements, Oracle tools can assist in fulfilling 6:
• Requirement 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
• Requirement 3: PROTECT STORED CARDHOLDER DATA
• Requirement 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
• Requirement 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
• Requirement 8: IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
• Requirement 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
WHICH ORACLE TOOLS ARE REQUIRED
Requirement / Oracle Capability

Requirement 2
Standard configuration of Oracle Database user accounts. Oracle Enterprise Manager provides out-of-the-box configuration scans based on Oracle, customer policy, and industry commonly accepted practices. OEM also provides Oracle Database discovery, provisioning and patching.
Oracle Audit Vault and Database Firewall consolidates audit data from across Oracle, Microsoft SQL Server, IBM DB2 for LUW, SAP Sybase ASE and Oracle MySQL databases, in addition to Windows and Linux platforms.
Oracle Audit Vault and Database Firewall can report and alert on audit data. Oracle Database Vault separation of duties prevents unauthorized administrative actions in the Oracle Database.
Oracle Database custom installation allows specific components to be installed or removed. Oracle Database provides network encryption (SSL/TLS and native) to encrypt all traffic over SQL*Net between the middle tier and the database, between clients and the database, and between databases. Additionally, some administrative tools, such as Enterprise Manager, provide a restricted-use SSL license to protect administrative traffic.

Requirement 3
Applications can leverage Virtual Private Database (VPD) with a column-relevant policy to mask out the entire number. Oracle Advanced Security with Data Redaction can consistently mask displayed data within applications. Oracle Data Masking protects production data used in non-production environments for testing and QA. Security controls provided by Oracle Label Security can help determine who should have access to the number. Oracle Database Vault realms can be used to prevent privileged users from accessing application data. In Oracle EBS, Oracle Wallet can be implemented to encrypt IBY transactions.
Oracle Advanced Security transparent data encryption (TDE), column encryption, and tablespace encryption can be used to transparently encrypt the Primary Account Number in the database and in backups on storage media. Oracle Advanced Security TDE column encryption provides the ability to independently re-key the master encryption key and/or the table keys. Starting with Oracle Database 11g Release 2, the master encryption key for TDE tablespace encryption can be re-keyed as well. For PCI compliance, re-keying (rotating) the master encryption key is often sufficient.
Oracle RMAN with Oracle Advanced Security can encrypt (and compress) the entire backup when backed up to disk. Oracle Data Pump with Oracle Advanced Security can encrypt (and compress) an entire database export file. Encryption algorithms supported include AES with 256, 192, or 128 bit key length, as well as 3DES168.
Designated individuals like a DBA or Database Security Administrator (DSA) need to know the wallet password or the HSM authentication string and have the 'alter system' privilege in order to open the wallet or HSM and make the master encryption key available to the database. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to perform secure key distribution.
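As an added example (not from the Emtec deck and not Oracle's own sample code) that ties the account-data storage table above to the Requirement 3 controls just listed: a hypothetical APP.CARD_PAYMENTS table that stores only the permitted data elements, with the PAN held in a TDE-encrypted column, nulled for most sessions by a VPD column-relevant policy, partially redacted with Data Redaction, and re-keyed. The schema, table and account names and the wallet password are assumptions; the syntax is Oracle Database 11g Release 2 (Data Redaction needs 11.2.0.4 or later).

```sql
-- Added example, not from the deck. Assumed: schema APP, table CARD_PAYMENTS,
-- accounts SETTLEMENT_OPS and PCI_AUDITOR. Run as a DBA after the wallet is open:
--   ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password>";

-- 1. Store only permitted data elements (PAN, name, expiry, service code).
--    There is deliberately no column for CVV2, track data or PIN block:
--    Requirement 3.2 forbids storing them at all. The PAN sits in a TDE-
--    encrypted column so it is unreadable on disk and in backups (3.4).
--    NO SALT is required if the column is going to be indexed.
CREATE TABLE app.card_payments (
  payment_id     NUMBER        PRIMARY KEY,
  cardholder     VARCHAR2(100),
  pan            VARCHAR2(19)  ENCRYPT USING 'AES256' NO SALT,
  expiry_yyyymm  VARCHAR2(6),
  service_code   VARCHAR2(3),
  amount         NUMBER(12,2)
);

-- 2. VPD column-relevant policy: the predicate is true only for the
--    settlement and audit accounts. With ALL_ROWS every other session still
--    gets every row, but the PAN column comes back NULL ("mask out the
--    entire number") instead of the rows being filtered away.
CREATE OR REPLACE FUNCTION app.pan_mask_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  RETURN q'[SYS_CONTEXT('USERENV','SESSION_USER') IN ('SETTLEMENT_OPS','PCI_AUDITOR')]';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CARD_PAYMENTS',
    policy_name           => 'PCI_PAN_COLUMN_MASK',
    function_schema       => 'APP',
    policy_function       => 'PAN_MASK_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PAN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- 3. Data Redaction: sessions that pass the VPD predicate but are not the
--    auditor see only the last four digits of a 16-digit PAN
--    (REDACT_CCN16_F12 is 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12').
--    Redaction changes what is displayed, never what is stored.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CARD_PAYMENTS',
    policy_name         => 'PCI_PAN_REDACT',
    column_name         => 'PAN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_CCN16_F12,
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'PCI_AUDITOR']');
END;
/

-- 4. Key rotation (Requirement 3.6): re-key the table key, then the TDE
--    master key. Re-keying the master key only re-wraps the table keys;
--    the ciphertext already in the column is not rewritten.
ALTER TABLE app.card_payments REKEY USING 'AES256';
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";

-- Resulting view of the PAN column, per session:
--   PCI_AUDITOR     full PAN (every such read is a candidate for auditing)
--   SETTLEMENT_OPS  ************1234
--   anyone else     NULL
```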
WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
Requirement 6
Oracle follows the Common Vulnerability Scoring System (CVSS) when providing severity ratings for bug fixes released in Critical Patch Updates (CPUs). Enterprise User Security, an Oracle Database Enterprise Edition feature, combined with Oracle Identity Management, gives the ability to centrally manage database users and their authorizations in one central place. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager enables the separation of privileges, manages self-service requests to privileged accounts, and provides auditing and reporting of password usage. Oracle Database Vault can help to protect DBA access to production data in Oracle Databases.
Oracle Data Masking de-identifies payment card numbers, and other sensitive information, for testing and development environments. Database change control procedures can be automated with Oracle Change Management. BPEL Process Manager can also be used for process management of change control and security procedures in general.

Requirement 7
Oracle Label Security provides additional security attributes based on need-to-know or “least-privilege” requirements. Oracle Virtual Private Database provides basic runtime masking. Oracle Data Redaction removes or masks sensitive application data fields based on organizational and regulatory policy combined with the requestor’s entitlements. Oracle Database object privileges and database roles provide basic security. Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data. Oracle Identity Analytics defines roles to provide granular definition of jobs and functions, as well as short-term assignments.
Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data based on role, job function, department, location, and/or other variables. This can be triggered automatically from the HR (HCM) system.

Requirement 8
Oracle Database authentication supports dedicated user accounts, and strong authentication capabilities, including Kerberos. Oracle Identity Governance Suite provides enterprise user provisioning using an automated workflow and central repository. Users are automatically de-provisioned when they are no longer active. Privileged access should be managed on an exception basis with one-time passwords (OTP). Extensive monitoring of privileged and/or support access provides assurance that personnel are only performing authorized activities.
Oracle Access Management Suite provides centralized application-layer access control, authorization and authentication. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager is a secure password management solution designed to generate, provision, and manage access to passwords. Repeated access attempts can trigger an account lockout, and the number of attempts and the remediation process are configurable. Oracle Access Management Suite supports strong authentication (tokens, smart cards, X.509 certificates, forms) as well as passwords.
Oracle Access Manager includes self-service password reset with policies that can meet the complexity requirements of PCI DSS 3.1.
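An added example, not from the deck: the lockout, rotation and complexity rules the slide attributes to Oracle Access Management, expressed instead as a database profile and password verify function for the dedicated database accounts Requirement 8 calls for. The thresholds are the PCI DSS 3.1 minimums (8.1.6 six attempts, 8.1.7 thirty-minute lockout, 8.1.8 fifteen-minute idle timeout, 8.2.3 seven alphanumeric characters, 8.2.4 ninety days, 8.2.5 last four passwords); the profile, function and account names are assumptions.

```sql
-- Added example, not from the deck. PCI_VERIFY_PASSWORD, PCI_DB_USER and
-- SETTLEMENT_OPS are assumed names. The verify function must be owned by SYS,
-- and IDLE_TIME is only enforced when the instance runs with RESOURCE_LIMIT = TRUE.
CREATE OR REPLACE FUNCTION sys.pci_verify_password (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2) RETURN BOOLEAN
IS
BEGIN
  -- 8.2.3: at least seven characters containing both letters and digits
  IF LENGTH(password) < 7 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 7 characters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must contain letters and digits');
  END IF;
  -- Reject passwords that embed the account name (vendor-default style values)
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must not contain the user name');
  END IF;
  -- Reject a case-only change of the previous password; the reuse history
  -- itself is enforced by PASSWORD_REUSE_MAX / PASSWORD_REUSE_TIME below
  IF old_password IS NOT NULL AND UPPER(old_password) = UPPER(password) THEN
    RAISE_APPLICATION_ERROR(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

CREATE PROFILE pci_db_user LIMIT
  FAILED_LOGIN_ATTEMPTS    6      -- 8.1.6: lock the account after six attempts
  PASSWORD_LOCK_TIME       1/48   -- 8.1.7: 30 minutes (the unit is days)
  PASSWORD_LIFE_TIME       90     -- 8.2.4: change at least every 90 days
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       4      -- 8.2.5: none of the last four passwords
  PASSWORD_REUSE_TIME      365    -- both REUSE_* limits must be set for either to apply
  IDLE_TIME                15     -- 8.1.8: re-authenticate after 15 idle minutes
  PASSWORD_VERIFY_FUNCTION pci_verify_password;

-- 8.1.1: every individual gets a dedicated account, and each one gets the profile
ALTER USER settlement_ops PROFILE pci_db_user;

-- What an assessor would read back to confirm the limits are in place
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'PCI_DB_USER'
 ORDER BY resource_name;
```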
WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
Requirement 10
Oracle Audit Vault and Database Firewall collects and centralizes database and system audit data for enterprise reporting and alerting. Oracle Database Vault audit trails can be collected in Oracle Audit Vault and Database Firewall. Oracle Database Fine Grained Auditing (FGA) enables audit policies to be associated with columns in application tables along with the conditions necessary for an audit record to be generated. Audit trails can be collected in Oracle Audit Vault and Database Firewall for reporting.
Oracle Database Conditional Auditing provides highly selective and effective auditing by creating records based on the context of the database session. Out-of-policy connections can be fully audited while no data will be generated for others.
–Oracle Database Vault realms and separation of duties for more stringent controls on database administration
–Oracle Database Vault realm reports
–Oracle Audit Vault and Database Firewall audit data consolidation for enterprise reports and alerting
–Oracle Identity Governance Suite
–Oracle Access Management Suite audit reports
–Oracle Identity Analytics
Customized reports can be generated using Oracle Application Express, Oracle BI Publisher and 3rd party tools. Oracle Access Management Suite and Identity Manager provide logs of all user activity and provisioning/de-provisioning.
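An added example, not from the deck: Fine Grained Auditing on the PAN column of a hypothetical APP.CARD_PAYMENTS table, the query that Audit Vault would otherwise centralize, and a 12c conditional (unified) audit policy that records out-of-policy connections in full and nothing for in-policy ones. The object and policy names and the middle-tier address range are assumptions.

```sql
-- Added example, not from the deck. APP.CARD_PAYMENTS, the policy names and
-- the 10.20.0.% EBS middle-tier range are assumptions.

-- 1. FGA (Requirement 10.2.1, individual user access to cardholder data): an
--    extended record (SQL text plus bind values) is written only when the
--    statement actually references the PAN column. audit_condition NULL means
--    no further filter; a condition such as 'AMOUNT > 10000' would narrow it.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CARD_PAYMENTS',
    policy_name     => 'PCI_PAN_ACCESS',
    audit_condition => NULL,
    audit_column    => 'PAN',
    statement_types => 'SELECT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 2. Who read or changed PANs in the last 24 hours: the same records Audit
--    Vault and Database Firewall would collect centrally for reporting/alerting
SELECT timestamp, db_user, os_user, userhost, statement_type, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PCI_PAN_ACCESS'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- 3. Conditional auditing (Oracle Database 12c, unified auditing enabled):
--    the condition is evaluated once per session, so a session reaching the
--    table from outside the EBS middle tier is audited in full, while an
--    in-policy application session generates no audit data at all.
CREATE AUDIT POLICY pci_out_of_policy_access
  ACTIONS SELECT ON app.card_payments,
          UPDATE ON app.card_payments,
          DELETE ON app.card_payments
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') NOT LIKE ''10.20.0.%'''
  EVALUATE PER SESSION;
AUDIT POLICY pci_out_of_policy_access;

-- 4. Read the out-of-policy activity back from the unified trail
SELECT event_timestamp, dbusername, client_program_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%PCI_OUT_OF_POLICY_ACCESS%'
 ORDER BY event_timestamp DESC;
```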
CHALLENGES
• Native reporting is difficult and sometimes non-existent or poorly formatted
• Interim / point-in-time reporting does not exist
• The IBY / Payments infrastructure is difficult to join to, due to encryption
• Seeded reporting is completely reliant on legacy RDFs
• Transaction tracing through the settlement process is difficult without custom extract development or professional services
HOW HAVE WE SOLVED THIS QUANDARY
• Aside from helping your company comply with the rules and regulations of PCI DSS, we have developed a “Materialized View” for customers running Oracle E-Business Suite that allows for interim reporting of:
–Fully accounted transactions in Receivables, Payables, Subledger Accounting and Payments (both Processor and Gateway models)
–Partially accounted credit card transactions that have not yet been settled, by leveraging the ISO 8583 payment specification. This method allows credit card risk to be determined prior to settlement, based upon the floor-limit pre-authorization
–Grouping of the extract by tender type to determine the interchange rate and the discount / fees that are booked on a period basis
–Ability to be secured with native Oracle security and RBAC (Role Based Access Controls)
–Credit card transaction errors for root cause analysis (Auth, Pre-Settlement and Post-Settlement)
–The view leverages Microsoft Excel via XML Publisher to manipulate data
PORTABLE DATA FOR ANALYTICS
OUR COMPANY (infographic slide; only the recoverable text is kept): Technology Empowered Business Solutions; “right size provider”; “client for life”; over 17 years serving clients; 500 dedicated associates; Best Places to Work 2012.
GLOBAL DELIVERY: India (Pune, Bangalore); USA (IL, PA, NJ, GA, VA, MN, FL); Canada (Toronto, Ottawa); onshore, offshore, nearshore and blended managed services.
OUR PEOPLE: fulltime employees; 87% from prior tier 1 consultancies; 14 avg. years experience; 25+ other partners.
OUR SERVICES: Advisory (strategy, governance, process); Applications (ERP, HCM, CRM, app. development, mobile solutions); Cloud (applications, infrastructure); Analytics (enterprise reporting, predictive analytics, big data); Infrastructure (service management, enterprise infrastructure, end user computing).
Business and Technology Empowered
An Exciting Year For Emtec… And Our Clients!
Vertical Focus
• Strategy
• Enterprise Solutioning
• Management Consulting
• Line of Business Expertise
Advisory Services Expansion: Services, GEO, Vertical, SMAC
Emtec Services Align Well with each stakeholder community
ENTERPRISE SUITE / SALES & MARKETING
• 360 degree view of the customer
• Sales force automation
• Customer Service
• Marketing Automation
• Customer and Product Data Management
• BI / Analytics
HCM
• Workforce Planning
• HR Analytics
• Talent Management
• Employee Self-Service
• Performance Management
• Total Compensation
CFO / FINANCE
• Budget & Planning
• Financial Close Mgmt
• Procure to Pay
• SEC Reporting
• Financial Analytics
• Cash Management
OPERATIONS
• Forecasting
• Operational Analytics
• ERP
• Project Costing
TECHNOLOGY
• Advisory Services
• Application Development & Maintenance services
• Business Intelligence & Big Data
• Cloud Strategy and Implementation
• Independent Verification & Validation
• Infrastructure Services
• Managed Services
• IT Service Management
• Procurement Services
• Business Strategy
• Managed Services & Outsourcing
• Advisory Services
• Analytics
• Governance
The POWER of Emtec
THANK YOU FOR YOUR TIME
Please visit us online at www.emtecinc.com
THANK YOU FOR YOUR TIME
Please visit us online at www.emtecinc.com

Más contenido relacionado

La actualidad más candente

Mious case study presentation (2)
Mious   case study presentation (2)Mious   case study presentation (2)
Mious case study presentation (2)
Emtec Inc.
 
Wincere Best Practices
Wincere Best PracticesWincere Best Practices
Wincere Best Practices
Wincere
 

La actualidad más candente (20)

FDM vs FDMEE: What you Need to Know - Emtec, Inc.
FDM vs FDMEE: What you Need to Know - Emtec, Inc.FDM vs FDMEE: What you Need to Know - Emtec, Inc.
FDM vs FDMEE: What you Need to Know - Emtec, Inc.
 
Considering Change? Lawson to Microsoft GP Comparison Webinar
Considering Change? Lawson to Microsoft GP Comparison WebinarConsidering Change? Lawson to Microsoft GP Comparison Webinar
Considering Change? Lawson to Microsoft GP Comparison Webinar
 
COA Design Changes, and the Impact on your Ability to Report and Analyze your...
COA Design Changes, and the Impact on your Ability to Report and Analyze your...COA Design Changes, and the Impact on your Ability to Report and Analyze your...
COA Design Changes, and the Impact on your Ability to Report and Analyze your...
 
CFO ERP Considerations: Cloud, On-Premise, and Beyond - Emtec, Inc.
CFO ERP Considerations: Cloud, On-Premise, and Beyond - Emtec, Inc.CFO ERP Considerations: Cloud, On-Premise, and Beyond - Emtec, Inc.
CFO ERP Considerations: Cloud, On-Premise, and Beyond - Emtec, Inc.
 
Globalizing Your Financial Systems - Emtec, Inc.
Globalizing Your Financial Systems - Emtec, Inc.Globalizing Your Financial Systems - Emtec, Inc.
Globalizing Your Financial Systems - Emtec, Inc.
 
Leveraging Packaged Analytics when Implementing your ERP
Leveraging Packaged Analytics when Implementing your ERPLeveraging Packaged Analytics when Implementing your ERP
Leveraging Packaged Analytics when Implementing your ERP
 
Learn How Herman Miller Modernized Their HR
Learn How Herman Miller Modernized Their HRLearn How Herman Miller Modernized Their HR
Learn How Herman Miller Modernized Their HR
 
Predictive Analytics, A Case Study on Operational Analysis - Emtec, Inc.
Predictive Analytics, A Case Study on Operational Analysis - Emtec, Inc.Predictive Analytics, A Case Study on Operational Analysis - Emtec, Inc.
Predictive Analytics, A Case Study on Operational Analysis - Emtec, Inc.
 
HCM Workforce Compensation Trends and Demo
HCM Workforce Compensation Trends and DemoHCM Workforce Compensation Trends and Demo
HCM Workforce Compensation Trends and Demo
 
Microsoft GP 2016: What You Need to Know Before Upgrading
Microsoft GP 2016: What You Need to Know Before UpgradingMicrosoft GP 2016: What You Need to Know Before Upgrading
Microsoft GP 2016: What You Need to Know Before Upgrading
 
Enterprise Workforce Planning: The Intersection of Finance, HR, and IT - Emt...
Enterprise Workforce Planning: The Intersection of Finance, HR, and IT  - Emt...Enterprise Workforce Planning: The Intersection of Finance, HR, and IT  - Emt...
Enterprise Workforce Planning: The Intersection of Finance, HR, and IT - Emt...
 
Webinar Presentation: Microsoft Dynamics 2013 Year End Close
Webinar Presentation: Microsoft Dynamics 2013 Year End Close Webinar Presentation: Microsoft Dynamics 2013 Year End Close
Webinar Presentation: Microsoft Dynamics 2013 Year End Close
 
Mious case study presentation (2)
Mious   case study presentation (2)Mious   case study presentation (2)
Mious case study presentation (2)
 
Data Center Infrastructure Management Powerpoint Presentation Slides
Data Center Infrastructure Management Powerpoint Presentation SlidesData Center Infrastructure Management Powerpoint Presentation Slides
Data Center Infrastructure Management Powerpoint Presentation Slides
 
Wincere Best Practices
Wincere Best PracticesWincere Best Practices
Wincere Best Practices
 
How can insurers benefit from using ISO Electronic Rating Content?
How can insurers benefit from using ISO Electronic Rating Content?How can insurers benefit from using ISO Electronic Rating Content?
How can insurers benefit from using ISO Electronic Rating Content?
 
DRM and the Importance of Metadata Management in Finance
DRM and the Importance of Metadata Management in Finance DRM and the Importance of Metadata Management in Finance
DRM and the Importance of Metadata Management in Finance
 
Oracle Fusion v/s Workday
Oracle Fusion v/s WorkdayOracle Fusion v/s Workday
Oracle Fusion v/s Workday
 
SmartERP Oracle Cloud Capabilities Presentation 2018
SmartERP Oracle Cloud Capabilities Presentation 2018SmartERP Oracle Cloud Capabilities Presentation 2018
SmartERP Oracle Cloud Capabilities Presentation 2018
 
Webinar Siebel CRM - The most common license compliance issues seen
Webinar Siebel CRM - The most common license compliance issues seenWebinar Siebel CRM - The most common license compliance issues seen
Webinar Siebel CRM - The most common license compliance issues seen
 

Similar a PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on your Data - Emtec, Inc.

5. 2010 11-03 bucharest oracle-tech_day_security
5. 2010 11-03 bucharest oracle-tech_day_security5. 2010 11-03 bucharest oracle-tech_day_security
5. 2010 11-03 bucharest oracle-tech_day_security
Doina Draganescu
 
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Minh237839
 
EPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber ArkEPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber Ark
Erni Susanti
 
SQL Server 2008 Security Overview
SQL Server 2008 Security OverviewSQL Server 2008 Security Overview
SQL Server 2008 Security Overview
ukdpe
 

Similar a PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on your Data - Emtec, Inc. (20)

Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom KyteOracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
 
Sustainable Compliance For PCI DSS Standard
Sustainable Compliance For PCI DSS StandardSustainable Compliance For PCI DSS Standard
Sustainable Compliance For PCI DSS Standard
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdfppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and Masking
 
Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager
 
5. 2010 11-03 bucharest oracle-tech_day_security
5. 2010 11-03 bucharest oracle-tech_day_security5. 2010 11-03 bucharest oracle-tech_day_security
5. 2010 11-03 bucharest oracle-tech_day_security
 
Shield db data security
Shield db   data securityShield db   data security
Shield db data security
 
Shield db data security
Shield db   data securityShield db   data security
Shield db data security
 
Shield db data security
Shield db   data securityShield db   data security
Shield db data security
 
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
 
How to Protect Your Oracle Database from Hackers
How to Protect Your Oracle Database from HackersHow to Protect Your Oracle Database from Hackers
How to Protect Your Oracle Database from Hackers
 
EPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber ArkEPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber Ark
 
7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
SQL Server 2008 Security Overview
SQL Server 2008 Security OverviewSQL Server 2008 Security Overview
SQL Server 2008 Security Overview
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 
Využijte svou Oracle databázi naplno
Využijte svou Oracle databázi naplnoVyužijte svou Oracle databázi naplno
Využijte svou Oracle databázi naplno
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Último (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on your Data - Emtec, Inc.

• 1. Emtec, Inc. Proprietary & Confidential. All rights reserved 2015.
  PCI Compliance - How To Remain Compliant And Gain Near Real Time Analytics
  By: John Gillespie

• 2. What We Will Cover…
  • Background
  • PCI Standards
  • Compliance Mapping / Tools
  • Near Real-Time Reporting (Oracle EBS)
  • Questions

• 3. BACKGROUND - WHAT IS PCI DSS
  • Payment Card Industry Data Security Standard (PCI DSS)
    – Developed by 5 major payment processing companies to reconcile their individual programs into a single set of payment requirements
    – The primary reason for PCI DSS is to protect cardholder data and prevent fraud
    – Version 3.1 of the standard (April 2015): https://www.pcisecuritystandards.org

• 4. PCI DSS APPLICABILITY
  • According to the PCI Security Standards Council, PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

  Data Element                                  Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
  Account Data / Cardholder Data
    Primary Account Number                      Yes                 Yes
    Cardholder Name                             Yes                 No
    Service Code                                Yes                 No
    Expiration Date                             Yes                 No
  Account Data / Sensitive Authentication Data
    Full Track Data                             No                  Cannot store per Requirement 3.2
    CAV2/CVC2/CVV2/CID                          No                  Cannot store per Requirement 3.2
    PIN/PIN Block                               No                  Cannot store per Requirement 3.2

• 5. SCOPE OF PCI DSS
  • Systems that provide security services such as firewalls, routers, switches, DNS, etc.
  • Virtualized infrastructure such as hypervisors, virtual services / desktops and virtualized network infrastructure.
  • Network infrastructure providing end-point connectivity, including wireless infrastructure.
  • Servers hosting protocols such as NTP, DNS, HTTP/HTTPS, FTP, SFTP, database protocols, authentication protocols, and mail protocols.
  • Purchased (COTS) and custom applications.
  • Any other unspecified component existing within or connected to the Cardholder Data Environment (CDE).
• 6. BUSINESS AS USUAL AS A BEST PRACTICE
  • Organizations that already have an audit and compliance approach to conducting business, such as companies subject to GLBA, SOX 404, JSOX, and HIPAA regulations, have an inherent leg up because the control design has already been defined.
  • A control is a process for ensuring that a function, automated or manual in nature, is operable, effective and reliable. Controls, and their design, are never intended to be absolute, but reasonable and commensurate with the inherent risk.
  • Segregated into:
    – Monitoring of Security
    – Detection of Failures and Deficiencies
    – Configuration Change Management
    – Organizational Change Management
    – Periodic Assessment
    – Periodic Review of Hardware and Software Technologies

• 7. THE TWELVE COMPLIANCE REQUIREMENTS FOR PCI DSS

• 8. AUDIT & COMPLIANCE ASSESSMENT PROGRAM
  • Define the Scope
  • Perform the Assessment
  • Complete the Report on Compliance (ROC)
  • Complete the Self-Assessment Questionnaire (SAQ)
  • Compliance Validation Reports (Attestations of Compliance)
  • Submit the SAQ and/or ROC along with the Attestation of Compliance to the Merchant / Service Provider
  • IMPORTANT NOTE: PCI DSS requirements are not considered to be in place if controls have not yet been implemented or are scheduled to be completed at a future date. After any open or not-in-place items are addressed by the entity, the assessor will then reassess to validate that the remediation is completed and that all requirements are satisfied.

• 9. ORACLE TOOLS FOR COMPLIANCE
  • Of the 12 PCI DSS Requirements, Oracle tools can assist in fulfilling 6:
    – Requirement 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
    – Requirement 3: PROTECT STORED CARDHOLDER DATA
    – Requirement 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
    – Requirement 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
    – Requirement 8: IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
    – Requirement 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
• 10. WHICH ORACLE TOOLS ARE REQUIRED
  Requirement 2 - Oracle Capability
  • Standard configuration of Oracle Database user accounts.
  • Oracle Enterprise Manager provides out-of-the-box configuration scans based on Oracle, customer policy, and industry commonly accepted practices. OEM also provides Oracle Database discovery, provisioning and patching.
  • Oracle Audit Vault and Database Firewall consolidates audit data from across Oracle, Microsoft SQL Server, IBM DB2 for LUW, SAP Sybase ASE and Oracle MySQL databases, in addition to Windows and Linux platforms, and can report and alert on that audit data.
  • Oracle Database Vault separation of duties prevents unauthorized administrative actions in the Oracle Database.
  • Oracle Database custom installation allows specific components to be installed or removed.
  • Oracle Database provides network encryption (SSL/TLS and native) to encrypt all traffic over SQL*Net between the middle tier and the database, between clients and the database, and between databases. Additionally, some administrative tools, such as Enterprise Manager, provide a restricted-use SSL license to protect administrative traffic.

  Requirement 3 - Oracle Capability
  • Applications can leverage Virtual Private Database (VPD) with a column-relevant policy to mask out the entire number.
  • Oracle Advanced Security with Data Redaction can consistently mask displayed data within applications.
  • Oracle Data Masking protects production data used in non-production environments for testing and QA.
  • Security controls provided by Oracle Label Security can help determine who should have access to the number.
  • Oracle Database Vault realms can be used to prevent privileged users from accessing application data.
  • In Oracle EBS, Oracle Wallet can be implemented to encrypt IBY transactions.
  • Oracle Advanced Security transparent data encryption (TDE), column encryption, and tablespace encryption can be used to transparently encrypt the Primary Account Number in the database and in its backups on storage media.
  • Oracle Advanced Security TDE column encryption provides the ability to independently re-key the master encryption key and/or table keys. Starting with Oracle Database 11g Release 2, the master encryption key for TDE tablespace encryption can be re-keyed as well. For PCI compliance, re-keying (rotating) the master encryption key is often sufficient.
  • Oracle RMAN with Oracle Advanced Security can encrypt (and compress) the entire backup when backed up to disk. Oracle Data Pump with Oracle Advanced Security can encrypt (and compress) the entire export dump file. Encryption algorithms supported include AES with 256, 192, or 128 bit key length, as well as 3DES168.
  • Designated individuals such as a DBA or Database Security Administrator (DSA) need to know the wallet password or the HSM authentication string and have the 'alter system' privilege in order to open the wallet or HSM and make the master encryption key available to the database.
  • Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to perform secure key distribution.
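The Requirement 3 controls above (TDE column encryption, VPD column masking, Data Redaction and master-key rotation) in Oracle SQL, as an added example that is not part of the Emtec deck or any Oracle sample. It assumes Oracle Database 12c syntax; the PAYAPP schema, the CARD_TXN table, the PCI_SETTLEMENT role, the keystore path and the password strings are all placeholders. The PAN is assumed to be stored in the hyphenated 19-character form the redaction format expects.

```sql
-- Added example (not from the deck): PCI DSS Requirement 3 controls on a
-- PAN column with Oracle 12c.  Schema, table, role, path and passwords are
-- placeholders.  Requires ADMINISTER KEY MANAGEMENT (SYSKM) for the key
-- steps and the keystore location already set in sqlnet.ora.

-- 1. Create and open the TDE keystore (wallet) and set the master key.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/orcl/wallet'
  IDENTIFIED BY "keystore_password_placeholder";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "keystore_password_placeholder";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore_password_placeholder" WITH BACKUP;

-- 2. Encrypt the PAN (and expiry) at rest with AES-256 column encryption.
--    Sensitive authentication data (CVV2, PIN, track data) gets no column at
--    all: Requirement 3.2 forbids storing it after authorization.
CREATE TABLE payapp.card_txn (
  txn_id      NUMBER        PRIMARY KEY,
  pan         VARCHAR2(19)  ENCRYPT USING 'AES256',   -- e.g. 4111-1111-1111-1111
  expiry      VARCHAR2(5)   ENCRYPT USING 'AES256',
  tender_type VARCHAR2(10),
  amount      NUMBER(12,2),
  created_on  DATE DEFAULT SYSDATE
);
CREATE ROLE pci_settlement;   -- the only role allowed to see a full PAN

-- 3a. VPD column-relevant policy: for sessions without the settlement role,
--     the PAN column comes back NULL (rows are still returned, the number
--     is masked out entirely).
CREATE OR REPLACE FUNCTION payapp.pan_mask_predicate
  (schema_name IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  -- Predicate is TRUE only for settlement sessions; everyone else has the
  -- secured column nulled because of sec_relevant_cols_opt = ALL_ROWS.
  RETURN 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''PCI_SETTLEMENT'') = ''TRUE''';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'PAYAPP',
    object_name           => 'CARD_TXN',
    policy_name           => 'vpd_mask_pan',
    function_schema       => 'PAYAPP',
    policy_function       => 'PAN_MASK_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PAN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- 3b. Data Redaction alternative: show only the last four digits
--     (****-****-****-1111) to non-settlement sessions.  The format string
--     is input format, output format, mask character, first and last
--     masked digit.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'PAYAPP',
    object_name         => 'CARD_TXN',
    policy_name         => 'redact_pan_last4',
    column_name         => 'PAN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    expression          =>
      'SYS_CONTEXT(''SYS_SESSION_ROLES'',''PCI_SETTLEMENT'') = ''FALSE''');
END;
/

-- 4. Key rotation.  Rotating the master key re-wraps the existing table keys
--    without rewriting the data; REKEY on the table issues a new table key
--    and re-encrypts the column.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore_password_placeholder" WITH BACKUP;
ALTER TABLE payapp.card_txn REKEY USING 'AES256';
```

In practice a schema would use either the VPD policy or the redaction policy on the same column, not both; they are shown side by side because the slide lists both as options. On 11g Release 2 the keystore steps are the older `ALTER SYSTEM SET ENCRYPTION KEY` / `ALTER SYSTEM SET ENCRYPTION WALLET OPEN` forms, and DBMS_REDACT is not available before 12c (it was back-ported to 11.2.0.4).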
• 11. WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
  Requirement 6 - Oracle Capability
  • Oracle follows the Common Vulnerability Scoring System (CVSS) when providing severity ratings for bug fixes released in Critical Patch Updates (CPUs).
  • Enterprise User Security, an Oracle Database Enterprise Edition feature, combined with Oracle Identity Management, gives the ability to centrally manage database users and their authorizations in one place.
  • Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager enables the separation of privileges, manages self-service requests to privileged accounts, and provides auditing and reporting of password usage.
  • Oracle Database Vault can help to protect against DBA access to production data in Oracle Databases.
  • Oracle Data Masking de-identifies payment card numbers, and other sensitive information, for testing and development environments.
  • Database change control procedures can be automated with Oracle Change Management. BPEL Process Manager can also be used for process management of change control and of security procedures in general.

  Requirement 7 - Oracle Capability
  • Oracle Label Security provides additional security attributes based on need-to-know or "least-privilege" requirements.
  • Oracle Virtual Private Database provides basic runtime masking.
  • Oracle Data Redaction removes or masks sensitive application data fields based on organizational and regulatory policy combined with the requestor's entitlements.
  • Oracle Database object privileges and database roles provide basic security.
  • Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data, based on role, job function, department, location, and/or other variables. This can be triggered automatically from the HR (HCM) system.
  • Oracle Identity Analytics defines roles to provide granular definition of jobs and functions, as well as short-term assignments.

  Requirement 8 - Oracle Capability
  • Oracle Database authentication supports dedicated user accounts and strong authentication capabilities, including Kerberos.
  • Oracle Identity Governance Suite provides enterprise user provisioning using an automated workflow and central repository. Users are automatically de-provisioned when they are no longer active.
  • Privileged access should be managed on an exception basis with one-time passwords (OTP). Extensive monitoring of privileged and/or support access provides assurance that personnel are only performing authorized activities.
  • Oracle Access Management Suite provides centralized application-layer access control, authorization and authentication.
  • Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager is a secure password management solution designed to generate, provision, and manage access to passwords.
  • Repeated access attempts can trigger an account lockout; the number of attempts and the remediation process are configurable.
  • Oracle Access Management Suite supports strong authentication (tokens, smart cards, X.509 certificates, forms) as well as passwords.
  • Oracle Access Manager includes self-service password reset with policies that can meet the complexity requirements of PCI DSS 3.1.
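The Requirement 8 lockout and password-policy bullets above, expressed as a database profile, as an added example that is not part of the Emtec deck. The numeric limits are the PCI DSS 3.1 values (8.1.6 lock after at most six failed attempts, 8.1.7 lock for at least 30 minutes, 8.1.8 re-authenticate after 15 idle minutes, 8.2.4 change at least every 90 days, 8.2.5 no reuse of the last four); the profile name PCI_USER and the user PCI_CLERK are placeholders, and `ora12c_verify_function` is the complexity function that Oracle 12c ships in `utlpwdmg.sql` (on 11g the shipped function is `verify_function_11G`).

```sql
-- Added example (not from the deck): an Oracle profile sized to the
-- PCI DSS 3.1 Requirement 8 limits.  Profile and user names are placeholders.
-- Run as a DBA.

-- Load Oracle's shipped password-complexity function (12c).  Note that this
-- script also attaches the function to the DEFAULT profile.
@?/rdbms/admin/utlpwdmg.sql

-- IDLE_TIME is only enforced when resource limits are switched on.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE=BOTH;

CREATE PROFILE pci_user LIMIT
  FAILED_LOGIN_ATTEMPTS    6,                      -- 8.1.6: lock after six attempts
  PASSWORD_LOCK_TIME       30/1440,                -- 8.1.7: 30 minutes (unit is days)
  IDLE_TIME                15,                     -- 8.1.8: 15-minute idle timeout
  PASSWORD_LIFE_TIME       90,                     -- 8.2.4: change every 90 days
  PASSWORD_GRACE_TIME      5,                      -- warn for 5 days before expiry
  PASSWORD_REUSE_MAX       4,                      -- 8.2.5: cannot reuse the last four
  PASSWORD_REUSE_TIME      365,                    -- both reuse limits must be set,
                                                   -- else Oracle treats it as "never reuse"
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function; -- 8.2.3: length and letter+digit mix

-- Attach the profile to an interactive (non-service) account and force a
-- change at first logon (8.2.6: unique first-use password).
CREATE USER pci_clerk IDENTIFIED BY "initial_password_placeholder" PROFILE pci_user;
ALTER USER pci_clerk PASSWORD EXPIRE;

-- Check what is in force for each account subject to the assessment.
SELECT u.username, u.profile, u.account_status, u.expiry_date
FROM   dba_users u
WHERE  u.profile = 'PCI_USER';
```

Oracle's `ora12c_verify_function` requires at least eight characters with at least one letter and one digit, which exceeds the seven-character, alphanumeric minimum in 8.2.3. The profile only covers database logins; application-tier accounts managed through Oracle Access Manager need the equivalent policy set there, as the slide notes.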
• 12. WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
  Requirement 10 - Oracle Capability
  • Oracle Audit Vault and Database Firewall collects and centralizes database and system audit data for enterprise reporting and alerting.
  • Oracle Database Vault audit trails can be collected in Oracle Audit Vault and Database Firewall.
  • Oracle Database Fine Grained Auditing (FGA) enables audit policies to be associated with columns in application tables, along with the conditions necessary for an audit record to be generated. Audit trails can be collected in Oracle Audit Vault and Database Firewall for reporting.
  • Oracle Database Conditional Auditing provides highly selective and effective auditing by creating records based on the context of the database session. Out-of-policy connections can be fully audited while no data is generated for others.
  • Oracle Database Vault realms and separation of duties for more stringent controls on database administration; Oracle Database Vault realm reports.
  • Oracle Audit Vault and Database Firewall audit data consolidation for enterprise reports and alerting.
  • Oracle Identity Governance Suite, Oracle Access Management Suite audit reports, and Oracle Identity Analytics.
  • Customized reports can be generated using Oracle Application Express, Oracle BI Publisher and 3rd-party tools.
  • Oracle Access Management Suite and Identity Manager provide logs of all user activity and provisioning/de-provisioning.
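The Requirement 10 bullets on Fine Grained Auditing and Conditional Auditing, as an added example that is not part of the Emtec deck. It assumes Oracle 12c with unified auditing; the PAYAPP.CARD_TXN table, its PAN column, the FGA and audit policy names and the APPSVC service-account name are placeholders.

```sql
-- Added example (not from the deck): PCI DSS Requirement 10 auditing of a
-- PAN column in Oracle 12c.  Table, column, policy and account names are
-- placeholders.  Run as a user with AUDIT_ADMIN.

-- 1. Fine Grained Auditing: write a record whenever a statement touches the
--    PAN column.  audit_condition NULL means every such statement qualifies;
--    EXTENDED keeps the SQL text and bind values for the investigator.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'PAYAPP',
    object_name     => 'CARD_TXN',
    policy_name     => 'fga_pan_access',
    audit_column    => 'PAN',
    audit_condition => NULL,
    statement_types => 'SELECT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 2. Conditional (unified) auditing: record all access to the table from
--    any session that is not the application service account.  The WHEN
--    clause is evaluated once per session, so in-policy application sessions
--    generate no audit data at all.
CREATE AUDIT POLICY pci_non_app_card_access
  ACTIONS SELECT ON payapp.card_txn,
          UPDATE ON payapp.card_txn,
          DELETE ON payapp.card_txn
  WHEN 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''APPSVC'''
  EVALUATE PER SESSION;
AUDIT POLICY pci_non_app_card_access;

-- 3. Also keep the administrative-action trail PCI 10.2.2 asks for, using the
--    policy Oracle pre-defines for DBA-style activity.
AUDIT POLICY ora_secureconfig;

-- 4. The review query (10.6): who read or changed card data, from where, and
--    under which policy.  This is what gets pulled into Audit Vault or a
--    BI Publisher report for the daily log review.
SELECT event_timestamp, dbusername, os_username, userhost,
       action_name, object_schema, object_name, sql_text
FROM   unified_audit_trail
WHERE  fga_policy_name = 'FGA_PAN_ACCESS'
   OR  unified_audit_policies LIKE '%PCI_NON_APP_CARD_ACCESS%'
ORDER  BY event_timestamp DESC;
```

The two mechanisms are complementary: FGA fires on the column regardless of who the user is, so it also records the application account's own reads for volume and anomaly baselines, while the conditional policy is the cheap catch-all for every session that should not be near the table in the first place. On 11g there is no `CREATE AUDIT POLICY`; the FGA policy works the same way and the records land in `DBA_FGA_AUDIT_TRAIL` instead.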
• 13. CHALLENGES
  • Native reporting is difficult and sometimes non-existent or poorly formatted
  • Interim / point-in-time reporting does not exist
  • The IBY / Payments infrastructure is difficult to join to due to encryption
  • Seeded reporting is completely reliant on legacy RDFs
  • Transaction tracing through the settlement process is difficult without custom extract development or professional services

• 14. HOW HAVE WE SOLVED THIS QUANDARY
  • Aside from assisting your company to comply with the rules and regulations of PCI DSS, we have developed a "Materialized View" for customers leveraging Oracle E-Business Suite that allows for interim reporting of:
    – Fully accounted transactions in Receivables, Payables, Subledger Accounting and Payments (both Processor and Gateway models)
    – Partially accounted credit card transactions that have not been settled, using the ISO 8583 payment specification. This method allows for a determination of credit card risk prior to settlement based upon the floor-limit pre-authorization
    – Grouping of the extract by tender type to determine the interchange rate and the discount / fees that are booked on a period basis
    – Ability to be secured with native Oracle security and RBAC (Role Based Access Controls)
    – Credit card transaction errors for root cause analysis (Auth, Pre-Settlement and Post-Settlement)
    – The view leverages Microsoft Excel via XML Publisher to manipulate data
• 15. PORTABLE DATA FOR ANALYTICS

• 16. PORTABLE DATA FOR ANALYTICS

• 17. PORTABLE DATA FOR ANALYTICS
• 18. OUR COMPANY / OUR PEOPLE / OUR SERVICES / GLOBAL DELIVERY (infographic)
  • TECHNOLOGY EMPOWERED BUSINESS SOLUTIONS; "right size provider"; "client for life"; Best Places to Work 2012
  • Global delivery: USA (IL, PA, NJ, GA, VA, MN, FL), Canada (Toronto, Ottawa), India (Pune, Bangalore); onshore, offshore, nearshore and blended managed services
  • Our services: Advisory (strategy, governance, process); Applications (ERP, HCM, CRM, app. development, mobile solutions); Cloud (applications, infrastructure); Analytics (enterprise reporting, predictive analytics, big data); Infrastructure (service management, enterprise infrastructure, end user computing)
  • Business and Technology Empowered

• 19. An Exciting Year For Emtec… And Our Clients!
  • Expansion: Services, GEO, Vertical, SMAC
  • Vertical Focus / Advisory Services: Strategy; Enterprise Solutioning; Management Consulting; Line of Business Expertise

• 20. Emtec Services Align Well with each stakeholder community (The Power of Emtec)
  ENTERPRISE SUITE
  • SALES & MARKETING: 360 degree view of the customer; Sales force automation; Customer Service; Marketing Automation; Customer and Product Data Management; BI / Analytics
  • HCM: Workforce Planning; HR Analytics; Talent Management; Employee Self-Service; Performance Management; Total Compensation
  • CFO / FINANCE: Budget & Planning; Financial Close Mgmt; Procure to Pay; SEC Reporting; Financial Analytics; Cash Management
  • OPERATIONS: Forecasting; Operational Analytics; ERP; Project Costing
  TECHNOLOGY
  • Advisory Services; Application Development & Maintenance services; Business Intelligence & Big Data; Cloud Strategy and Implementation; Independent Verification & Validation; Infrastructure Services; Managed Services; IT Service Management; Procurement Services
  • Business Strategy; Managed Services & Outsourcing; Advisory Services; Analytics; Governance

• 21. THANK YOU FOR YOUR TIME
  Please visit us online at www.emtecinc.com