This document discusses PCI compliance and real-time analytics using Oracle tools. It provides background on PCI standards and compliance requirements. It then describes how Oracle tools can help with six PCI requirements, including encrypting data, restricting access, and reporting. The document also discusses challenges with native Oracle reporting and interim reporting. It then describes a materialized view solution developed to provide portable data and near real-time analytics on credit card transactions in Oracle E-Business Suite.
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on your Data - Emtec, Inc.
1. Emtec, Inc. Proprietary & Confidential. All rights reserved 2015.
PCI Compliance: How To Remain Compliant And Gain Near Real-Time Analytics
By: John Gillespie
What We Will Cover…
• Background
• PCI Standards
• Compliance Mapping / Tools
• Near Real-Time Reporting (Oracle EBS)
• Questions
BACKGROUND - WHAT IS PCI DSS
•Payment Card Industry Data Security Standard (PCI DSS)
–Developed by the five major payment card brands to reconcile their individual security programs into a single set of requirements
–The primary purpose of PCI DSS is to protect cardholder data and prevent fraud
–Version 3.1 of the standard (April 2015)
https://www.pcisecuritystandards.org
PCI DSS APPLICABILITY
•According to the PCI Security Standards Council, PCI DSS applies to all
entities involved in payment card processing—including merchants,
processors, acquirers, issuers, and service providers. PCI DSS also
applies to all other entities that store, process, or transmit cardholder
data and/or sensitive authentication data.
Account Data                    Data Element             Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
Cardholder Data                 Primary Account Number   Yes                 Yes
                                Cardholder Name          Yes                 No
                                Service Code             Yes                 No
                                Expiration Date          Yes                 No
Sensitive Authentication Data   Full Track Data          No                  Cannot store per Requirement 3.2
                                CAV2/CVC2/CVV2/CID       No                  Cannot store per Requirement 3.2
                                PIN/PIN Block            No                  Cannot store per Requirement 3.2
SCOPE OF PCI DSS
•Systems that provide security services, such as firewalls, routers, switches, DNS, etc.
•Virtualized infrastructure such as hypervisors, virtual servers / desktops and virtualized network infrastructure.
•Network infrastructure providing end-point connectivity, including wireless infrastructure.
•Servers hosting services such as NTP, DNS, HTTP/HTTPS, FTP, SFTP, database protocols, authentication protocols and mail protocols.
•Purchased (COTS) and custom applications.
•Any other component, whether listed above or not, that sits within or is connected to the Cardholder Data Environment (CDE).
BUSINESS AS USUAL AS A BEST PRACTICE
• Organizations that already have an audit and compliance approach to conducting business, such as companies subject to GLBA, SOX 404, JSOX and HIPAA regulations, have an inherent leg up because the control design has already been defined.
• A control is a process for ensuring that a function, automated or manual in nature, is operable, effective and reliable. Controls and their design are never intended to be absolute, but reasonable and commensurate with the inherent risk.
• Segregated into:
–Monitoring of Security
–Detection of Failures and Deficiencies
–Configuration Change Management
–Organizational Change Management
–Periodic Assessment
–Periodic Review of Hardware and Software Technologies
THE TWELVE COMPLIANCE REQUIREMENTS FOR PCI DSS
AUDIT & COMPLIANCE ASSESSMENT PROGRAM
• Define the scope
• Perform the assessment
• Complete the Report on Compliance (ROC)
• Complete the Self-Assessment Questionnaire (SAQ)
• Compliance validation reports (Attestations of Compliance, AOC)
• Submit the SAQ and/or ROC along with the Attestation of Compliance to the acquirer or payment brand that requested it
• IMPORTANT NOTE: PCI DSS requirements are not considered to be in place if controls have not yet been implemented or are scheduled to be completed at a future date. After any open or not-in-place items are addressed by the entity, the assessor reassesses to validate that the remediation is complete and that all requirements are satisfied.
ORACLE TOOLS FOR COMPLIANCE
• Of the 12 PCI DSS Requirements, Oracle tools can assist in fulfilling 6:
• Requirement 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
• Requirement 3: PROTECT STORED CARDHOLDER DATA
• Requirement 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
• Requirement 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
• Requirement 8: IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
• Requirement 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
WHICH ORACLE TOOLS ARE REQUIRED
Requirement Oracle Capability
Requirement 2
Standardized, hardened configuration of Oracle database user accounts (vendor default accounts locked or removed, default passwords changed). Oracle Enterprise Manager provides out-of-the-box configuration scans based on Oracle recommendations, customer policy and commonly accepted industry practice. OEM also provides Oracle Database discovery, provisioning and patching.
Oracle Audit Vault and Database Firewall consolidates audit data from Oracle, Microsoft SQL Server, IBM DB2 for LUW, SAP Sybase ASE and Oracle MySQL databases, in addition to Windows and Linux platforms, and can report and alert on that audit data. Oracle Database Vault separation of duties prevents unauthorized administrative actions in the Oracle Database.
Oracle Database custom installation allows specific components to be installed or removed, so unneeded services are not present. Oracle Database provides network encryption (SSL/TLS and native) to encrypt all SQL*Net traffic between the middle tier and the database, between clients and the database, and between databases. Additionally, some administrative tools, such as Enterprise Manager, include a restricted-use SSL license to protect administrative traffic.
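Two checks a DBA can run to back up the Requirement 2 items above, as an added example that is not part of the Emtec deck or an Oracle-supplied script. It assumes a DBA session on 11g or later; SCOTT and the replacement password literal are placeholders.

```sql
-- Added example (not from the Emtec deck). Run as a DBA.
-- 1. Open accounts that still carry an Oracle-supplied default password.
--    DBA_USERS_WITH_DEFPWD (11g and later) lists accounts whose stored password
--    hash matches the vendor default for that account.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE 'LOCKED%'
 ORDER BY d.username;

-- 2. Remediate: set a new password, force it to be changed, and lock
--    sample/unused accounts outright. SCOTT and the literal are placeholders.
ALTER USER scott IDENTIFIED BY "R0tated-N0t-Default!" PASSWORD EXPIRE ACCOUNT LOCK;

-- 3. Confirm that the current session is actually using native network
--    encryption rather than trusting the sqlnet.ora setting. A row naming the
--    negotiated algorithm (for example an AES256 encryption service adapter)
--    appears only when encryption was negotiated for this connection.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

The first query is the one to schedule: a default password reappearing after a patch or a database clone is a common way to fail this requirement between assessments.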
Requirement 3
Applications can leverage Virtual Private Database (VPD) with a column-relevant policy to mask out the entire number. Oracle Advanced Security Data Redaction can consistently mask displayed data within applications. Oracle Data Masking protects production data used in non-production environments for testing and QA. Security controls provided by Oracle Label Security can help determine who should have access to the number. Oracle Database Vault realms can be used to prevent privileged users from accessing application data. In Oracle EBS, Oracle Wallet can be implemented to encrypt IBY (Payments) transactions.
Oracle Advanced Security transparent data encryption (TDE), column encryption and tablespace encryption can be used to transparently encrypt the Primary Account Number in the database and in backups on storage media. Oracle Advanced Security TDE column encryption provides the ability to independently re-key the master encryption key and/or the table keys. Starting with Oracle Database 11g Release 2, the master encryption key for TDE tablespace encryption can be re-keyed as well. For PCI compliance, re-keying (rotating) the master encryption key is often sufficient; note that rotating the master key re-wraps the table or tablespace keys but does not re-encrypt the stored data itself unless the table is explicitly re-keyed.
Oracle RMAN with Oracle Advanced Security can encrypt (and compress) the entire backup when backed up to disk. Oracle Data Pump with Oracle Advanced Security can encrypt (and compress) an entire export file. Supported encryption algorithms include AES with 256-, 192- or 128-bit keys, as well as 3DES168.
Designated individuals such as a DBA or Database Security Administrator (DSA) need to know the wallet password or the HSM authentication string and hold the 'alter system' privilege (or, from 12c, the SYSKM privilege for ADMINISTER KEY MANAGEMENT) in order to open the wallet or HSM and make the master encryption key available to the database. Oracle Advanced Security native network encryption uses the Diffie-Hellman key negotiation algorithm to distribute session keys securely.
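The three Requirement 3 mechanisms that touch the PAN directly (column encryption at rest, master-key rotation, and redaction on display) in Oracle SQL, as an added example that is not part of the Emtec deck. The table APPS.XX_CC_TXN, its PAN column, the CC_AUDITOR account and the keystore password are hypothetical; it assumes an open TDE wallet/keystore and Oracle 12c syntax (the 11g equivalent is noted inline).

```sql
-- Added example (not from the Emtec deck). Names below are hypothetical.
-- 1. Encrypt the PAN column at rest. The default (salted) form is right for a
--    column that is never indexed; use NO SALT only if an index is required.
ALTER TABLE apps.xx_cc_txn MODIFY (pan ENCRYPT USING 'AES256');

-- 2. Rotate the TDE master encryption key (12c). This re-wraps the table keys;
--    the column data is not re-encrypted unless REKEY is run on the table.
--    11g equivalent: ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet pwd>";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "WalletPwd#2015" WITH BACKUP;
-- Optional: re-encrypt the column data itself under a fresh table key.
ALTER TABLE apps.xx_cc_txn REKEY USING 'AES256';

-- 3. Redact the PAN on display for everyone except a hypothetical audit account:
--    positions 1-12 of a 16-digit value are replaced by '*', last four kept.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APPS',
    object_name         => 'XX_CC_TXN',
    column_name         => 'PAN',
    policy_name         => 'REDACT_PAN',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last masked position
    function_parameters => 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12',
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'CC_AUDITOR']');
END;
/

-- 4. Verify from a normal account: the PAN now reads ************1234.
SELECT pan FROM apps.xx_cc_txn WHERE ROWNUM <= 3;
```

Redaction is a display control only: it does not apply to users holding EXEMPT REDACTION POLICY or to SYS, and it does nothing for data already copied out of the table, which is why the encryption in steps 1 and 2 is still required.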
WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
Requirement 6
Oracle follows the Common Vulnerability Scoring System (CVSS) when providing severity ratings for bug fixes released in Critical Patch Updates (CPUs). Enterprise User Security, an Oracle Database Enterprise Edition feature, combined with Oracle Identity Management, gives the ability to centrally manage database users and their authorizations in one place. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager enables the separation of privileges, manages self-service requests for privileged accounts, and provides auditing and reporting of password usage. Oracle Database Vault can help to protect production data in Oracle Databases from DBA access.
Oracle Data Masking de-identifies payment card numbers, and other sensitive information, for testing and development environments. Database change control procedures can be automated with the Oracle Enterprise Manager Change Management Pack. BPEL Process Manager can also be used for process management of change control and of security procedures in general.
Requirement 7
Oracle Label Security provides additional security attributes based on need-to-know or "least-privilege" requirements. Oracle Virtual Private Database provides basic runtime masking. Oracle Data Redaction removes or masks sensitive application data fields based on organizational and regulatory policy combined with the requestor's entitlements. Oracle Database object privileges and database roles provide basic security. Oracle Identity Analytics defines roles to provide granular definition of jobs and functions, as well as short-term assignments.
Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data, based on role, job function, department, location and/or other variables. This can be triggered automatically from the HR (HCM) system.
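The VPD "basic runtime masking" mentioned above, tied to a need-to-know role, as an added example that is not part of the Emtec deck. APPS.XX_CC_TXN, its PAN column and the role CC_FULL_PAN are hypothetical; SYS_SESSION_ROLES requires Oracle 12c (on 11g, test the role with DBMS_SESSION.IS_ROLE_ENABLED inside the policy function instead).

```sql
-- Added example (not from the Emtec deck). Names below are hypothetical.
-- Policy function: VPD appends the returned string as a WHERE predicate.
-- With ALL_ROWS (below) every row is still returned, but the secured column
-- comes back NULL for rows where the predicate is false.
CREATE OR REPLACE FUNCTION apps.xx_pan_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- 'TRUE' only when the session has the CC_FULL_PAN role enabled
  RETURN q'[SYS_CONTEXT('SYS_SESSION_ROLES', 'CC_FULL_PAN') = 'TRUE']';
END xx_pan_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APPS',
    object_name           => 'XX_CC_TXN',
    policy_name           => 'VPD_MASK_PAN',
    function_schema       => 'APPS',
    policy_function       => 'XX_PAN_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PAN',               -- fire only when PAN is referenced
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);  -- mask the column, keep the rows
END;
/

-- Verify: without the role the PAN is NULL, with it the value is returned.
CREATE ROLE cc_full_pan;
SELECT trxn_id, pan FROM apps.xx_cc_txn WHERE ROWNUM <= 3;   -- pan is NULL
SET ROLE cc_full_pan;
SELECT trxn_id, pan FROM apps.xx_cc_txn WHERE ROWNUM <= 3;   -- pan visible
```

Because the policy only fires when PAN is in the statement, reports that never select the column pay no VPD cost, and queries that do select it still return the other columns, which keeps existing application screens working.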
Requirement 8
Oracle Database authentication supports dedicated user accounts and strong authentication capabilities, including Kerberos. Oracle Identity Governance Suite provides enterprise user provisioning using an automated workflow and central repository. Users are automatically de-provisioned when they are no longer active. Privileged access should be managed on an exception basis with one-time passwords (OTP). Extensive monitoring of privileged and/or support access provides assurance that personnel are only performing authorized activities.
Oracle Access Management Suite provides centralized application-layer access control, authorization and authentication. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager is a secure password management solution designed to generate, provision and manage access to passwords. Repeated failed access attempts can trigger an account lockout; the number of attempts and the remediation process are configurable. Oracle Access Management Suite supports strong authentication (tokens, smart cards, X.509 certificates, forms) as well as passwords.
Oracle Access Manager includes self-service password reset with policies that can meet the complexity requirements of PCI DSS 3.1.
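The lockout and password-policy settings above, expressed as an Oracle database profile for direct database accounts, as an added example that is not part of the Emtec deck. The profile and the APPS_REPORT user are hypothetical; the limits follow PCI DSS 3.1 Requirement 8 (six attempts, 30-minute lockout, 15-minute idle timeout, 90-day change, last four passwords not reusable, length and complexity checks).

```sql
-- Added example (not from the Emtec deck). Profile name and user are hypothetical.
CREATE PROFILE pci_app_user LIMIT
  FAILED_LOGIN_ATTEMPTS    6            -- 8.1.6: lock after at most six attempts
  PASSWORD_LOCK_TIME       30/1440      -- 8.1.7: lockout lasts at least 30 minutes (days)
  IDLE_TIME                15           -- 8.1.8: re-authenticate after 15 idle minutes
  PASSWORD_LIFE_TIME       90           -- 8.2.4: change at least every 90 days
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       4            -- 8.2.5: a password may be reused only after
  PASSWORD_REUSE_TIME      1            --        four changes AND one day (both must hold;
                                        --        UNLIMITED on either side forbids reuse)
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;  -- 8.2.3: length/complexity
                                        -- (11g: run utlpwdmg.sql, use verify_function_11G)

-- IDLE_TIME is only enforced when resource limits are on.
ALTER SYSTEM SET resource_limit = TRUE;

ALTER USER apps_report PROFILE pci_app_user;

-- Check: which open accounts are still on a profile that falls short?
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                           'PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX', 'IDLE_TIME')
   AND p.limit IN ('UNLIMITED', 'DEFAULT')
 ORDER BY u.username, p.resource_name;
```

The check query is deliberately negative: it lists accounts whose profile still inherits DEFAULT or UNLIMITED for any of the five limits, which is the usual finding after new schemas are created without an explicit profile.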
WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
Requirement 10
Oracle Audit Vault and Database Firewall collects and centralizes database and system audit data for enterprise reporting and alerting. Oracle Database Vault audit trails can be collected in Oracle Audit Vault and Database Firewall. Oracle Database Fine Grained Auditing (FGA) enables audit policies to be associated with columns in application tables, along with the conditions necessary for an audit record to be generated; these audit trails can also be collected in Oracle Audit Vault and Database Firewall for reporting.
Oracle Database conditional auditing (12c unified audit policies with a WHEN condition) provides highly selective and effective auditing by creating records based on the context of the database session. Out-of-policy connections can be fully audited while no data is generated for others.
Supporting controls and reports:
–Oracle Database Vault realms and separation of duties for more stringent controls on database administration
–Oracle Database Vault realm reports
–Oracle Audit Vault and Database Firewall audit data consolidation for enterprise reports and alerting
–Oracle Identity Governance Suite
–Oracle Access Management Suite audit reports
–Oracle Identity Analytics
Customized reports can be generated using Oracle Application Express, Oracle BI Publisher and 3rd-party tools. Oracle Access Management Suite and Identity Manager provide logs of all user activity and provisioning/de-provisioning.
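The two database-side audit mechanisms named above, an FGA policy on the PAN column and a conditional unified audit policy for sessions that do not come from the application tier, as an added example that is not part of the Emtec deck. APPS.XX_CC_TXN, the policy names and the 10.0.5.0/24 middle-tier range are hypothetical; the unified audit policy needs Oracle 12c.

```sql
-- Added example (not from the Emtec deck). Names and the IP range are hypothetical.
-- 1. Fine Grained Auditing: one record per statement that touches the PAN
--    column, with the SQL text and bind values, regardless of who ran it.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APPS',
    object_name     => 'XX_CC_TXN',
    policy_name     => 'FGA_PAN_ACCESS',
    audit_column    => 'PAN',                    -- fire only when PAN is referenced
    audit_condition => NULL,                     -- no extra row condition
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);    -- keep SQL text and binds
END;
/

-- 2. Conditional unified auditing (12c): record every action in sessions whose
--    client address is outside the EBS middle tier, and nothing for the rest.
--    The condition is a quoted SQL expression evaluated once per session.
CREATE AUDIT POLICY xx_offtier_sessions
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') NOT LIKE ''10.0.5.%'''
  EVALUATE PER SESSION;
AUDIT POLICY xx_offtier_sessions;

-- 3. Review. In mixed-mode auditing (the 12c default) FGA records land in
--    DBA_FGA_AUDIT_TRAIL; with pure unified auditing they are in
--    UNIFIED_AUDIT_TRAIL with audit_type = 'FineGrainedAudit'.
SELECT timestamp, db_user, client_id, object_name, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'FGA_PAN_ACCESS'
 ORDER BY timestamp DESC;

SELECT event_timestamp, dbusername, action_name, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%XX_OFFTIER_SESSIONS%'
 ORDER BY event_timestamp DESC;
```

Pair the FGA policy with an alert in Audit Vault on any FGA_PAN_ACCESS record whose DB_USER is not the application schema; the policy itself only records, and Requirement 10 also expects the trail to be reviewed.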
CHALLENGES
•Native reporting is difficult and sometimes non-existent or poorly formatted
•Interim / point-in-time reporting does not exist
•The IBY / Payments tables are difficult to join because the sensitive columns are encrypted
•Seeded reporting relies entirely on legacy Oracle Reports (RDF) definitions
•Tracing a transaction through the settlement process is difficult without custom extract development or professional services
HOW HAVE WE SOLVED THIS QUANDARY
•Aside from helping your company comply with the rules and regulations of PCI DSS, we have developed a "Materialized View" for customers running Oracle E-Business Suite that allows for interim reporting of:
–Fully accounted transactions in Receivables, Payables, Subledger Accounting and Payments (both Processor and Gateway models)
–Partially accounted credit card transactions that have not yet been settled, using the ISO 8583 payment message fields. This allows credit card risk to be assessed prior to settlement, based on the floor limit pre-authorization
–Grouping of the extract by tender type to determine the interchange rate and the discount / fees that are booked on a period basis
–Ability to be secured with native Oracle security and RBAC (Role Based Access Controls)
–Credit card transaction errors for root cause analysis (Auth, Pre-Settlement and Post-Settlement)
–The view's output can be delivered to Microsoft Excel via XML Publisher for further manipulation
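The shape of such a reporting materialized view, as an added example that is not part of the Emtec deck or its product: it uses hypothetical simplified staging tables (XX_CC_TRXN, XX_CC_INSTRUMENT, XX_INTERCHANGE_RATES) rather than the real EBS IBY/AR tables, and it deliberately materializes only a token and the last four digits, never the PAN, so the view does not itself become stored cardholder data under Requirement 3.

```sql
-- Added example (not from the Emtec deck). All table, column and role names are
-- hypothetical stand-ins for the EBS Payments / Receivables sources.
CREATE MATERIALIZED VIEW apps.xx_cc_settlement_mv
  BUILD IMMEDIATE
  REFRESH COMPLETE START WITH SYSDATE NEXT SYSDATE + 15/1440   -- near real time: every 15 min
AS
SELECT t.trxn_id,
       t.tender_type,                    -- e.g. VISA / MC / AMEX, drives interchange
       t.trxn_status,                    -- AUTHORIZED / SETTLED / ERROR
       t.trxn_date,
       t.settlement_date,
       t.amount,
       t.currency_code,
       t.last4,                          -- stored separately by the app; not derived from PAN
       i.token_id,                       -- processor token, not the card number
       t.auth_code,
       t.error_code,                     -- populated for auth/settlement failures
       s.interchange_rate,
       ROUND(t.amount * s.interchange_rate, 2) AS est_fee
  FROM apps.xx_cc_trxn t
  JOIN apps.xx_cc_instrument i
    ON i.instrument_id = t.instrument_id
  LEFT JOIN apps.xx_interchange_rates s
    ON s.tender_type = t.tender_type
   AND t.trxn_date BETWEEN s.start_date AND NVL(s.end_date, t.trxn_date);

-- Need-to-know: expose the view through a role, never by direct user grants.
CREATE ROLE xx_cc_report;
GRANT SELECT ON apps.xx_cc_settlement_mv TO xx_cc_report;

-- Period view by tender type: settled volume, unsettled (pre-authorized) exposure,
-- estimated fees booked, and error count for root-cause follow-up.
SELECT tender_type,
       SUM(CASE WHEN trxn_status = 'SETTLED'    THEN amount END) AS settled_amt,
       SUM(CASE WHEN trxn_status = 'AUTHORIZED' THEN amount END) AS unsettled_exposure,
       SUM(CASE WHEN trxn_status = 'SETTLED'    THEN est_fee END) AS est_fees,
       COUNT(CASE WHEN trxn_status = 'ERROR'    THEN 1 END)       AS errors
  FROM apps.xx_cc_settlement_mv
 WHERE settlement_date >= TRUNC(SYSDATE, 'MM')
    OR trxn_status <> 'SETTLED'
 GROUP BY tender_type
 ORDER BY tender_type;
```

A materialized view is a copy of its source rows, so whatever it selects is stored again on disk and in backups; if a real implementation ever needed the encrypted PAN or expiry in the view, the view's tablespace would have to be TDE-encrypted and the view itself brought into the CDE scope.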
PORTABLE DATA FOR ANALYTICS
OUR COMPANY
Technology Empowered Business Solutions: "right size provider", "client for life". Over 17 years serving clients; 500 dedicated associates; Best Places to Work 2012.
Global delivery: India (Pune, Bangalore), USA (IL, PA, NJ, GA, VA, MN, FL), Canada (Toronto, Ottawa); onshore, offshore, nearshore and blended managed services; 25+ other partners.
OUR PEOPLE: fulltime employees, many from prior tier 1 consultancies.
OUR SERVICES
• Advisory: strategy, governance, process
• Applications: ERP, HCM, CRM, app. development, mobile solutions
• Cloud: applications, infrastructure
• Analytics: enterprise reporting, predictive analytics, big data
• Infrastructure: service management, enterprise infrastructure, end user computing
Business and Technology Empowered
An Exciting Year For Emtec… And Our Clients!
Advisory Services expansion across services, geographies, verticals and SMAC: strategy, enterprise solutioning, management consulting, line-of-business expertise and vertical focus.
Emtec Services Align Well with each stakeholder community
• Sales & Marketing (Enterprise Suite): 360 degree view of the customer, sales force automation, customer service, marketing automation, customer and product data management, BI / analytics
• HCM: workforce planning, HR analytics, talent management, employee self-service, performance management, total compensation
• CFO / Finance: budget & planning, financial close management, procure to pay, SEC reporting, financial analytics, cash management
• Operations: forecasting, operational analytics, ERP, project costing
• Technology: advisory services, application development & maintenance services, business intelligence & big data, cloud strategy and implementation, independent verification & validation, infrastructure services, managed services, IT service management, procurement services
• The Power of Emtec: business strategy, managed services & outsourcing, advisory services, analytics, governance
THANK YOU FOR YOUR TIME
Please visit us online at www.emtecinc.com