PCI DSS v 3.0 and Oracle Security Mapping

1. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.1 Helping Customers Comply with PCI DSS v3.0 Payment Card Industry Data Security Standards Troy Kitch Principal Director Security Software Product Marketing

3. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.4 9000-6000 BC CATTLE 500 BC SILVER COINS 806 PAPER CURRENCY 1891 AMERICAN EXPRESS TRAVELER’S CHECKS 1946 FIRST BANK CARD 1966 MODERN CREDIT CARD 1983 RADIO FREQUENCY IDENTIFICATION (RFID) 1997 1st MOBILE PAYMENT 1999 PAYPAL 2004 NEAR FIELD COMMUNICATION FORUM 2007 MOBILE PAYMENT DEVELOPED 2010 SQUARE FUTURE IMPLANTS & MUCH MORE A BRIEF HISTORY OF THE PAYMENT INDUSTRY PAYMENTS DEPEND ON TRUST

4. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.5 WHY IS PCI $11B LOST IN 20120 2 4 6 8 10 12 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 GLOBAL PAYMENT CARD INDUSTRY LOSSES $BILLIONS

5. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.6 Merchant .5 " Issuing Bank (Consumer Bank) Card Holder (Consumer) .5 " Payment Card Processors TranUnion Equifax Experian Wm Morrison Amazon Wal Mart Credit Bureaus Deutsche Bank Barclays Royal Bank of Scotland PNC BluePay PayPal Merchant One Credit Agricole Group BNP Paribas HSBC Holdings Banco Santander Collection Agency SquareTwo Euler Hermes Atradius Payment Card Industry Acquiring Bank (Merchant Bank) PAYMENT CARD THE FLOW OF CREDIT

6. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.7 Attacker phishes third party contractor Malware sends credit card data to internal server; sends custom ping to notify Malware scrapes RAM for clear text credit card stripe data Finds and infects internal Windows file server Attacker uses stolen credentials to access contractor portal Stolen data exfiltrated to FTP Servers Finds & infects point of sale systems with malware ANATOMY OF A MILLIONS OF CONSUMERS EFFECTED PERIMETER

8. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.9 LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 SIZE MATTERS BY TRANSACTION VOLUME ANNUAL ONSITE ASSESSMENT QTRLY NETWORKS SCANS ANNUAL SELF ASSESSMENT QTRLY NETWORKS SCANS ANNUAL SELF ASSESSMENT QTRLY NETWORKS SCANS ANNUAL SELF ASSESSMENT QTRLY NETWORKS SCANS 6M+ 1M-6M 20K-1M 0K-20K

9. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.10  Clarifications  Change all default passwords  Mask displayed data  Encryption key storage  Detect/prevent web-based attack  Guidance  Business as Usual Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf IN PCI DSS v3.0

10. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.11 TWELVE PCI REQUIREMENTS Identify and authenticate access to system components Regularly test security systems and processes Restrict access to cardholder data by business need to know Develop and maintain secure systems and applications Protect stored cardholder data Remove vendor defaults for passwords and security configs Maintain a policy that addresses infosec for all personnel Track, monitor access to network resources and cardholder data Restrict physical access to cardholder data Encrypt transmission of cardholder data across open, public networks Protect systems against malware and update anti-virus software Install firewall configuration to protect cardholder data

11. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.12 Identify and authenticate access to system components Regularly test security systems and processes Restrict access to cardholder data by business need to know Develop and maintain secure systems and applications Protect stored cardholder data Remove vendor defaults for passwords and security configs Maintain a policy that addresses infosec for all personnel Track, monitor access to network resources and cardholder data Restrict physical access to cardholder data Encrypt transmission of cardholder data across open, public networks Protect systems against malware and update anti-virus software Install firewall configuration to protect cardholder data REQUIREMENTS ORACLE ADDRESSES

13. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.14 CAPABILITIES PASSWORDS SECURITY CONFIGS 2. REMOVE DEFAULT AND  Forced password reset  Configuration scans  Database lifecycle mgmt.  SSL/TLS network encryption EXAMPLES Change vendor-supplied PASSWORD DEFAULTS Develop CONFIGURATION STANDARDS for all system components ENCRYPT non-console administrative access

14. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.15 CAPABILITIES STORED DATA 3. PROTECT CARDHOLDER  Transparent Data Encryption  Data Redaction  Data Masking  Secure Backup  Privileged Access Control EXAMPLES ENCRYPT cardholder data at rest and REDACT on display REDUCE PRIVILEGED ACCESS to card holder information MASK non-production card data

15. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.16 CAPABILITIES SECURE SYSTEMS APPLICATIONS 6. DEVELOP AND MAINTAIN AND  Follow Oracle Critical Patch Updates  Mask PII in nonproduction  Monitor and block SQL injection attacks EXAMPLES Apply PATCHES within 1 month MASK live PANs in TEST and DEVELOPMENT Address SQL INJECTIONS Enforce SEPARATION of TEST and DEVELOPMENT

16. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.17 CAPABILITIES CARDHOLDER DATA BY BUSINESS 7. RESTRICT NEED TO KNOW  Privilege user access controls  Privilege analysis EXAMPLES Limit ACCESS based on NEED TO KNOW and JOB Employ LEAST PRIVILEGE and SEPARATION of DUTIES ACCESS TO

17. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.18 CAPABILITIES AUTHENTICATE 8. IDENTIFYAND ACCESS TO SYS COMPONENTS  Multifactor authentication  Strong authentication  Single sign-on  Provision Unique-ID’s EXAMPLES Assign a UNIQUE ID to each person with access STRONG AUTHENTICATION for all administrators Set PASSWORD POLICIES MONITOR and ALERT on all suspicious activity

18. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.19 CAPABILITIES ACCESS 10. TRACK AND MONITOR RESOURCES AND CARD HOLDER DATA  Database and system audit  Database activity monitoring  Alerting and Blocking SQL  Conditional auditing EXAMPLES Implement AUDIT TRAILS REDUCE PRIVILEGED ACCESS to card holder information TO NETWORK

19. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.20 SquareTwo Financial is an asset and recovery management organization that secures more than two million individuals and small businesses using Oracle • Minimal customer disruption – 5.9 million accounts • Quickly scale security – 37% company growth • Addressed compliance – PCI, GLBA, HIPAA, and SOX SquareTwo Financial SECURING CARDHOLDER DATA

20. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.21 TransUnion provides credit information and information management services to 45,000 businesses and 500 million consumers worldwide. • Oracle Advanced Security – zero downtime, no application changes • Seamless key rotation – no impact to performance • Audit Vault and Database Firewall – 10k transactions/sec • PCI DSS Compliant – satisfies all auditor requirements TransUnion SECURING CARDHOLDER DATA

21. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.22 Learn More  Sustainable Compliance for the Payment Card Industry Data Security Standard  http://www.oracle.com/us/products/database/security-pci-dss-wp-078843.pdf PCI Compliance Whitepaper