pci compliance: how to remain compliant and gain near real-time analytics on your data - emtec, inc

Emtec, Inc. Proprietary & Confidential. All rights reserved 2015. PCI Compliance- How To Remain Compliant And Gain Near Real Time Analytics By: John Gillespie

Upload: emtec-inc

Post on 19-Jul-2015


TRANSCRIPT

Page 1: PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on your Data - Emtec, Inc

PCI Compliance - How To Remain Compliant And Gain Near Real Time Analytics

By: John Gillespie

Page 2

What We Will Cover…

• Background
• PCI Standards
• Compliance Mapping / Tools
• Near Real-Time Reporting (Oracle EBS)
• Questions

Page 3

BACKGROUND - WHAT IS PCI DSS

• Payment Card Industry Data Security Standard (PCI DSS)
  – Developed by 5 major payment processing companies to reconcile their individual programs to a single set of payment requirements
  – Primary reason for PCI DSS is to protect cardholder data and prevent fraud
  – Version 3.1 of the standard (April 2015)

https://www.pcisecuritystandards.org

Page 4

PCI DSS APPLICABILITY

• According to the PCI Security Standards Council, PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Account Data                   Data Element             Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
Cardholder Data                Primary Account Number   Yes                 Yes
                               Cardholder Name          Yes                 No
                               Service Code             Yes                 No
                               Expiration Date          Yes                 No
Sensitive Authentication Data  Full Track Data          No                  Cannot store per Requirement 3.2
                               CAV2/CVC2/CVV2/CID       No                  Cannot store per Requirement 3.2
                               PIN/PIN Block            No                  Cannot store per Requirement 3.2

Page 5

SCOPE OF PCI DSS

• Systems that provide security services like firewalls, routers, switches, DNS, etc.
• Virtualized infrastructure such as hypervisors, virtual services / desktops and virtualized network infrastructure.
• Network infrastructure providing end-point connectivity, including wireless infrastructure.
• Servers hosting protocols like NTP, DNS, HTTP/HTTPS, FTP, SFTP, database protocols, authentication protocols, and mail protocols.
• Purchased (COTS) and custom applications.
• Any other unspecified component existing within or connected to the Cardholder Data Environment (CDE).

Page 6

BUSINESS AS USUAL AS A BEST PRACTICE

• Organizations that already have an audit and compliance approach to conducting business, such as companies subject to GLBA, SOX 404, JSOX, and HIPAA regulations, have an inherent leg up because the control design has already been defined.
• A control is a process for ensuring that a function, automated or manual in nature, is operable, effective and reliable. Controls and their design are never intended to be absolute, but reasonable and commensurate with the inherent risk.
• Segregated into:
  – Monitoring of Security
  – Detection of Failures and Deficiencies
  – Configuration Change Management
  – Organizational Change Management
  – Periodic Assessment
  – Periodic Review of Hardware and Software Technologies

Page 7

THE TWELVE COMPLIANCE REQUIREMENTS FOR PCI DSS

Page 8

AUDIT & COMPLIANCE ASSESSMENT PROGRAM

• Define the Scope
• Perform the Assessment
• Complete the Report on Compliance (ROC)
• Complete the Self-Assessment Questionnaire (SAQ)
• Compliance Validation Reports (Attestations of Compliance)
• Submit the SAQ and/or ROC along with the Attestation of Compliance to the Merchant / Service Provider
• IMPORTANT NOTE: PCI DSS requirements are not considered to be in place if controls have not yet been implemented or are scheduled to be completed at a future date. After any open or not-in-place items are addressed by the entity, the assessor will then reassess to validate that the remediation is completed and that all requirements are satisfied.

Page 9

ORACLE TOOLS FOR COMPLIANCE

• Of the 12 PCI DSS Requirements, Oracle tools can assist in fulfilling 6 PCI DSS requirements:
• Requirement 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
• Requirement 3: PROTECT STORED CARDHOLDER DATA
• Requirement 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
• Requirement 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
• Requirement 8: IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
• Requirement 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA

Page 10

WHICH ORACLE TOOLS ARE REQUIRED

Requirement / Oracle Capability

Requirement 2

Standard configuration of Oracle Data for User Accounts. Oracle Enterprise Manager provides out-of-the-box configuration scans based on Oracle, customer policy, and industry commonly accepted practices. OEM also provides Oracle Database discovery, provisioning and patching.

Oracle Audit Vault and Database Firewall consolidates audit data from across Oracle, Microsoft SQL Server, IBM DB2 for LUW, SAP Sybase ASE and Oracle MySQL databases, in addition to Windows and Linux platforms. Oracle Audit Vault and Database Firewall can report and alert on audit data. Oracle Database Vault separation of duties prevents unauthorized administrative actions in the Oracle Database. Oracle Database custom installation allows specific components to be installed or removed. Oracle Database provides network encryption (SSL/TLS and native) to encrypt all traffic over SQL*Net between the middle tier and the database, between clients and the database, and between databases. Additionally, some administrative tools, such as Enterprise Manager, provide a restricted-use SSL license to protect administrative traffic.

Requirement 3

Applications can leverage Virtual Private Database (VPD) with a column-relevant policy to mask out the entire number. Oracle Advanced Security with Data Redaction can consistently mask displayed data within applications. Oracle Data Masking protects production data used in non-production environments for testing and QA. Security controls provided by Oracle Label Security can help determine who should have access to the number. Oracle Database Vault realms can be used to prevent privileged users from accessing application data. In Oracle EBS, Oracle Wallet can be implemented to encrypt IBY transactions.

Oracle Advanced Security transparent data encryption (TDE), column encryption, and tablespace encryption can be used to transparently encrypt the Primary Account Number in the database and in backups on storage media. Oracle Advanced Security TDE column encryption provides the ability to independently re-key the master encryption key and/or table keys. Starting with Oracle Database 11g Release 2, the master encryption key for TDE tablespace encryption can be re-keyed as well. For PCI compliance, re-keying (rotating) the master encryption key is often sufficient. Oracle RMAN with Oracle Advanced Security can encrypt (and compress) the entire backup when backed up to disk. Oracle Data Pump with Oracle Advanced Security can encrypt (and compress) an entire database export (dump file). Encryption algorithms supported include AES with 256-, 192-, or 128-bit key length, as well as 3DES168. Designated individuals like a DBA or Database Security Administrator (DSA) need to know the wallet password or the HSM authentication string and have the 'alter system' privilege in order to open the wallet or HSM and make the master encryption key available to the database. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to perform secure key distribution.

Page 11

WHICH ORACLE TOOLS ARE REQUIRED (Cont.)

Requirement 6

Oracle follows the Common Vulnerability Scoring System (CVSS) when providing severity ratings for bug fixes released in Critical Patch Updates (CPUs). Enterprise User Security, an Oracle Database Enterprise Edition feature, combined with Oracle Identity Management, gives the ability to centrally manage database users and their authorizations in one place. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager enables the separation of privileges, manages self-service requests to privileged accounts, and provides auditing and reporting of password usage. Oracle Database Vault can help to protect DBA access to production data in Oracle Databases.

Oracle Data Masking de-identifies payment card numbers, and other sensitive information, for testing and development environments. Database change control procedures can be automated with Oracle Change Management. BPEL Process Manager can also be used for process management of change control and of security procedures in general.

Requirement 7

Oracle Label Security provides additional security attributes based on need-to-know or “least-privilege” requirements. Oracle Virtual Private Database provides basic runtime masking. Oracle Data Redaction removes or masks sensitive application data fields based on organizational and regulatory policy combined with the requestor’s entitlements. Oracle Database object privileges and database roles provide basic security. Oracle Identity Analytics defines roles to provide granular definition of jobs and functions, as well as short-term assignments.

Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data, based on role, job function, department, location, and/or other variables. This can be triggered automatically from the HR (HCM) system.
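As an added example, not code from the deck or from Oracle, here is the column-relevant VPD masking described under Requirement 3 together with the Data Redaction masking described under Requirement 7, applied to a constructed AR.AR_CARD_TXN table. The schema, table, role and user names (AR, AR_CARD_TXN, PCI_PAN_VIEWER, PCI_AUDITOR) are assumptions.

```sql
-- Constructed sample: a minimal card transaction table in an assumed AR schema.
-- Only PCI-permitted elements are stored (PAN, expiry); CVV2 / track data never are.
CREATE TABLE ar.ar_card_txn (
  txn_id      NUMBER PRIMARY KEY,
  pan         VARCHAR2(16) ENCRYPT USING 'AES256',  -- TDE column encryption (Req 3.4)
  expiry_mmyy VARCHAR2(4),
  tender_type VARCHAR2(10),
  amount      NUMBER(12,2)
);
CREATE ROLE pci_pan_viewer;   -- assumed: the only role permitted to see a PAN at all

-- VPD policy function (Req 3). With column masking, a predicate that is never
-- true does not drop rows; it returns the PAN column as NULL instead.
CREATE OR REPLACE FUNCTION ar.pci_pan_mask (p_schema IN VARCHAR2, p_obj IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF DBMS_SESSION.IS_ROLE_ENABLED('PCI_PAN_VIEWER') THEN
    RETURN NULL;    -- no predicate: column visible to the role holder
  END IF;
  RETURN '1 = 0';   -- never true: PAN masked, all other columns still returned
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'AR',
    object_name           => 'AR_CARD_TXN',
    policy_name           => 'PCI_PAN_COLUMN_MASK',
    function_schema       => 'AR',
    policy_function       => 'PCI_PAN_MASK',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PAN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);  -- mask the column, keep the rows
END;
/

-- Data Redaction (Req 7, Oracle Advanced Security): even role holders see only the
-- last four digits in application output unless they are the assumed PCI_AUDITOR.
-- Parameters: input mask, output mask, mask character, first and last position masked.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'AR',
    object_name         => 'AR_CARD_TXN',
    policy_name         => 'PCI_PAN_LAST4',
    column_name         => 'PAN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''PCI_AUDITOR''');
END;
/

-- Periodic master key rotation for TDE (12c syntax; on 11g the equivalent is
-- ALTER SYSTEM SET ENCRYPTION KEY). <keystore_password> is a placeholder.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<keystore_password>" WITH BACKUP;
```

The VPD policy decides whether the PAN leaves the table at all; the redaction policy limits what the application layer displays, so the two controls are layered rather than alternatives.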

Requirement 8

Oracle Database authentication supports dedicated user accounts and strong authentication capabilities, including Kerberos. Oracle Identity Governance Suite provides enterprise user provisioning using an automated workflow and central repository. Users are automatically de-provisioned when they are no longer active. Privileged access should be managed on an exception basis with one-time passwords (OTP). Extensive monitoring of privileged and/or support access provides assurance that personnel are only performing authorized activities.

Oracle Access Management Suite provides centralized application-layer access control, authorization and authentication. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager is a secure password management solution designed to generate, provision, and manage access to passwords. Repeated access attempts can trigger an account lockout, and the number of attempts and the remediation process are configurable. Oracle Access Management Suite supports strong authentication (tokens, smart cards, X.509 certificates, forms) as well as passwords.

Oracle Access Manager includes self-service password reset with policies that can meet the complexity requirements of PCI DSS 3.1.

Page 12

WHICH ORACLE TOOLS ARE REQUIRED (Cont.)

Requirement 10

Oracle Audit Vault and Database Firewall collects and centralizes database and system audit data for enterprise reporting and alerting. Oracle Database Vault audit trails can be collected in Oracle Audit Vault and Database Firewall. Oracle Database Fine-Grained Auditing (FGA) enables audit policies to be associated with columns in application tables, along with the conditions necessary for an audit record to be generated. Audit trails can be collected in Oracle Audit Vault and Database Firewall for reporting.

Oracle Database Conditional Auditing provides highly selective and effective auditing by creating records based on the context of the database session. Out-of-policy connections can be fully audited while no data is generated for others.

Related capabilities:
– Oracle Database Vault realms and separation of duties for more stringent controls on database administration
– Oracle Database Vault realm reports
– Oracle Audit Vault and Database Firewall audit data consolidation for enterprise reports and alerting
– Oracle Identity Governance Suite
– Oracle Access Management Suite audit reports
– Oracle Identity Analytics

Customized reports can be generated using Oracle Application Express, Oracle BI Publisher and 3rd-party tools. Oracle Access Management Suite and Identity Manager provide logs of all user activity and provisioning/de-provisioning.
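An added example, not from the deck, of the two Requirement 10 controls described above on a constructed AR.AR_CARD_TXN table: a Fine-Grained Auditing policy tied to the PAN column with a condition, and a 12c conditional (unified) audit policy that records only out-of-policy logons. The table, the SETTLE_BATCH account and the 10.20.30.0/24 application-tier subnet are assumptions.

```sql
-- Fine-Grained Auditing: generate a record only when a statement actually touches
-- the PAN column, and only for sessions other than the approved settlement batch.
-- Routine in-policy access produces no audit noise; everything else is captured.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'AR',
    object_name     => 'AR_CARD_TXN',
    policy_name     => 'PCI_PAN_ACCESS',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''SETTLE_BATCH''',
    audit_column    => 'PAN',
    statement_types => 'SELECT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,   -- keep SQL text and bind values
    enable          => TRUE);
END;
/

-- Conditional auditing (12c unified audit): record every logon that does not come
-- from the assumed application-tier subnet; in-policy sessions generate nothing.
-- The condition is evaluated once per session, not per statement.
CREATE AUDIT POLICY pci_cde_offnet_logon
  ACTIONS LOGON
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') NOT LIKE ''10.20.30.%'''
  EVALUATE PER SESSION;
AUDIT POLICY pci_cde_offnet_logon;

-- Near real-time review: PAN-column access in the last hour (traditional audit
-- trail view; under pure unified auditing query UNIFIED_AUDIT_TRAIL instead).
SELECT timestamp, db_user, os_user, userhost, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PCI_PAN_ACCESS'
   AND timestamp > SYSDATE - 1/24
 ORDER BY timestamp DESC;
```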

Page 13

CHALLENGES

• Native reporting is difficult and sometimes non-existent or poorly formatted
• Interim / point-in-time reporting does not exist
• IBY / Payments infrastructure is difficult to join due to encryption
• Seeded reporting is completely reliant on legacy RDFs (Oracle Reports .rdf files)
• Transaction tracing through the settlement process is difficult without custom extract development or professional services

Page 14

HOW HAVE WE SOLVED THIS QUANDARY

• Aside from assisting your company in complying with the rules and regulations of PCI DSS, we have developed a “Materialized View” for customers leveraging Oracle E-Business Suite that allows for interim reporting of:
  – Fully accounted transactions in Receivables, Payables, Subledger Accounting and Payments (both Processor and Gateway models)
  – Partially accounted credit card transactions that have not been settled, by leveraging the ISO 8583 payment specification. This method allows for a determination of credit card risk prior to settlement based upon the floor-limit pre-authorization
  – Grouping of the extract by tender type to determine the interchange rate and the discount / fees that are booked on a period basis
  – Ability to be secured with native Oracle security and RBAC (Role Based Access Controls)
  – Credit card transaction errors for root cause analysis (Auth, Pre-Settlement and Post-Settlement)
  – The view leverages Microsoft Excel via XML Publisher to manipulate data.
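A simplified sketch of the interim-reporting idea, added here and not Emtec's materialized view: an aggregate materialized view grouped by tender type and settlement/accounting state that carries no PAN, is refreshed as transactions commit, and is readable only through a role. CARD_TXN_STAGE and its columns are constructed stand-ins for the EBS receivables and payments tables, not real EBS objects.

```sql
-- Constructed staging table (hypothetical name and columns). It holds no PAN,
-- so the reporting layer never becomes a place where cardholder data is stored.
CREATE TABLE card_txn_stage (
  txn_id         NUMBER PRIMARY KEY,
  tender_type    VARCHAR2(10),   -- VISA, MC, AMEX, ...
  settled_flag   CHAR(1),        -- 'Y' once the settlement batch has closed
  accounted_flag CHAR(1),        -- 'Y' once Subledger Accounting has fully accounted it
  amount         NUMBER(12,2),
  error_code     VARCHAR2(8)     -- NULL unless the auth or settlement step failed
);

-- Materialized view log: required for FAST refresh of an aggregate MV.
CREATE MATERIALIZED VIEW LOG ON card_txn_stage
  WITH SEQUENCE, ROWID (tender_type, settled_flag, accounted_flag, amount, error_code)
  INCLUDING NEW VALUES;

-- Aggregate MV refreshed on commit: point-in-time figures per tender type and
-- settlement/accounting state. COUNT(*) and COUNT(amount) are the extra
-- aggregates Oracle needs to keep SUM(amount) fast-refreshable.
CREATE MATERIALIZED VIEW pci_interim_settlement_mv
  BUILD IMMEDIATE
  REFRESH FAST ON COMMIT
AS
SELECT tender_type,
       settled_flag,
       accounted_flag,
       COUNT(*)          AS txn_count,
       COUNT(amount)     AS amount_count,
       SUM(amount)       AS gross_amount,
       COUNT(error_code) AS error_count     -- feeds root-cause analysis of failures
  FROM card_txn_stage
 GROUP BY tender_type, settled_flag, accounted_flag;

-- Native Oracle RBAC: only holders of the assumed reporting role can read the view.
CREATE ROLE pci_interim_report;
GRANT SELECT ON pci_interim_settlement_mv TO pci_interim_report;

-- Pre-settlement exposure by tender type: authorized but not yet settled.
SELECT tender_type,
       SUM(gross_amount) AS unsettled_exposure,
       SUM(error_count)  AS errors
  FROM pci_interim_settlement_mv
 WHERE settled_flag = 'N'
 GROUP BY tender_type;
```

ON COMMIT refresh adds work to every committing transaction on the base table; for a high-volume payments table a scheduled REFRESH FAST ON DEMAND is the usual trade-off between freshness and OLTP latency.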

Page 15

PORTABLE DATA FOR ANALYTICS

Page 16

PORTABLE DATA FOR ANALYTICS

Page 17

PORTABLE DATA FOR ANALYTICS

Page 18

OUR COMPANY / OUR PEOPLE / OUR SERVICES / GLOBAL DELIVERY (company overview slide; figures legible on the slide: 47 years serving clients, 500 dedicated associates, 87% from prior tier 1 consultancies, 14 avg. years experience, 25+ other partners)

“right size provider” / “client for life” / Technology Empowered Business Solutions

Global delivery: India (Pune, Bangalore); USA (IL, PA, NJ, GA, VA, MN, FL); Canada (Toronto, Ottawa); onshore, offshore, nearshore and blended managed services

Services: Advisory (strategy, governance, process); Applications (ERP, HCM, CRM, app. development, mobile solutions); Cloud (applications, infrastructure); Analytics (enterprise reporting, predictive analytics, big data); Infrastructure (service management, enterprise infrastructure, end user computing)

Business and Technology Empowered

Page 19

An Exciting Year For Emtec… And Our Clients!

Vertical Focus
• Strategy
• Enterprise Solutioning
• Management Consulting
• Line of Business Expertise

Advisory Services Expansion: Services, GEO, Vertical, SMAC

Page 20

Emtec Services Align Well with Each Stakeholder Community

ENTERPRISE SUITE

SALES & MARKETING: 360 degree view of the customer; Sales force automation; Customer Service; Marketing Automation; Customer and Product Data Management; BI / Analytics

HCM: Workforce Planning; HR Analytics; Talent Management; Employee Self-Service; Performance Management; Total Compensation

CFO / FINANCE: Budget & Planning; Financial Close Mgmt; Procure to Pay; SEC Reporting; Financial Analytics; Cash Management

OPERATIONS: Forecasting; Operational Analytics; ERP; Project Costing

TECHNOLOGY: Advisory Services; Application Development & Maintenance Services; Business Intelligence & Big Data; Cloud Strategy and Implementation; Independent Verification & Validation; Infrastructure Services; Managed Services; IT Service Management; Procurement Services

Business Strategy; Managed Services & Outsourcing; Advisory Services; Analytics; Governance

The POWER of Emtec

Page 21

THANK YOU FOR YOUR TIME

Please visit us online at www.emtecinc.com
