Emtec, Inc. Proprietary & Confidential. All rights reserved 2015.
PCI Compliance - How To Remain Compliant And Gain Near Real Time Analytics
By: John Gillespie
What We Will Cover…
• Background
• PCI Standards
• Compliance Mapping / Tools
• Near Real-Time Reporting (Oracle EBS)
• Questions
BACKGROUND - WHAT IS PCI DSS
• Payment Card Industry Data Security Standard (PCI DSS)
–Developed by the 5 major payment processing companies to reconcile their individual programs into a single set of payment security requirements
–The primary purpose of PCI DSS is to protect cardholder data and prevent fraud
–Version 3.1 of the standard (April 2015)
https://www.pcisecuritystandards.org
PCI DSS APPLICABILITY
• According to the PCI Security Standards Council, PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.
Account data elements, whether storage is permitted, and whether stored data must be rendered unreadable (PCI DSS Requirements 3.2 and 3.4):

Account Data                  | Data Element           | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4
------------------------------+------------------------+-------------------+--------------------------------------------------
Cardholder Data               | Primary Account Number | Yes               | Yes
                              | Cardholder Name        | Yes               | No
                              | Service Code           | Yes               | No
                              | Expiration Date        | Yes               | No
Sensitive Authentication Data | Full Track Data        | No                | Cannot store per Requirement 3.2
                              | CAV2/CVC2/CVV2/CID     | No                | Cannot store per Requirement 3.2
                              | PIN/PIN Block          | No                | Cannot store per Requirement 3.2
SCOPE OF PCI DSS
• Systems that provide security services, such as firewalls, routers, switches, DNS, etc.
• Virtualized infrastructure such as hypervisors, virtual services / desktops and virtualized network infrastructure.
• Network infrastructure providing end-point connectivity, including wireless infrastructure.
• Servers hosting protocols such as NTP, DNS, HTTP/HTTPS, FTP, SFTP, database protocols, authentication protocols and mail protocols.
• Purchased (COTS) and custom applications.
• Any other unspecified component existing within or connected to the Cardholder Data Environment (CDE).
BUSINESS AS USUAL AS A BEST PRACTICE
• Organizations that already have an audit and compliance approach to conducting business, such as companies subject to GLBA, SOX 404, JSOX and HIPAA regulations, have an inherent leg up because the control design has already been defined.
• A control is a process for ensuring that a function, automated or manual in nature, is operable, effective and reliable. Controls and their design are never intended to be absolute, but reasonable and commensurate with the inherent risk.
• Segregated into:
–Monitoring of Security
–Detection of Failures and Deficiencies
–Configuration Change Management
–Organizational Change Management
–Periodic Assessment
–Periodic Review of Hardware and Software Technologies
THE TWELVE COMPLIANCE REQUIREMENTS FOR PCI DSS
AUDIT & COMPLIANCE ASSESSMENT PROGRAM
• Define the Scope
• Perform the Assessment
• Complete the Report on Compliance (ROC)
• Complete the Self-Assessment Questionnaire (SAQ)
• Compliance Validation Reports (Attestations of Compliance)
• Submit the SAQ and/or ROC along with the Attestation of Compliance to the Merchant / Service Provider
• IMPORTANT NOTE: PCI DSS requirements are not considered to be in place if controls have not yet been implemented or are scheduled to be completed at a future date. After any open or not-in-place items are addressed by the entity, the assessor will then reassess to validate that the remediation is completed and that all requirements are satisfied.
ORACLE TOOLS FOR COMPLIANCE
• Of the 12 PCI DSS Requirements, Oracle tools can assist in fulfilling 6 PCI DSS requirements:
• Requirement 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
• Requirement 3: PROTECT STORED CARDHOLDER DATA
• Requirement 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
• Requirement 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
• Requirement 8: IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
• Requirement 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
WHICH ORACLE TOOLS ARE REQUIRED
Requirement | Oracle Capability

Requirement 2
Standard configuration of Oracle Data for User Accounts. Oracle Enterprise Manager provides out-of-the-box configuration scans based on Oracle, customer policy, and industry commonly accepted practices. OEM also provides Oracle Database discovery, provisioning and patching.
Oracle Audit Vault and Database Firewall consolidates audit data from across Oracle, Microsoft SQL Server, IBM DB2 for LUW, SAP Sybase ASE and Oracle MySQL databases, in addition to Windows and Linux platforms. Oracle Audit Vault and Database Firewall can report and alert on audit data. Oracle Database Vault separation of duties prevents unauthorized administrative actions in the Oracle Database. Oracle Database custom installation allows specific components to be installed or removed. Oracle Database provides network encryption (SSL/TLS and native) to encrypt all traffic over SQL*Net between the middle tier and the database, between clients and the database, and between databases. Additionally, some administrative tools, such as Enterprise Manager, provide a restricted-use SSL license to protect administrative traffic.

Requirement 3
Applications can leverage Virtual Private Database (VPD) with a column-relevant policy to mask out the entire number. Oracle Advanced Security with Data Redaction can consistently mask displayed data within applications. Oracle Data Masking protects production data used in non-production environments for testing and QA. Security controls provided by Oracle Label Security can help determine who should have access to the number. Oracle Database Vault realms can be used to prevent privileged users from accessing application data. In Oracle EBS, Oracle Wallet can be implemented to encrypt IBY transactions. Oracle Advanced Security transparent data encryption (TDE), column encryption, and tablespace encryption can be used to transparently encrypt the Primary Account Number in the database and when backed up on storage media. Oracle Advanced Security TDE column encryption provides the ability to independently re-key the master encryption key and/or table keys. Starting with Oracle Database 11g Release 2, the master encryption key for TDE tablespace encryption can be re-keyed as well. For PCI compliance, re-keying (rotating) the master encryption key is often sufficient. Oracle RMAN with Oracle Advanced Security can encrypt (and compress) the entire backup when backed up to disk. Oracle Data Pump with Oracle Advanced Security can encrypt (and compress) the entire database export file. Encryption algorithms supported include AES with 256-, 192- or 128-bit key length, as well as 3DES168. Designated individuals such as a DBA or Database Security Administrator (DSA) need to know the wallet password or the HSM authentication string and have the 'alter system' privilege in order to open the wallet or HSM and make the master encryption key available to the database. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to perform secure key distribution.
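An added example (not from the deck and not Oracle's own sample code) of the Requirement 3 controls named above expressed as Oracle SQL: TDE column encryption renders the stored PAN unreadable, the master key is re-keyed, and a Data Redaction policy masks the PAN on display. Assumed names: schema PCI_APP, table CARD_TXN with a VARCHAR2 column PAN, a settlement user IBY_SETTLE that legitimately needs the full number, and a TDE wallet that already exists and is open.

```sql
-- Added example (not the deck's code). Assumed: schema PCI_APP, table CARD_TXN
-- with a VARCHAR2 column PAN, an open TDE wallet, and a user IBY_SETTLE that
-- needs the full PAN for settlement.

-- 1. Requirement 3.4: render the stored PAN unreadable with TDE column
--    encryption (AES-256). NO SALT keeps the column indexable.
ALTER TABLE pci_app.card_txn
  MODIFY (pan ENCRYPT USING 'AES256' NO SALT);

-- 2. Key rotation: re-key the TDE master encryption key (11g Release 2
--    syntax; the wallet password is a placeholder).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";

-- 3. Requirement 3.3: mask the PAN on display for every session except the
--    settlement user. The regular expression keeps the first six and last
--    four digits of a 13- to 19-digit PAN and replaces the middle with '*'.
--    (Data Redaction needs Oracle Database 12c or 11.2.0.4.)
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema         => 'PCI_APP',
    object_name           => 'CARD_TXN',
    policy_name           => 'REDACT_PAN_DISPLAY',
    column_name           => 'PAN',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => '(\d{6})(\d{3,9})(\d{4})',
    regexp_replace_string => '\1******\3',
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL,
    expression            => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''IBY_SETTLE''');
END;
/

-- 4. Check: the column is encrypted on disk regardless of who is querying.
SELECT column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'PCI_APP' AND table_name = 'CARD_TXN';
```

Redaction only changes what a query returns; the at-rest protection and the backup protection come from TDE and RMAN/Data Pump encryption, so both controls are needed together.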
WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
Requirement 6
Oracle follows the Common Vulnerability Scoring System (CVSS) when providing severity ratings for bug fixes released in Critical Patch Updates (CPUs). Enterprise User Security, an Oracle Database Enterprise Edition feature, combined with Oracle Identity Management, gives the ability to centrally manage database users and their authorizations in one central place. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager enables the separation of privileges, manages self-service requests to privileged accounts, and provides auditing and reporting of password usage. Oracle Database Vault can help to protect DBA access to production data in Oracle Databases.
Oracle Data Masking de-identifies payment card numbers, and other sensitive information, for testing and development environments. Database change control procedures can be automated with Oracle Change Management. BPEL Process Manager can also be used for process management of change control and of security procedures in general.
Requirement 7
Oracle Label Security provides additional security attributes based on need-to-know or "least-privilege" requirements. Oracle Virtual Private Database provides basic runtime masking. Oracle Data Redaction removes or masks sensitive application data fields based on organizational and regulatory policy combined with the requestor's entitlements. Oracle Database object privileges and database roles provide basic security. Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data. Oracle Identity Analytics defines roles to provide granular definition of jobs and functions, as well as short-term assignments.
Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data based on role, job function, department, location, and/or other variables. This can be triggered automatically from the HR (HCM) system.
Requirement 8
Oracle Database authentication supports dedicated user accounts and strong authentication capabilities, including Kerberos. Oracle Identity Governance Suite provides enterprise user provisioning using an automated workflow and central repository. Users are automatically de-provisioned when they are no longer active. Privileged access should be managed on an exception basis with one-time passwords (OTP). Extensive monitoring of privileged and/or support access provides assurance that personnel are only performing authorized activities.
Oracle Access Management Suite provides centralized application-layer access control, authorization and authentication. Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager is a secure password management solution designed to generate, provision, and manage access to passwords. Repeated access attempts can trigger an account lockout, and the number of attempts and the remediation process are configurable. Oracle Access Management Suite supports strong authentication (tokens, smart cards, X.509 certificates, forms) as well as passwords.
Oracle Access Manager includes self-service password reset with policies that can meet the complexity requirements of PCI DSS 3.1.
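The slide attributes lockout and password-complexity enforcement to Oracle Access Management. As an added example (not from the deck), the same Requirement 8 limits can also be enforced at the Oracle Database layer for the dedicated database accounts the slide mentions, using a profile; the numeric limits below are the PCI DSS 3.1 Requirement 8 minimums (8.1.6 to 8.1.8 and 8.2.3 to 8.2.5). Assumed: the verify function has been installed from utlpwdmg.sql, and an application user IBY_SETTLE exists.

```sql
-- Added example (not from the deck): database-side profile implementing the
-- PCI DSS 3.1 Requirement 8 limits for dedicated Oracle Database accounts.
-- Assumed: ora12c_verify_function was created by running
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (11g ships verify_function_11G
-- instead), and the application user IBY_SETTLE exists.
CREATE PROFILE pci_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    6                       -- 8.1.6: lock after at most six failed attempts
  PASSWORD_LOCK_TIME       1/48                    -- 8.1.7: locked for at least 30 minutes (unit is days)
  IDLE_TIME                15                      -- 8.1.8: re-authenticate after 15 idle minutes
  PASSWORD_LIFE_TIME       90                      -- 8.2.4: change passwords at least every 90 days
  PASSWORD_GRACE_TIME      0                       -- no grace period once expired
  PASSWORD_REUSE_MAX       4                       -- 8.2.5: none of the last four passwords
  PASSWORD_REUSE_TIME      1                       --   (both reuse limits must be met before reuse)
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function; -- 8.2.3: length and alpha+numeric checks

-- Attach the profile to every interactive account that touches cardholder data.
ALTER USER iby_settle PROFILE pci_user_profile;

-- IDLE_TIME is enforced only while resource limits are switched on.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Check: open accounts still on the DEFAULT profile or with lockout disabled.
SELECT u.username, u.profile, p.limit AS failed_login_attempts
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
   AND (u.profile = 'DEFAULT' OR p.limit = 'UNLIMITED')
   AND u.account_status = 'OPEN';
```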
WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
Requirement 10
Oracle Audit Vault and Database Firewall collects and centralizes database and system audit data for enterprise reporting and alerting. Oracle Database Vault audit trails can be collected in Oracle Audit Vault and Database Firewall. Oracle Database Fine-Grained Auditing (FGA) enables audit policies to be associated with columns in application tables, along with the conditions necessary for an audit record to be generated. Audit trails can be collected in Oracle Audit Vault and Database Firewall for reporting.
Oracle Database Conditional Auditing provides highly selective and effective auditing by creating records based on the context of the database session. Out-of-policy connections can be fully audited while no data is generated for others.
–Oracle Database Vault realms and separation of duties for more stringent controls on database administration
–Oracle Database Vault realm reports
–Oracle Audit Vault and Database Firewall audit data consolidation for enterprise reports and alerting
–Oracle Identity Governance Suite
–Oracle Access Management Suite audit reports
–Oracle Identity Analytics
Customized reports can be generated using Oracle Application Express, Oracle BI Publisher and 3rd-party tools. Oracle Access Management Suite and Identity Manager provide logs of all user activity and provisioning/de-provisioning.
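An added example (not from the deck) of the two Requirement 10 mechanisms described above: a Fine-Grained Auditing policy tied to the PAN column with a condition, and a 12c conditional unified audit policy that fully audits out-of-policy connections while generating nothing for the rest. Assumed names: schema PCI_APP, table CARD_TXN with column PAN, a settlement job user IBY_SETTLE, and an application-tier subnet 10.20.0.0/16 (placeholder).

```sql
-- Added example (not from the deck). Assumed: schema PCI_APP, table CARD_TXN
-- with column PAN, settlement job user IBY_SETTLE, application tier on the
-- placeholder subnet 10.20.0.0/16.

-- 1. FGA: record only statements that actually touch the PAN column and do
--    not come from the settlement job. DB+EXTENDED keeps SQL text and binds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'PCI_APP',
    object_name     => 'CARD_TXN',
    policy_name     => 'FGA_PAN_ACCESS',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''IBY_SETTLE''',
    audit_column    => 'PAN',
    enable          => TRUE,
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 2. Conditional auditing (12c unified auditing): fully audit any session
--    that reaches the table from outside the application tier; sessions
--    inside it produce no records. The condition is evaluated once per
--    session rather than per statement.
CREATE AUDIT POLICY pci_out_of_policy_conn
  ACTIONS ALL ON pci_app.card_txn
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') NOT LIKE ''10.20.%'''
  EVALUATE PER SESSION;
AUDIT POLICY pci_out_of_policy_conn;

-- 3. Review: who read or changed PANs in the last day. In pure unified
--    auditing mode query UNIFIED_AUDIT_TRAIL instead; either trail can be
--    collected by Audit Vault for central reporting and alerting.
SELECT db_user, os_user, userhost, statement_type, sql_text, timestamp
  FROM dba_fga_audit_trail
 WHERE policy_name = 'FGA_PAN_ACCESS'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;
```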
CHALLENGES
• Native reporting is difficult and sometimes non-existent or poorly formatted
• Interim / point-in-time reporting does not exist
• The IBY / Payments infrastructure is difficult to join due to encryption
• Seeded reporting is completely reliant on legacy RDFs
• Transaction tracing through the settlement process is difficult without custom extract development or professional services
HOW HAVE WE SOLVED THIS QUANDARY
• Aside from assisting your company in complying with the rules and regulations of PCI DSS, we have developed a "Materialized View" for customers leveraging Oracle E-Business Suite that allows for interim reporting of:
–Fully accounted transactions in Receivables, Payables, Subledger Accounting and Payments (both Processor and Gateway models)
–Partially accounted credit card transactions that have not yet been settled, by exploiting the ISO 8583 payment specification. This method allows credit card risk to be determined prior to settlement, based upon the floor-limit pre-authorization
–Grouping of the extract by tender type to determine the interchange rate and the discount / fees that are booked on a period basis
–Ability to be secured with native Oracle security and RBAC (Role Based Access Controls)
–Credit card transaction errors for root cause analysis (Auth, Pre-Settlement and Post-Settlement)
–The view leverages Microsoft Excel via XML Publisher to manipulate data
PORTABLE DATA FOR ANALYTICS
OUR COMPANY (company overview infographic; only the legible content is kept here)
• 500 dedicated associates; Best Places to Work 2012; "right size provider", "client for life"
• Global delivery: India (Pune, Bangalore), USA (IL, PA, NJ, GA, VA, MN, FL), Canada (Toronto, Ottawa)
• Our people: 87% from prior tier 1 consultancies, 14 avg. years experience, fulltime employees; 25+ other partners
• Delivery models: onshore, offshore, nearshore, blended managed services
• Our services: Advisory (strategy, governance, process); Applications (ERP, HCM, CRM, app. development, mobile solutions); Cloud (applications, infrastructure); Analytics (enterprise reporting, predictive analytics, big data); Infrastructure (service management, enterprise infrastructure, end user computing)
Business and Technology Empowered
An Exciting Year For Emtec… And Our Clients!
• Vertical Focus
• Advisory Services Expansion: Strategy, Enterprise Solutioning, Management Consulting, Line of Business Expertise
• Growth dimensions: Services, GEO, Vertical, SMAC
Emtec Services Align Well with Each Stakeholder Community
• ENTERPRISE SUITE / SALES & MARKETING: 360 degree view of the customer, sales force automation, customer service, marketing automation, customer and product data management, BI / analytics
• HCM: workforce planning, HR analytics, talent management, employee self-service, performance management, total compensation
• CFO / FINANCE: budget & planning, financial close management, procure to pay, SEC reporting, financial analytics, cash management
• OPERATIONS: forecasting, operational analytics, ERP, project costing
• TECHNOLOGY: advisory services, application development & maintenance services, business intelligence & big data, cloud strategy and implementation, independent verification & validation, infrastructure services, managed services, IT service management, procurement services
• Cross-cutting: business strategy, managed services & outsourcing, advisory services, analytics, governance
The POWER of Emtec
THANK YOU FOR YOUR TIME
Please visit us online at www.emtecinc.com