NCOAUG Training Day 2007
Oracle Applications and Credit Cards: Security and PCI Compliance Issues
Stephen Kost, Chief Technology Officer, Integrigy Corporation

Agenda
- Payment Card Industry Overview
  − What is PCI?
  − Data Security Standard (DSS)
- Oracle Applications and Credit Cards
  − What is stored where
  − Credit Card Encryption Patch
- Oracle Applications and PCI Compliance
Presentation is based on the Integrigy whitepaper available at http://www.integrigy.com

About Integrigy
- Integrigy is the only firm that is dedicated to Oracle Applications security
- Oracle Applications security assessments
- AppSentry – the only security auditing tool available for Oracle Applications
- Integrigy assists companies and assessors in identifying and remediating PCI compliance issues in Oracle Applications
- Disclaimer: Integrigy is not a PCI Qualified Security Assessor (QSA) nor an Approved Scanning Vendor (ASV)

Payment Card Industry
- PCI Security Standards Council is a single organization that consolidated the multiple credit card security programs
  − American Express, Discover, JCB, MasterCard, Visa
- Publishes the "Data Security Standard" and related documents
- Manages third-party "Qualified Security Assessors (QSA)" and "Approved Scanning Vendors (ASV)"

PCI Data Security Standard 1.1
- A set of 12 stringent security requirements for networks, network devices, servers, and applications
- Specific requirements in terms of security configuration and policies; all the requirements are mandatory
- Focused on securing credit card data
- Significant emphasis on general IT security and controls

PCI DSS
[Diagram: PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) publishes PCI Data Security Standard 1.1, with its Audit Procedures, Scanning Requirements and Self-Assessment Questionnaire; the card brand programs shown are American Express, MasterCard and Visa.]

PCI Compliance
- Compliance is dependent on card brand, merchant type (ecommerce), and transactions
  − On-site assessment
  − Quarterly external scans
  − Self-assessment questionnaire
  − Depending on card brand, may be required to submit documentation
- In case of a data breach, compliance is assessed by a team of forensic auditors
  − Audit result determines liability

Oracle Applications and Credit Cards
- Storage of credit card data is by module
- Card number stored un-encrypted
- Masking of card numbers controlled by module-specific profile options
- Default installation is NOT PCI compliant
- iPayment is the payment gateway
  − Oracle Payments in R12

Oracle Applications and Credit Cards
[Diagram: credit card storage by module. Modules shown: Collections, Service Contracts, Order Capture, AR, Order Management, iStore, iPayment. Tables shown: ap_bank_accounts_all, oks_k_headers_*, oks_k_lines_*, aso_payments, oe_order_headers_all, iby_trxn_summaries_all, iby_credit_card. Not pictured: Internet Expenses (AP), Lease Management (AP).]

Credit Card Encryption Patch
- Metalink Note ID 338756.1, Patch 4607647
  − Consolidates card numbers into the IBY_SECURITY_SEGMENTS table
  − Encrypts card numbers in IBY_SECURITY_SEGMENTS
  − Uniform masking of card numbers
  − Significant functional pre-requisites (18.104.22.168)
- Oracle Student System (IGS)
  − Available in 11i.IGS.M Rollup 1
- No encryption for Oracle Internet Expenses
  − Available in R12

Credit Card Encryption Patch
[Diagram: same modules and tables as above, with card numbers consolidated into iby_security_segments. Not pictured: Internet Expenses (AP) – R12; Lease Management (AP) – same as AR.]

PCI and Oracle Applications
- All Oracle Applications implementations that "store, process, or transmit cardholder data" must comply with the Data Security Standard 1.1 regardless of size or transaction volume.

PCI Scope and Oracle Applications
[Diagram: Oracle Applications modules GL, AP, HR, CE, OIE, AR, PER, FA, PO, WIP, OM, IBE, INV, IBY, with the PCI scope drawn around credit card processing and storage. Diagram is for illustration only and module integration points are not technically accurate.]

PCI Requirements
[Table: each requirement is marked against the columns Network, Server, Database, Oracle and Policy.]
 1. Use firewall to protect data
 2. Do not use vendor-supplied defaults
 3. Protect stored cardholder data
 4. Encrypt across open, public networks
 5. Use anti-virus software
 6. Develop and maintain secure applications
 7. Restrict access to cardholder data
 8. Assign unique IDs for access
 9. Restrict physical access to data
10. Track and monitor access
11. Regularly test security
12. Maintain information security policy

#2 - Do not use vendor-supplied defaults
- Change all default database passwords and seeded application account passwords
- Implement all recommendations in Oracle Metalink Note ID 189367.1 "Best Practices for Securing Oracle E-Business Suite"
- All administrator network traffic must be encrypted; consequently, all network traffic must be encrypted
  − SSL, SSH, SQL*Net encryption

#3 - Protect stored cardholder data
- Must apply the Credit Card Encryption Patch (4607647)
  − Review all masking profile options to determine if functionally appropriate and PCI compliant
  − Key management policies and procedures are critical
- Storing of card data in logs is a major issue
  − iPayment is tricky to configure, so debugging and/or logging often is enabled
  − Look at other log files such as Apache and OAF
- Review existing data archiving and purging

#6 - Develop and maintain secure apps
- Oracle Critical Patch Updates (CPU) should be applied within 30 days!
  "Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release."
- All sensitive data must be scrambled or removed during cloning, including encrypted and hashed data

#8 - Assign unique IDs for access
- No generic accounts, or all usage must be tied to an individual
  − How to handle APPS, ORACLE, APPLMGR?
  − No generic accounts for the concurrent manager
  − No APPS_READ accounts
- Strong password controls must be implemented for database and application
  − Length >= 7, hard to guess, expire every 90 days, no reuse > 450 days, failure limit <= 6
  − Need to use database profiles to enforce database passwords
- Session time-out = 15 minutes

#10 - Track and monitor access
- PCI has a strong focus on logging, auditing, and monitoring
  − Need to have logs and audit trails to forensically determine what happened in case of an incident
  − Daily review of critical logs required
- Auditing and logging is problematic for Oracle Applications due to the design and complexity
  − Use of the privileged accounts (APPS, etc.)
  − DBA can manipulate the audit trail
  − High volume of audit data with limited value
  − Many key audit fields can be spoofed

#11 - Regularly test security
- Oracle Applications penetration tests should be performed annually, especially for Internet-facing modules
- "Deploy file integrity monitoring software"
  − With 750,000+ files and configuration files in multiple locations, deploying file integrity monitoring can be challenging

Oracle Apps and Quarterly Scanning
- External Oracle Applications are protected by a reverse proxy, so –
  − Scanning the IP address might not include Oracle Applications in the scan
  − Should provide the URL to the scanning vendor
- Apache version may register false positives
  − Oracle HTTP Server is really Apache 1.3.19 with patches
- Very few, if any, checks for Oracle Applications are included in the scanning
  − Many scanning vendors use Nessus-based scanners

Questions?
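Requirement #8 above says database profiles must enforce the password controls (length >= 7, hard to guess, 90-day expiry, no reuse within 450 days, lock after 6 failures, 15-minute idle time-out). The following is an added example, not from the Integrigy presentation, of an Oracle profile and password verification function that implement those limits; it assumes it is run as SYS, and the user name in the last statement is hypothetical.

```sql
-- Added example (not from the presentation): PCI DSS 1.1 Requirement 8
-- password controls enforced with an Oracle database profile. Run as SYS
-- (assumption); the final user name is hypothetical.

-- IDLE_TIME is only enforced when resource limits are switched on.
ALTER SYSTEM SET resource_limit = TRUE;

-- Oracle calls this function on every password change for users whose
-- profile references it. It covers "length >= 7" and "hard to guess".
CREATE OR REPLACE FUNCTION pci_verify_function (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 7 THEN
        raise_application_error(-20001, 'Password must be at least 7 characters');
    END IF;
    -- Require both letters and digits so dictionary words alone are rejected.
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20002, 'Password must contain letters and digits');
    END IF;
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20003, 'Password must not contain the user name');
    END IF;
    IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

-- The profile carries the remaining limits from the slide.
CREATE PROFILE pci_dss_profile LIMIT
    PASSWORD_VERIFY_FUNCTION pci_verify_function
    PASSWORD_LIFE_TIME       90          -- expire every 90 days
    PASSWORD_GRACE_TIME      7           -- grace period after expiry (assumption)
    PASSWORD_REUSE_TIME      450         -- no reuse until 450 days have passed...
    PASSWORD_REUSE_MAX       1           -- ...and at least one change has occurred
    FAILED_LOGIN_ATTEMPTS    6           -- lock the account after 6 failures
    PASSWORD_LOCK_TIME       UNLIMITED   -- stays locked until a DBA unlocks it
    IDLE_TIME                15;         -- minutes idle before the session ends

-- Assign the profile to each named (non-generic) database account.
ALTER USER jdoe_example PROFILE pci_dss_profile;   -- hypothetical user
```

Seeded accounts such as APPS still need the profile assigned explicitly, and a FAILED_LOGIN_ATTEMPTS lock on APPS will stop the concurrent managers, so that account's usage has to be controlled by other means as the slide notes.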
Integrigy Contact Information
Stephen Kost, Chief Technology Officer, Integrigy Corporation
E-mail: email@example.com
Phone: 312-961-0215
Website: www.integrigy.com
Integrigy Corporation, P.O. Box 81545, Chicago, Illinois 60681
Sales: firstname.lastname@example.org
Development: email@example.com
Support: firstname.lastname@example.org, 888/542-4802
Security Alerts: email@example.com
Copyright © 2007 Integrigy Corporation. All rights reserved.