Helping Customers Comply with PCI DSS v3.0: Payment Card Industry Data Security Standards. Troy Kitch, Principal Director, Security Software Product Marketing

PCI DSS v 3.0 and Oracle Security Mapping

Oct 19, 2014

Retail

Recent retail data breaches serve as a sobering reminder that the retail industry continues to be a key target of cybercriminals in 2014. In fact, according to the recent Verizon Data Breach Investigations Report, nearly a quarter of all data breaches occurred in retail environments and restaurants. What can organizations do to lower their risk? Watch this SlideShare to learn more.
Transcript
Page 1: PCI DSS v 3.0 and Oracle Security Mapping

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Helping Customers Comply with PCI DSS v3.0: Payment Card Industry Data Security Standards

Troy Kitch, Principal Director, Security Software Product Marketing

Page 2

PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS

International standards
Secure card data
Global card brands
PCI Security Council

Page 3

A BRIEF HISTORY OF THE PAYMENT INDUSTRY: PAYMENTS DEPEND ON TRUST

9000-6000 BC: Cattle
500 BC: Silver coins
806: Paper currency
1891: American Express traveler's checks
1946: First bank card
1966: Modern credit card
1983: Radio frequency identification (RFID)
1997: 1st mobile payment
1999: PayPal
2004: Near Field Communication Forum
2007: Mobile payment developed
2010: Square
Future: Implants and much more

Page 4

WHY IS PCI COMPLIANCE IMPORTANT?

$11B LOST IN 2012

[Chart: Global payment card industry losses, $ billions, by year from 2000 to 2012; y-axis 0 to 12]

Page 5

PAYMENT CARD ECOSYSTEM: THE FLOW OF CREDIT

Roles in the payment card ecosystem, with the example companies named on the slide:

Card Holder (Consumer)
Merchant: Wm Morrison, Amazon, Wal Mart
Acquiring Bank (Merchant Bank) and Issuing Bank (Consumer Bank): Deutsche Bank, Barclays, Royal Bank of Scotland; Credit Agricole Group, BNP Paribas, HSBC Holdings, Banco Santander
Payment Card Processors: PNC, BluePay, PayPal, Merchant One
Credit Bureaus: TransUnion, Equifax, Experian
Collection Agency: SquareTwo, Euler Hermes, Atradius

Page 6

ANATOMY OF A BREACH: MILLIONS OF CONSUMERS AFFECTED

1. Attacker phishes third-party contractor
2. Attacker uses stolen credentials to access contractor portal
3. Finds and infects internal Windows file server
4a. Finds and infects point of sale systems with malware
4b. Malware scrapes RAM for clear text credit card stripe data
5. Malware sends credit card data to internal server; sends custom ping to notify
6. Stolen data exfiltrated to FTP servers

[Diagram label: PERIMETER]
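Step 4b is the one a defender can check for directly: cleartext track data in process memory has a fixed layout, and a PAN must pass the Luhn check. The following added example (not from the slide deck or from Oracle) turns the regex-plus-Luhn logic a RAM scraper relies on into a scanner that flags cleartext card data in a memory or log dump and reports only redacted PANs. The byte buffer is a constructed sample built from public test card numbers.

```python
"""Scan a memory or log dump for cleartext magnetic-stripe (track) data and PANs.

Added example for this page, not Oracle code: it turns the regex-plus-Luhn
logic a RAM scraper relies on into a defensive check that flags cleartext
card data where none should exist. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Track 1 (format B) and track 2 layouts per ISO/IEC 7813: PAN is 13 to 19 digits,
# followed by the name (track 1 only) and a four-digit YYMM expiry.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")
# Bare PANs, optionally grouped with spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    kind: str        # "track1", "track2" or "pan"
    offset: int      # byte offset of the match in the buffer
    masked_pan: str  # never carry the full PAN into your own logs


def scan_buffer(buf: bytes) -> List[Finding]:
    """Return Luhn-valid track data and bare PANs found in buf, ordered by offset."""
    findings: List[Finding] = []
    reported = set()  # (offset of PAN, PAN) already reported as part of a track
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                findings.append(Finding(kind, m.start(), mask_pan(pan)))
                reported.add((m.start(1), pan))
    for m in PAN_RE.finditer(buf):
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        # A random 13-19 digit run (timestamp, order number) fails Luhn 90% of the time.
        if not luhn_ok(pan) or (m.start(), pan) in reported:
            continue
        findings.append(Finding("pan", m.start(), mask_pan(pan)))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: a pretend point-of-sale process-memory dump. The PANs are the
# public test numbers 4111111111111111, 5555555555554444 and 378282246310005;
# 4111111111111112 and 1234567890123 are digit runs that fail the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00POS v4.2 heap\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"
    b"\x00\x00log: txn 20141019T120000 amount=42.17 auth=OK\x00"
    b";5555555555554444=25121011234567890?"
    b"\x00ref=4111111111111112 order=1234567890123\x00"
    b"card 3782 822463 10005 on file\x00"
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_DUMP):
        print(f"{f.kind:6} @0x{f.offset:04x}  {f.masked_pan}")
```

Run against a real dump (for example the output of a process memory capture on a POS host) the same scanner becomes a compliance check for Requirement 3: any hit outside the moment of authorization is cleartext cardholder data that should not be there.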

Page 7

89% NOT PASSED ALL REQUIREMENTS

Source: Verizon 2014 PCI Compliance Report

Page 8

SIZE MATTERS: BY TRANSACTION VOLUME

Level    Annual transactions   Validation
LEVEL 1  6M+                   Annual onsite assessment; quarterly network scans
LEVEL 2  1M-6M                 Annual self-assessment; quarterly network scans
LEVEL 3  20K-1M                Annual self-assessment; quarterly network scans
LEVEL 4  0K-20K                Annual self-assessment; quarterly network scans

Page 9

WHAT'S NEW IN PCI DSS v3.0 (v2 to v3)

Clarifications: change all default passwords; mask displayed data; encryption key storage; detect/prevent web-based attacks

Guidance: Business as Usual

Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf

Page 10

TWELVE PCI REQUIREMENTS

1. Install firewall configuration to protect cardholder data
2. Remove vendor defaults for passwords and security configs
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect systems against malware and update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track, monitor access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses infosec for all personnel

Page 11

REQUIREMENTS ORACLE ADDRESSES

(The slide repeats the twelve requirements above and highlights the ones covered on the following slides: Requirements 2, 3, 6, 7, 8 and 10.)

Page 12

IF YOU CAN'T REMEMBER ALL 12, HERE'S A HANDY VIDEO

PCI Rock: http://www.youtube.com/watch?v=xpfCr4By71U

Page 13

2. REMOVE DEFAULT PASSWORDS AND SECURITY CONFIGS

Examples:
Change vendor-supplied PASSWORD DEFAULTS
Develop CONFIGURATION STANDARDS for all system components
ENCRYPT non-console administrative access

Capabilities: Forced password reset; Configuration scans; Database lifecycle management; SSL/TLS network encryption

Page 14

3. PROTECT STORED CARDHOLDER DATA

Examples:
ENCRYPT cardholder data at rest and REDACT on display
REDUCE PRIVILEGED ACCESS to cardholder information
MASK non-production card data

Capabilities: Transparent Data Encryption; Data Redaction; Data Masking; Secure Backup; Privileged Access Control
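Redaction on display and masking for non-production are different operations with different guarantees, and the slide names both. The added example below (not from the deck or from Oracle; the Oracle equivalents it stands in for are Data Redaction and Data Masking) shows three of them in code: display redaction to first six and last four per PCI DSS 3.3, a keyed one-way hash token for lookups per 3.4, and a deterministic, format-preserving synthetic PAN for test and development that keeps the issuer prefix and still passes the Luhn check, so application validation in the test environment keeps working. DEMO_KEY and the sample rows are constructed; a real key belongs in a key store under Requirements 3.5 and 3.6.

```python
"""PAN protection for PCI DSS Requirement 3: redact on display, tokenize for
storage and lookup, mask for non-production.

Added example, not Oracle code (Oracle's equivalents are Data Redaction, TDE and
Data Masking). Key handling is simplified: DEMO_KEY is a constructed constant,
whereas a real key lives in an HSM or key store under Requirements 3.5 and 3.6.
"""
import hashlib
import hmac
from typing import Dict, List

DEMO_KEY = b"constructed-demo-key-not-for-production"


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these become the doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return luhn_check_digit(pan[:-1]) == pan[-1]


def redact_for_display(pan: str) -> str:
    """PCI DSS 3.3: at most the first six and last four digits may be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storage_token(pan: str, key: bytes) -> str:
    """PCI DSS 3.4: a keyed one-way hash of the full PAN supports lookups and
    de-duplication without storing the PAN itself. The key must never sit in the
    same store as the tokens, or the tokens are only a dictionary attack away."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def mask_for_nonprod(pan: str, key: bytes) -> str:
    """Deterministic, format-preserving synthetic PAN for test and development:
    keeps length and issuer prefix (first six), replaces the account digits with
    HMAC-derived digits and recomputes the check digit. Same input, same output,
    so joins across masked tables still line up; the edge case where the synthetic
    PAN equals the real one is handled by re-deriving with a counter."""
    prefix, body_len = pan[:6], len(pan) - 7
    counter = 0
    while True:
        digest = hmac.new(key, f"{pan}:{counter}".encode(), hashlib.sha256).digest()
        body = "".join(str(b % 10) for b in digest[:body_len])  # slight bias is fine for test data
        candidate = prefix + body
        candidate += luhn_check_digit(candidate)
        if candidate != pan:
            return candidate
        counter += 1


def mask_rows(rows: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Mask the 'pan' column of a copied production table for a non-production refresh."""
    return [{**row, "pan": mask_for_nonprod(row["pan"], key)} for row in rows]


# Constructed sample rows using public test PANs.
SAMPLE_ROWS = [
    {"customer_id": "1", "pan": "4111111111111111"},
    {"customer_id": "2", "pan": "5555555555554444"},
    {"customer_id": "3", "pan": "378282246310005"},
]

if __name__ == "__main__":
    for row, masked in zip(SAMPLE_ROWS, mask_rows(SAMPLE_ROWS, DEMO_KEY)):
        print(row["customer_id"], redact_for_display(row["pan"]), "->", masked["pan"],
              "luhn_valid" if luhn_valid(masked["pan"]) else "INVALID")
```

The masking key is as sensitive as the data: anyone holding it can check a candidate PAN against the masked table, so it is rotated and destroyed after the refresh rather than kept next to the test database.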

Page 15

6. DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS

Examples:
Apply PATCHES within 1 month
MASK live PANs in TEST and DEVELOPMENT
Address SQL INJECTION
Enforce SEPARATION of TEST and DEVELOPMENT environments from production

Capabilities: Follow Oracle Critical Patch Updates; Mask PII in non-production; Monitor and block SQL injection attacks
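"Address SQL injection" is the one item on this slide that is a coding change rather than a process. The added example below (not from the deck or from Oracle) puts the vulnerable query next to its parameterized form so the difference is visible on the same data: the classic `' OR '1'='1` payload returns every row from the first and nothing from the second. It uses Python's standard sqlite3 module so it runs offline; in an Oracle application the same fix is a bind variable (`WHERE last4 = :last4`) in place of string concatenation. The table, deliberately, holds only the redacted PAN and last four digits, and all rows are constructed.

```python
"""PCI DSS 6.5.1, SQL injection: the vulnerable query beside its parameterized form.

Added example, not Oracle code. It uses Python's stdlib sqlite3 so it runs
offline; in Oracle the same fix is a bind variable (WHERE last4 = :last4)
instead of string concatenation. The table stores only the redacted PAN and
the last four digits, never the full PAN. Data is constructed.
"""
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str]


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE card_on_file (customer_id INTEGER, pan_display TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO card_on_file VALUES (?, ?, ?)",
        [
            (1, "411111******1111", "1111"),
            (2, "555555******4444", "4444"),
            (3, "378282*****0005", "0005"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last4: str) -> List[Row]:
    # VULNERABLE (kept for contrast): untrusted input is spliced into the statement,
    # so last4 = "' OR '1'='1" turns the WHERE clause into a tautology.
    sql = (
        "SELECT customer_id, pan_display FROM card_on_file WHERE last4 = '"
        + last4
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, last4: str) -> List[Row]:
    # FIXED: the value travels as a bound parameter and is never parsed as SQL.
    return conn.execute(
        "SELECT customer_id, pan_display FROM card_on_file WHERE last4 = ?",
        (last4,),
    ).fetchall()


def validate_last4(value: str) -> bool:
    """Defense in depth (6.5.1 also calls for input validation): exactly four digits."""
    return len(value) == 4 and value.isdigit()


def lookup_safe(conn: sqlite3.Connection, last4: str) -> List[Row]:
    """Validate, then bind: rejects malformed input before it reaches the database."""
    if not validate_last4(last4):
        raise ValueError("last4 must be exactly four digits")
    return lookup_parameterized(conn, last4)


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, payload))
    print("parameterized: ", lookup_parameterized(db, payload))
```

Binding alone defeats the injection; the allow-list check in lookup_safe adds a second layer and a clean error for the caller, which is the combination 6.5.1 asks for.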

Page 16

7. RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW

Examples:
Limit ACCESS based on NEED TO KNOW and JOB
Employ LEAST PRIVILEGE and SEPARATION of DUTIES

Capabilities: Privileged user access controls; Privilege analysis

Page 17

8. IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS

Examples:
Assign a UNIQUE ID to each person with access
STRONG AUTHENTICATION for all administrators
Set PASSWORD POLICIES
MONITOR and ALERT on all suspicious activity

Capabilities: Multifactor authentication; Strong authentication; Single sign-on; Provision unique IDs
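"Set password policies" is concrete in PCI DSS v3.0: Requirement 8 fixes the numbers. The added example below (not from the deck or from Oracle; in an Oracle database the same controls are a profile with FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME, PASSWORD_REUSE_MAX and a password verify function) enforces them as code: lockout after six failed attempts (8.1.6) for at least 30 minutes (8.1.7), a 15-minute idle timeout (8.1.8), at least seven characters with both letters and digits (8.2.3), a 90-day maximum age (8.2.4) and no reuse of the last four passwords (8.2.5). The account record carries a unique user ID (8.1.1). The clock is passed in as a parameter so the behaviour can be reproduced; names and thresholds in constants are the standard's, everything else is this example's own.

```python
"""PCI DSS v3.0 Requirement 8 password and lockout policy as enforceable code.

Added example, not Oracle code. Thresholds are the ones the standard sets:
8.1.6 lock after six failed attempts, 8.1.7 for at least 30 minutes, 8.1.8
re-authenticate after 15 idle minutes, 8.2.3 at least seven characters with
letters and digits, 8.2.4 change every 90 days, 8.2.5 no reuse of the last four.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_AGE_SECONDS = 90 * 24 * 3600
MAX_FAILURES = 6
LOCKOUT_SECONDS = 30 * 60
IDLE_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000  # tune upwards for production hardware


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str                  # 8.1.1: one unique ID per person, no shared logins
    salt: bytes
    current: bytes                # PBKDF2 hash of the active password
    changed_at: float             # epoch seconds of the last change
    history: List[bytes] = field(default_factory=list)  # hashes of earlier passwords
    failures: int = 0
    locked_until: float = 0.0


def composition_violations(candidate: str) -> List[str]:
    """8.2.3 rules that depend only on the password itself."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("8.2.3: shorter than 7 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("8.2.3: must contain both letters and digits")
    return problems


def password_violations(account: Account, candidate: str) -> List[str]:
    """All rules a proposed password breaks for this account (empty means acceptable)."""
    problems = composition_violations(candidate)
    recent = [account.current] + account.history[-(HISTORY_DEPTH - 1):]
    h = _hash(candidate, account.salt)
    if any(hmac.compare_digest(h, old) for old in recent):
        problems.append("8.2.5: matches one of the last four passwords")
    return problems


def create_account(user_id: str, password: str, now: float) -> Account:
    problems = composition_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(user_id, salt, _hash(password, salt), now)


def change_password(account: Account, new_password: str, now: float) -> List[str]:
    """Apply the change if it passes policy; otherwise return the violations untouched."""
    problems = password_violations(account, new_password)
    if problems:
        return problems
    account.history = (account.history + [account.current])[-(HISTORY_DEPTH - 1):]
    account.current = _hash(new_password, account.salt)
    account.changed_at = now
    return []


def authenticate(account: Account, password: str, now: float) -> str:
    """Return "ok", "expired" (correct, but 8.2.4 requires a change), "denied" or "locked"."""
    if now < account.locked_until:
        return "locked"  # 8.1.7: even a correct password does not unlock early
    if hmac.compare_digest(_hash(password, account.salt), account.current):
        account.failures = 0
        return "expired" if now - account.changed_at > MAX_AGE_SECONDS else "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:  # 8.1.6
        account.failures = 0
        account.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def session_expired(last_activity: float, now: float) -> bool:
    """8.1.8: re-authenticate after 15 minutes idle."""
    return now - last_activity > IDLE_SECONDS
```

Every outcome of authenticate, including "locked" and "expired", is an event the audit trail of Requirement 10 should record; the function returns a string rather than printing so the caller can do exactly that.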

Page 18

10. TRACK AND MONITOR ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA

Examples:
Implement AUDIT TRAILS
REDUCE PRIVILEGED ACCESS to cardholder information

Capabilities: Database and system audit; Database activity monitoring; Alerting and blocking SQL; Conditional auditing
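An audit trail satisfies Requirement 10 only if every entry carries the fields 10.3 lists (who, what, when, outcome, origin, affected resource) and the log itself cannot be quietly edited (10.5.5). The added example below (not from the deck or from Oracle; Oracle's equivalents are Unified Audit and Audit Vault and Database Firewall) implements both: a record type with exactly those six fields, a hash-chained append-only trail whose verify() pinpoints the first altered or deleted record, and two of the review queries 10.2 and the slide's own "reduce privileged access" call for. The events and the CARDS. table prefix are constructed assumptions.

```python
"""PCI DSS v3.0 Requirement 10: an audit trail that records the fields 10.3
demands and is hash-chained so tampering is detectable (10.5.5).

Added example, not Oracle code (Oracle's equivalents are Unified Audit and
Audit Vault and Database Firewall). Events below are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class AuditEvent:
    """The six fields PCI DSS 10.3 requires in every audit entry."""
    user_id: str      # 10.3.1 who
    event_type: str   # 10.3.2 what (LOGIN, SELECT, GRANT, ...)
    timestamp: str    # 10.3.3 when, ISO 8601 from a synchronized clock (10.4)
    success: bool     # 10.3.4 outcome
    origin: str       # 10.3.5 where from (host or IP)
    resource: str     # 10.3.6 what was touched


class AuditTrail:
    """Append-only log where each record carries the hash of its predecessor, so
    editing, reordering or deleting an entry after the fact breaks verification."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _digest(prev_hash: str, event: dict) -> str:
        canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

    def append(self, event: AuditEvent) -> str:
        prev_hash = self.records[-1]["hash"] if self.records else self.GENESIS
        body = asdict(event)
        digest = self._digest(prev_hash, body)
        self.records.append({"prev": prev_hash, "event": body, "hash": digest})
        return digest

    def head(self) -> str:
        """Ship this value to the central log server (10.5.3, 10.5.4); whoever holds
        it can later prove the local copy was not rewritten wholesale."""
        return self.records[-1]["hash"] if self.records else self.GENESIS

    def verify(self) -> Optional[int]:
        """Index of the first record that fails the chain, or None if intact."""
        prev_hash = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev_hash or rec["hash"] != self._digest(prev_hash, rec["event"]):
                return i
            prev_hash = rec["hash"]
        return None


def privileged_access_to_chd(trail: AuditTrail, privileged_users: Set[str]) -> List[dict]:
    """10.2.1 and 10.2.2: every touch of cardholder data by a privileged account is a
    review item. The CARDS. table prefix is an assumption about the schema."""
    return [
        r["event"] for r in trail.records
        if r["event"]["user_id"] in privileged_users
        and r["event"]["resource"].startswith("CARDS.")
    ]


def failed_logins(trail: AuditTrail) -> List[dict]:
    """10.2.4: invalid logical access attempts."""
    return [r["event"] for r in trail.records
            if r["event"]["event_type"] == "LOGIN" and not r["event"]["success"]]


def build_sample_trail() -> AuditTrail:
    """Constructed events for the demonstration."""
    trail = AuditTrail()
    for ev in (
        AuditEvent("app_pos", "SELECT", "2014-10-19T12:00:00Z", True, "10.0.0.5", "CARDS.PAN"),
        AuditEvent("jdoe", "LOGIN", "2014-10-19T12:00:07Z", False, "10.0.0.77", "DB:PCIPROD"),
        AuditEvent("dba_ops", "SELECT", "2014-10-19T12:01:30Z", True, "10.0.0.9", "CARDS.PAN"),
        AuditEvent("jdoe", "LOGIN", "2014-10-19T12:01:45Z", True, "10.0.0.77", "DB:PCIPROD"),
    ):
        trail.append(ev)
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify() is None, "head:", t.head()[:16])
    t.records[1]["event"]["success"] = True  # an attacker hides a failed login
    print("first bad record after tampering:", t.verify())
```

The chain detects edits and deletions inside the log, but not a wholesale rewrite by someone with write access to the whole file; that is why head() exists and why 10.5.3 and 10.5.4 require the log to be copied promptly to a server the database administrators cannot alter.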

Page 19

SECURING CARDHOLDER DATA: SquareTwo Financial

SquareTwo Financial is an asset and recovery management organization that secures more than two million individuals and small businesses using Oracle.

• Minimal customer disruption: 5.9 million accounts
• Quickly scale security: 37% company growth
• Addressed compliance: PCI, GLBA, HIPAA, and SOX

Page 20

SECURING CARDHOLDER DATA: TransUnion

TransUnion provides credit information and information management services to 45,000 businesses and 500 million consumers worldwide.

• Oracle Advanced Security: zero downtime, no application changes
• Seamless key rotation: no impact on performance
• Audit Vault and Database Firewall: 10k transactions/sec
• PCI DSS compliant: satisfies all auditor requirements

Page 21

Learn More

PCI Compliance Whitepaper: Sustainable Compliance for the Payment Card Industry Data Security Standard
http://www.oracle.com/us/products/database/security-pci-dss-wp-078843.pdf
