Whitepaper: Oracle Applications 11i - Credit Cards and PCI Compliance Issues
March 11th, 2007 by datasecurity Posted in Database, PCI DSS, Vendors
Integrigy has a very comprehensive whitepaper on “Oracle Applications 11i: Credit Cards and PCI Compliance Issues” [PDF] (added to Resources page)
It covers each of the 12 PCI DSS requirements as they relate to the Oracle database software. It’s really nice! Of course the true test is how they address encryption and audit logging, both very difficult items for databases. Does this paper address these items properly?
They have some great recommendations for audit logging (requirement 10), including third-party tools, but their coverage of encryption (requirement 3) is a little lacking. (Granted, this whitepaper is sometimes specific to their application, so oh well.)
5 Responses to “Whitepaper: Oracle Applications 11i - Credit Cards and PCI Compliance Issues”
By Rob again... on Mar 12, 2007
Hi again,
I don’t think a database vendor can ever address encryption inside their own databases effectively. What about the passwords, config files, etc. outside the database application? They will still be open to attack, and ultimately database compromise, unless they are secured from outside.
What you need is something that encrypts all the files and applies access controls from the outside. Most database vendors will also tell you that they do not support databases which have been encrypted at the row and column level unless they have tight partnerships with the encryption manufacturers involved, or have applied the encryption themselves.
It still doesn’t address the integrity issue either. In my view there is still nothing that can do that in the way which PCI 10 intends, but anything which is controlled from within a database, by the very fact that it is internal to the database itself, is nowhere near the mark.
Rob.
By Integrigy on Mar 12, 2007
I just wanted to clarify a point regarding Oracle and the whitepaper. This whitepaper focuses exclusively on Oracle Applications 11i, which is Oracle’s highly-integrated ERP suite of applications including financials, manufacturing, HR, and CRM. The application runs on the Oracle Database and Oracle Application Server, so all references to the database are directly dependent on the application. Any recommendations for the database are only in the context of running Oracle Applications 11i, not any other application or any other use of the database (e.g., data warehouse).
The issue with large ERP applications (like Oracle Applications, PeopleSoft, SAP, etc.) is that the merchant has limited options in terms of PCI compliance. Take card number encryption in Oracle Applications 11i for example. Even though there are many encryption solutions available for the Oracle Database, most of these solutions simply don’t work with the application, are not effective due to the application design, or are not supported by Oracle. Oracle provides a fully-supported (and free) internal encryption mechanism, which is really the most practical solution for 3.4. As with most encryption answers to 3.4, only the card number is encrypted and key management is a significant issue. Requirement 10 is a significant challenge for most Oracle Applications 11i implementations: as it is a highly integrated suite in a single database, any such auditing and logging may impact all functions (e.g., HR), and without significant work or expensive third-party products the auditing and logging can be manipulated by the database administrator.
Keep in mind that most of the merchants running Oracle Applications 11i and processing credit cards through the application will be Level 4, with maybe some being Level 3. The credit card processing in the application is just one minor ancillary function (such as processing a small percentage of receivables payments), not a core function as found in a POS application. PCI compliance becomes a major challenge in such an environment where the entire application must be compliant due to the nature of PCI and the tight integration of the application.
By datasecurity on Mar 12, 2007
I’m happy that people are writing white papers related to PCI. Our goal is to increase awareness and understanding of PCI compliance.
By anupamsk on Feb 7, 2008
How about the next level of PCI compliance in Oracle ERP? Does anybody know how we can remove the requirement of storing CC data within Oracle 11i? What level of customization is required? I am looking for token-based credit card processing for Oracle 11i via iPayment where I do not have to store CC data within Oracle 11i; instead I will use a service provider virtual terminal to capture credit card data and in return will receive a token from the service provider, and Oracle 11i should use this token for subsequent credit card processing through iPayment.
Any input will be greatly appreciated!
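The token-based flow asked about in the comment above, as an added example that is not part of the original thread and not Oracle, iPayment or any provider's code: a simulated service provider (the class HypotheticalProvider, its capture/charge API and its token format are all assumptions) takes the card number at its own terminal and hands back a random token; the merchant side keeps only the token, the last four digits and the expiry, and later charges reference the token. A Luhn-based PAN scan over the merchant's stored data is included as the check a practitioner would run to confirm no card number leaked into the ERP store. The card number used is a constructed test value.

```python
"""Simulated token-based card processing (constructed example).

The merchant keeps a token; the provider keeps the PAN in its vault.
HypotheticalProvider stands in for the service provider's virtual terminal
and is an assumption, not any real provider's API.
"""
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check as used for card numbers (13-19 digits)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """PAN scan: return Luhn-valid 13-19 digit sequences found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


class HypotheticalProvider:
    """Stand-in for the provider's virtual terminal and card vault (assumed API)."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}

    def capture(self, pan: str, expiry: str) -> dict:
        """PAN is entered here, never at the merchant's ERP."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Random token: not derivable from the PAN, so it is useless outside this vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Subsequent processing references the token only."""
        if token not in self._vault:
            return {"approved": False, "reason": "unknown token"}
        pan, _expiry = self._vault[token]   # a real provider routes pan to the network here
        return {"approved": amount_cents > 0, "auth_code": secrets.token_hex(3)}


@dataclass
class MerchantStore:
    """What the ERP keeps per customer: token and display data, never the PAN."""
    customers: dict[str, dict] = field(default_factory=dict)

    def save_card(self, customer_id: str, capture_result: dict) -> None:
        self.customers[customer_id] = {
            k: capture_result[k] for k in ("token", "last4", "expiry")
        }

    def dump(self) -> str:
        """Serialised view of everything stored, for the PAN scan."""
        return repr(self.customers)


def run_flow(provider: HypotheticalProvider, store: MerchantStore,
             customer_id: str, pan: str, expiry: str, amount_cents: int) -> dict:
    """Capture at the provider, store the token, charge by token, then scan the store."""
    result = provider.capture(pan, expiry)          # 1. card captured at provider terminal
    store.save_card(customer_id, result)            # 2. ERP stores token + last4 + expiry
    token = store.customers[customer_id]["token"]
    auth = provider.charge(token, amount_cents)     # 3. later charge by token only
    return {"approved": auth["approved"], "pans_in_store": find_pans(store.dump())}


if __name__ == "__main__":
    p, s = HypotheticalProvider(), MerchantStore()
    print(run_flow(p, s, "CUST-1", "4111111111111111", "12/09", 1000))
```

The token is random rather than a hash of the card number: a 16-digit PAN with a known issuer prefix has far too little entropy for a plain hash to resist brute force, so a hashed PAN would still be cardholder data. With this split, the provider's vault is the part that holds PANs and carries the corresponding PCI scope, and the `find_pans` scan over the ERP's stored data is the kind of evidence an assessor would ask for that the merchant side holds none.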
By Don Parret on Jun 7, 2008
The Encryption Wizard for Oracle is an easy-to-use graphical solution that allows for column, table and schema level encryption using both dbms_obfuscation_toolkit and dbms_crypto.
Free downloads are available at:
http://www.relationalwizards.com