PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on your Data - Emtec, Inc.


Emtec Finance and Technology Summit Presentation with Jon Gillespie

Published in: Technology

  1. Emtec, Inc. Proprietary & Confidential. All rights reserved 2015. PCI Compliance - How To Remain Compliant And Gain Near Real Time Analytics. By: John Gillespie
  2. What We Will Cover…
     • Background
     • PCI Standards
     • Compliance Mapping / Tools
     • Near Real-Time Reporting (Oracle EBS)
     • Questions
  3. BACKGROUND - WHAT IS PCI DSS
     • Payment Card Industry Data Security Standard (PCI DSS)
       – Developed by 5 major payment processing companies to reconcile their individual programs into a single set of payment requirements
       – The primary reason for PCI DSS is to protect cardholder data and prevent fraud
       – Version 3.1 of the standard (April 2015): https://www.pcisecuritystandards.org
  4. PCI DSS APPLICABILITY
     • According to the PCI Security Standards Council, PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

     Account Data / Data Element            Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
     Cardholder Data
       Primary Account Number               Yes                 Yes
       Cardholder Name                      Yes                 No
       Service Code                         Yes                 No
       Expiration Date                      Yes                 No
     Sensitive Authentication Data
       Full Track Data                      No                  Cannot store per Requirement 3.2
       CAV2/CVC2/CVV2/CID                   No                  Cannot store per Requirement 3.2
       PIN/PIN Block                        No                  Cannot store per Requirement 3.2
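The table above is effectively a storage policy, and the point it makes is easiest to see in code. The following Python example is added here and is not part of the Emtec presentation: it encodes the table as a dictionary, applies it to an authorized transaction record before persistence (refusing sensitive authentication data, rendering the PAN unreadable by truncation plus a keyed one-way hash, dropping elements the table does not list), and then scans already-stored rows for the two things the table forbids: a sensitive-authentication-data field, or a cleartext PAN-like value. The record, the rows, the field names and the key are all constructed for the example; the test PAN is the well-known 4111... test number, not real card data.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Data element table from slide 4, expressed as a policy (constructed field names).
# storage_permitted: may the element be kept after authorization?
# render_unreadable: must stored copies be rendered unreadable per Requirement 3.4?
CARDHOLDER_DATA = {
    "pan":             {"storage_permitted": True, "render_unreadable": True},
    "cardholder_name": {"storage_permitted": True, "render_unreadable": False},
    "service_code":    {"storage_permitted": True, "render_unreadable": False},
    "expiration_date": {"storage_permitted": True, "render_unreadable": False},
}
# Sensitive authentication data: storage is never permitted after authorization (Requirement 3.2).
SENSITIVE_AUTH_DATA = {"full_track_data", "cav2_cvc2_cvv2_cid", "pin_block"}

PAN_PATTERN = re.compile(r"^\d{13,19}$")
# A run of 13-19 digits not adjacent to other digits: the shape of a cleartext PAN inside a value.
CLEAR_PAN_IN_TEXT = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def truncate_pan(pan: str) -> str:
    """Truncated form of the PAN: first six and last four digits only."""
    if not PAN_PATTERN.match(pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, usable as a lookup token.
    The key must be managed like any other cryptographic key: an unkeyed hash of a PAN
    is weak because the input space (valid numbers under a known BIN) is small."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Apply the table to an authorized transaction record before it is persisted.
    Raises if sensitive authentication data is present, drops fields the table does not
    list, and replaces the PAN with its truncated and keyed-hash forms."""
    present_sad = SENSITIVE_AUTH_DATA & set(record)
    if present_sad:
        raise ValueError(f"cannot store sensitive authentication data: {sorted(present_sad)}")
    stored = {}
    for field, value in record.items():
        policy = CARDHOLDER_DATA.get(field)
        if policy is None or not policy["storage_permitted"]:
            continue  # unknown or non-storable element: do not persist it
        if policy["render_unreadable"]:
            stored[field + "_truncated"] = truncate_pan(value)
            stored[field + "_hmac"] = hash_pan(value, key)
        else:
            stored[field] = value
    return stored


def find_policy_violations(rows: List[dict]) -> List[Tuple[int, str]]:
    """Scan stored rows (a table sample, a log extract) for what the table says must not
    be there: a sensitive-authentication-data field, or a cleartext PAN-like value."""
    findings = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            if field in SENSITIVE_AUTH_DATA:
                findings.append((i, f"sensitive authentication data field '{field}' present"))
            elif isinstance(value, str) and CLEAR_PAN_IN_TEXT.search(value):
                findings.append((i, f"cleartext PAN-like value in field '{field}'"))
    return findings


# Constructed sample: an authorization response as a payment module might capture it.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A. Example",
    "expiration_date": "12/27",
    "service_code": "201",
    "cav2_cvc2_cvv2_cid": "123",  # must never be persisted after authorization
}
# Placeholder key for the example only; in practice it comes from a key manager or HSM.
EXAMPLE_KEY = b"example-key-placeholder"

if __name__ == "__main__":
    authorized = {k: v for k, v in SAMPLE_RECORD.items() if k not in SENSITIVE_AUTH_DATA}
    print(prepare_for_storage(authorized, EXAMPLE_KEY))
    try:
        prepare_for_storage(SAMPLE_RECORD, EXAMPLE_KEY)
    except ValueError as err:
        print("rejected:", err)
    legacy_rows = [  # constructed rows, as found in an older table
        {"pan_truncated": "411111******1111", "cardholder_name": "A. Example"},
        {"pan": "4111111111111111", "cardholder_name": "B. Example"},
        {"note": "retry of pin verification", "pin_block": "0000000000000000"},
    ]
    for row, reason in find_policy_violations(legacy_rows):
        print(f"row {row}: {reason}")
```

The scan in find_policy_violations is the kind of check an assessor expects to see run against the CDE's databases and logs on a schedule, not once; a hit on a "pin_block"-style field or a 16-digit run in a free-text column is the usual way stored sensitive authentication data is found.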
  5. SCOPE OF PCI DSS
     • Systems that provide security services like firewalls, routers, switches, DNS, etc.
     • Virtualized infrastructure such as hypervisors, virtual services / desktops and virtualized network infrastructure
     • Network infrastructure providing end-point connectivity, including wireless infrastructure
     • Servers hosting protocols like NTP, DNS, HTTP/HTTPS, FTP, SFTP, database protocols, authentication protocols, and mail protocols
     • Purchased (COTS) and custom applications
     • Any other unspecified component existing within or connected to the Cardholder Data Environment (CDE)
  6. BUSINESS AS USUAL AS A BEST PRACTICE
     • Organizations that already have an audit and compliance approach to conducting business, such as companies subject to GLBA, SOX404, JSOX, and HIPAA regulations, have an inherent leg up because the control design has already been defined.
     • A control is a process for ensuring a function, automated or manual in nature, is operable, effective and reliable. Controls and their design are never intended to be absolute, but reasonable and commensurate with the inherent risk.
     • Segregated into:
       – Monitoring of Security
       – Detection of Failures and Deficiencies
       – Configuration Change Management
       – Organizational Change Management
       – Periodic Assessment
       – Periodic Review of Hardware and Software Technologies
  7. THE TWELVE COMPLIANCE REQUIREMENTS FOR PCI DSS
  8. AUDIT & COMPLIANCE ASSESSMENT PROGRAM
     • Define the Scope
     • Perform the Assessment
     • Complete the Reports on Compliance (ROC)
     • Complete the Self Assessment Questionnaires (SAQ)
     • Compliance Validation Reports (Attestations of Compliance)
     • Submit the SAQ and/or ROC along with the Attestation of Compliance to the Merchant / Service Provider
     • IMPORTANT NOTE: PCI DSS requirements are not considered to be in place if controls have not yet been implemented or are scheduled to be completed at a future date. After any open or not-in-place items are addressed by the entity, the assessor will then reassess to validate that the remediation is completed and that all requirements are satisfied.
  9. ORACLE TOOLS FOR COMPLIANCE
     • Of the 12 PCI DSS Requirements, Oracle tools can assist in fulfilling 6:
     • Requirement 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
     • Requirement 3: PROTECT STORED CARDHOLDER DATA
     • Requirement 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
     • Requirement 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
     • Requirement 8: IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
     • Requirement 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
  10. WHICH ORACLE TOOLS ARE REQUIRED
     Requirement 2
       • Standard configuration of Oracle data for user accounts. Oracle Enterprise Manager provides out-of-the-box configuration scans based on Oracle, customer policy, and commonly accepted industry practices. OEM also provides Oracle Database discovery, provisioning and patching.
       • Oracle Audit Vault and Database Firewall consolidates audit data from across Oracle, Microsoft SQL Server, IBM DB2 for LUW, SAP Sybase ASE and Oracle MySQL databases, in addition to Windows and Linux platforms. Oracle Audit Vault and Database Firewall can report and alert on audit data.
       • Oracle Database Vault separation of duties prevents unauthorized administrative actions in the Oracle Database.
       • Oracle Database custom installation allows specific components to be installed or removed.
       • Oracle Database provides network encryption (SSL/TLS and native) to encrypt all traffic over SQL*Net between the middle tier and the database, between clients and the database, and between databases. Additionally, some administrative tools, such as Enterprise Manager, provide a restricted-use SSL license to protect administrative traffic.
     Requirement 3
       • Applications can leverage Virtual Private Database (VPD) with a column-relevant policy to mask out the entire number. Oracle Advanced Security with Data Redaction can consistently mask displayed data within applications.
       • Oracle Data Masking protects production data used in non-production environments for testing and QA.
       • Security controls provided by Oracle Label Security can help determine who should have access to the number. Oracle Database Vault realms can be used to prevent privileged users from accessing application data.
       • In Oracle EBS, Oracle Wallet can be implemented to encrypt IBY transactions.
       • Oracle Advanced Security transparent data encryption (TDE), column encryption, and tablespace encryption can be used to transparently encrypt the Primary Account Number in the database and when it is backed up to storage media. Oracle Advanced Security TDE column encryption provides the ability to independently re-key the master encryption key and/or table keys. Starting with Oracle Database 11g Release 2, the master encryption key for TDE tablespace encryption can be re-keyed as well. For PCI compliance, re-keying (rotating) the master encryption key is often sufficient.
       • Oracle RMAN with Oracle Advanced Security can encrypt (and compress) the entire backup when backed up to disk. Oracle Data Pump with Oracle Advanced Security can encrypt (and compress) the entire database file. Supported encryption algorithms include AES with 256-, 192-, or 128-bit key length, as well as 3DES168.
       • Designated individuals like a DBA or Database Security Administrator (DSA) need to know the wallet password or the HSM authentication string and have the 'alter system' privilege in order to open the wallet or HSM and make the master encryption key available to the database.
       • Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to perform secure key distribution.
  11. WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
     Requirement 6
       • Oracle follows the Common Vulnerability Scoring System (CVSS) when providing severity ratings for bug fixes released in Critical Patch Updates (CPUs).
       • Enterprise User Security, an Oracle Database Enterprise Edition feature, combined with Oracle Identity Management, gives the ability to centrally manage database users and their authorizations in one place.
       • Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager enables the separation of privileges, manages self-service requests to privileged accounts, and provides auditing and reporting of password usage.
       • Oracle Database Vault can help to protect DBA access to production data in Oracle Databases.
       • Oracle Data Masking de-identifies payment card numbers, and other sensitive information, for testing and development environments.
       • Database change control procedures can be automated with Oracle Change Management. BPEL Process Manager can also be used for process management of change control and of security procedures in general.
     Requirement 7
       • Oracle Label Security provides additional security attributes based on need-to-know or "least-privilege" requirements.
       • Oracle Virtual Private Database provides basic runtime masking.
       • Oracle Data Redaction removes or masks sensitive application data fields based on organizational and regulatory policy combined with the requestor's entitlements.
       • Oracle Database object privileges and database roles provide basic security.
       • Oracle Identity Governance Suite provides enterprise user provisioning only to permitted computing and application resources and data, based on role, job function, department, location, and/or other variables. This can be triggered automatically from the HR (HCM) system.
       • Oracle Identity Analytics defines roles to provide granular definition of jobs and functions, as well as short-term assignments.
     Requirement 8
       • Oracle Database authentication supports dedicated user accounts and strong authentication capabilities, including Kerberos.
       • Oracle Identity Governance Suite provides enterprise user provisioning using an automated workflow and central repository. Users are automatically de-provisioned when they are no longer active.
       • Privileged access should be managed on an exception basis with one-time passwords (OTP). Extensive monitoring of privileged and/or support access provides assurance that personnel are only performing authorized activities.
       • Oracle Access Management Suite provides centralized application-layer access control, authorization and authentication.
       • Part of the Oracle Identity Governance Suite, Oracle Privileged Account Manager is a secure password management solution designed to generate, provision, and manage access to passwords.
       • Repeated access attempts can trigger an account lockout; the number of attempts and the remediation process are configurable.
       • Oracle Access Management Suite supports strong authentication (tokens, smart cards, X.509 certificates, forms) as well as passwords. Oracle Access Manager includes self-service password reset with policies that can meet the complexity requirements of PCI DSS 3.1.
  12. WHICH ORACLE TOOLS ARE REQUIRED (Cont.)
     Requirement 10
       • Oracle Audit Vault and Database Firewall collects and centralizes database and system audit data for enterprise reporting and alerting. Oracle Database Vault audit trails can be collected in Oracle Audit Vault and Database Firewall.
       • Oracle Database Fine Grained Auditing (FGA) enables audit policies to be associated with columns in application tables, along with the conditions necessary for an audit record to be generated. Audit trails can be collected in Oracle Audit Vault and Database Firewall for reporting.
       • Oracle Database Conditional Auditing provides highly selective and effective auditing by creating records based on the context of the database session. Out-of-policy connections can be fully audited while no data will be generated for others.
       • Oracle Database Vault realms and separation of duties for more stringent controls on database administration; Oracle Database Vault realm reports
       • Oracle Audit Vault and Database Firewall audit data consolidation for enterprise reports and alerting
       • Oracle Identity Governance Suite; Oracle Access Management Suite audit reports; Oracle Identity Analytics
       • Customized reports can be generated using Oracle Application Express, Oracle BI Publisher and 3rd party tools.
       • Oracle Access Management Suite and Identity Manager provide logs of all user activity and provisioning/de-provisioning.
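The Requirement 10 slide describes two selectivity mechanisms: column-level audit policies with a condition (fine-grained auditing) and session-context policies that fully audit out-of-policy connections while generating nothing for expected ones. The following Python example is added here to show that decision logic in the open; it is not Oracle code and not from the presentation. It models each statement with its session context, decides per statement whether an audit record is due and why, and emits records only for out-of-policy sessions or for statements touching a column under an audit policy. The expected-session profile, the table and column names and the sample statements are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed connection policy: which client programs and network prefixes are
# expected for each database account. Anything else is "out of policy".
EXPECTED_SESSIONS = {
    "APPS":      {"programs": {"frmweb", "oacore"}, "networks": ("10.20.",)},
    "IBY_BATCH": {"programs": {"sqlplus"},          "networks": ("10.20.5.",)},
}
# Constructed column-level audit policy, in the spirit of FGA: (table, column) pairs
# for which any statement touching the column produces an audit record.
AUDITED_COLUMNS = {("CC_TRANSACTIONS", "CARD_TOKEN"), ("CC_TRANSACTIONS", "PAN_TRUNCATED")}


@dataclass(frozen=True)
class Session:
    user: str
    program: str
    client_ip: str


@dataclass(frozen=True)
class Statement:
    session: Session
    action: str            # SELECT, UPDATE, ...
    obj: str               # table referenced
    columns: tuple = ()    # columns referenced


def out_of_policy(session: Session) -> Optional[str]:
    """Reason a session falls outside its expected connection profile, or None."""
    profile = EXPECTED_SESSIONS.get(session.user)
    if profile is None:
        return f"unexpected user {session.user}"
    if session.program not in profile["programs"]:
        return f"unexpected program {session.program} for {session.user}"
    if not session.client_ip.startswith(profile["networks"]):
        return f"unexpected client address {session.client_ip} for {session.user}"
    return None


def audit_reason(st: Statement) -> Optional[str]:
    """Why this statement must be audited: out-of-policy session first (everything it
    does is recorded), otherwise a touched column under the column policy; else None."""
    session_reason = out_of_policy(st.session)
    if session_reason is not None:
        return "out-of-policy session: " + session_reason
    touched = sorted(c for c in st.columns if (st.obj, c) in AUDITED_COLUMNS)
    if touched:
        return "audited column(s): " + ", ".join(f"{st.obj}.{c}" for c in touched)
    return None


def conditional_audit(statements: Iterable[Statement]) -> List[dict]:
    """Produce audit records only where audit_reason says so; in-policy activity
    against unaudited columns generates no data at all."""
    records = []
    for st in statements:
        reason = audit_reason(st)
        if reason is None:
            continue
        records.append({
            "user": st.session.user, "program": st.session.program,
            "client_ip": st.session.client_ip, "action": st.action,
            "object": st.obj, "reason": reason,
        })
    return records


if __name__ == "__main__":
    # Constructed sample activity: a normal application session, then the same account
    # connecting with an ad-hoc tool, which is the case the slide wants fully audited.
    app = Session("APPS", "frmweb", "10.20.1.7")
    adhoc = Session("APPS", "sqlplus", "10.20.1.7")
    activity = [
        Statement(app, "SELECT", "CC_TRANSACTIONS", ("AMOUNT", "TENDER_TYPE")),
        Statement(app, "SELECT", "CC_TRANSACTIONS", ("CARD_TOKEN",)),
        Statement(adhoc, "SELECT", "GL_BALANCES"),
        Statement(adhoc, "UPDATE", "CC_TRANSACTIONS", ("AMOUNT",)),
    ]
    for rec in conditional_audit(activity):
        print(rec)
```

Note the ordering in audit_reason: the session test runs before the column test, so an out-of-policy connection is audited in full even when it never touches a protected column, which is what makes the resulting audit trail small enough to review and alert on.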
  13. CHALLENGES
     • Native reporting is difficult and sometimes non-existent or poorly formatted
     • Interim / point-in-time reporting does not exist
     • IBY / Payments infrastructure is difficult to join due to encryption
     • Seeded reporting is completely reliant on legacy RDFs
     • Transaction tracing through the settlement process is difficult without custom extract development or professional services
  14. HOW HAVE WE SOLVED THIS QUANDARY
     • Aside from assisting your company in complying with the rules and regulations of PCI DSS, we have developed a "Materialized View" for customers leveraging Oracle E-Business Suite that allows for interim reporting of:
       – Fully accounted transactions in Receivables, Payables, Subledger Accounting and Payments (both Processor and Gateway models)
       – Partially accounted credit card transactions that have not been settled, by exploiting the ISO8583 payment specification. This method allows for a determination of credit card risk prior to settlement based upon the floor limit pre-authorization
       – Grouping of the extract by tender type to determine the interchange rate and the discount / fees that are booked on a period basis
       – Ability to be secured with native Oracle security and RBAC (Role Based Access Controls)
       – Credit card transaction errors for root cause analysis (Auth, Pre-Settlement and Post-Settlement)
       – The view leverages Microsoft Excel via XML Publisher to manipulate data
  15.–17. PORTABLE DATA FOR ANALYTICS
  18. OUR COMPANY
     • 17 years serving clients; 500 dedicated associates; Best Places to Work 2012; Technology Empowered Business Solutions; "right size provider"; "client for life"
     • GLOBAL DELIVERY: USA (IL, PA, NJ, GA, VA, MN, FL); Canada (Toronto, Ottawa); India (Pune, Bangalore); onshore, offshore, nearshore and blended managed services
     • OUR SERVICES: Advisory (strategy, governance, process); Applications (ERP, HCM, CRM, app. development, mobile solutions); Cloud (applications, infrastructure); Analytics (enterprise reporting, predictive analytics, big data); Infrastructure (service management, enterprise infrastructure, end user computing)
     • OUR PEOPLE: 87% / 14 / 73% / 47 (prior tier 1 consultancies, avg. years experience, fulltime employees); 25+ other partners
     • Business and Technology Empowered
  19. An Exciting Year For Emtec… And Our Clients!
     • Expansion: Services, GEO, Vertical, SMAC
     • Vertical Focus; Advisory Services: Strategy, Enterprise Solutioning, Management Consulting, Line of Business Expertise
  20. Emtec Services Align Well with each stakeholder community (The POWER of Emtec)
     • ENTERPRISE SUITE
       – SALES & MARKETING: 360 degree view of the customer; Sales force automation; Customer Service; Marketing Automation; Customer and Product Data Management; BI / Analytics
       – HCM: Workforce Planning; HR Analytics; Talent Management; Employee Self-Service; Performance Management; Total Compensation
       – CFO FINANCE: Budget & Planning; Financial Close Mgmt; Procure to Pay; SEC Reporting; Financial Analytics; Cash Management
       – OPERATIONS: Forecasting; Operational Analytics; ERP; Project Costing
     • TECHNOLOGY: Advisory Services; Application Development & Maintenance services; Business Intelligence & Big Data; Cloud Strategy and Implementation; Independent Verification & Validation; Infrastructure Services; Managed Services; IT Service Management; Procurement Services
     • Business Strategy; Managed Services & Outsourcing; Advisory Services; Analytics; Governance
  21. THANK YOU FOR YOUR TIME. Please visit us online at www.emtecinc.com