Copyright © 2014, Oracle and/or its affiliates. All rights reserved.1
Helping Customers Comply
with PCI DSS v3.0
Payment Card Industry Data Security Standards
Troy Kitch
Principal Director
Security Software Product Marketing
PCI SECURITY: INTERNATIONAL, SECURE, GLOBAL
PAYMENT CARD INDUSTRY
A BRIEF HISTORY OF THE PAYMENT INDUSTRY
PAYMENTS DEPEND ON TRUST

9000-6000 BC   CATTLE
500 BC         SILVER COINS
806            PAPER CURRENCY
1891           AMERICAN EXPRESS TRAVELER'S CHECKS
1946           FIRST BANK CARD
1966           MODERN CREDIT CARD
1983           RADIO FREQUENCY IDENTIFICATION (RFID)
1997           1st MOBILE PAYMENT
1999           PAYPAL
2004           NEAR FIELD COMMUNICATION FORUM
2007           MOBILE PAYMENT DEVELOPED
2010           SQUARE
FUTURE         IMPLANTS & MUCH MORE
WHY IS PCI
$11B LOST IN 2012
Chart: GLOBAL PAYMENT CARD INDUSTRY LOSSES, $BILLIONS, by year 2000-2012 (y-axis 0-12), rising to about $11B in 2012
PAYMENT CARD INDUSTRY: THE FLOW OF CREDIT

Card Holder (Consumer)
Merchant: Wm Morrison, Amazon, Wal Mart
Acquiring Bank (Merchant Bank)
Payment Card Processors: BluePay, PayPal, Merchant One
Issuing Bank (Consumer Bank)
Banks shown on the slide (issuing and acquiring): Deutsche Bank, Barclays, Royal Bank of Scotland, PNC, Credit Agricole Group, BNP Paribas, HSBC Holdings, Banco Santander
Credit Bureaus: TransUnion, Equifax, Experian
Collection Agency: SquareTwo, Euler Hermes, Atradius
ANATOMY OF A
MILLIONS OF CONSUMERS AFFECTED

Attack chain (the PERIMETER label on the slide separates the external attacker from the internal network):
1. Attacker phishes a third-party contractor
2. Attacker uses the stolen credentials to access the contractor portal
3. Finds and infects an internal Windows file server
4. Finds and infects point-of-sale systems with malware
5. Malware scrapes RAM for clear-text credit card stripe data
6. Malware sends the credit card data to the internal server and sends a custom ping to notify the attacker
7. Stolen data exfiltrated to FTP servers
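The "scrapes RAM for clear-text stripe data" step is also what an incident responder hunts for after the fact: Track 2 records sitting in a memory dump of the POS process or in the staging file the malware wrote before exfiltration. The example below is added here and is not code from the deck; it scans a constructed byte buffer for Track 2 records, drops anything that fails the Luhn check to cut false positives, and reports each PAN masked to first six/last four so the findings report does not itself become cardholder data. The regex is this example's own assumption about how ISO/IEC 7813 Track 2 data appears in raw memory, and the sample buffer is constructed.

```python
import re

# Track 2 layout as written on a magnetic stripe (ISO/IEC 7813):
#   ;<PAN 13-19 digits>=<expiry YYMM><service code 3 digits><discretionary data>?
# The regex is this example's assumption about how that layout appears in a raw buffer.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Never write a full PAN into a findings report: keep first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> list:
    """Return one finding per Luhn-valid Track 2 record in the buffer (e.g. a process memory dump)."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_valid(pan):
            continue
        findings.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
        })
    return findings


# Constructed sample: what a slice of POS process memory might look like after a swipe.
# 4111111111111111 and 5555555555554444 are published test PANs; the third run is not Luhn-valid.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL v2.1\x00\x00"
    b";4111111111111111=2512101123456789?"
    b"\x00\x00cfg=/opt/pos/etc\x00"
    b";1234567890123456=2512101?"
    b"\x00\x00"
    b";5555555555554444=2611201000000000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for finding in scan_for_track2(SAMPLE_MEMORY):
        print(finding)
```

Run against a real dump, the same scanner also makes a useful control check: a PCI-scoped POS process that holds Track 2 in clear text after authorization is exactly the exposure this attack chain exploits, and a zero-hit result is evidence for the assessor.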
Share of organizations that had NOT PASSED ALL REQUIREMENTS (figure shown graphically on the slide)
Source: Verizon 2014 PCI Compliance Report
SIZE MATTERS: LEVELS BY TRANSACTION VOLUME

LEVEL 1 (6M+ transactions per year):   ANNUAL ONSITE ASSESSMENT, QUARTERLY NETWORK SCANS
LEVEL 2 (1M-6M):                       ANNUAL SELF-ASSESSMENT, QUARTERLY NETWORK SCANS
LEVEL 3 (20K-1M):                      ANNUAL SELF-ASSESSMENT, QUARTERLY NETWORK SCANS
LEVEL 4 (0-20K):                       ANNUAL SELF-ASSESSMENT, QUARTERLY NETWORK SCANS
CHANGES IN PCI DSS v3.0 (from the Summary of Changes)
 Clarifications
 Change all default passwords
 Mask displayed data
 Encryption key storage
 Detect/prevent web-based attacks
 Guidance
 Business as Usual
Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf
TWELVE PCI REQUIREMENTS
1. Install firewall configuration to protect cardholder data
2. Remove vendor defaults for passwords and security configs
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect systems against malware and update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses infosec for all personnel
REQUIREMENTS ORACLE ADDRESSES
(The same twelve requirements, with the ones Oracle addresses highlighted on the original slide; the slides that follow detail requirements 2, 3, 6, 7, 8 and 10.)
IF YOU ROCK ALL 12, HERE'S A HANDY VIDEO
http://www.youtube.com/watch?v=xpfCr4By71U
2. REMOVE DEFAULT PASSWORDS AND SECURITY CONFIGS

CAPABILITIES
 Forced password reset
 Configuration scans
 Database lifecycle mgmt.
 SSL/TLS network encryption

EXAMPLES
Change vendor-supplied PASSWORD DEFAULTS
Develop CONFIGURATION STANDARDS for all system components
ENCRYPT non-console administrative access
(Note: from PCI DSS v3.1 onward, SSL and early TLS no longer count as strong cryptography for this purpose; use TLS 1.2 or higher.)
3. PROTECT STORED CARDHOLDER DATA

CAPABILITIES
 Transparent Data Encryption
 Data Redaction
 Data Masking
 Secure Backup
 Privileged Access Control

EXAMPLES
ENCRYPT cardholder data at rest and REDACT on display
REDUCE PRIVILEGED ACCESS to cardholder information
MASK non-production card data
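"Redact on display" and "mask non-production card data" are two different transformations with different requirements: a display mask may reveal at most the first six and last four digits, while a non-production mask must produce a value that is useless to an attacker yet still looks enough like a PAN (right length, same issuer prefix, valid Luhn check digit, stable across tables) for test code to work. The example below is added here and is not code from the deck or from Oracle Data Redaction or Data Masking; it implements both transformations in plain Python. The HMAC-based substitution, the demo key and the test PANs are this example's own choices.

```python
import hashlib
import hmac


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 13 and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_for_display(pan: str) -> str:
    """Display masking per PCI DSS 3.3: first six and last four are the most that may be shown."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_for_nonprod(pan: str, key: bytes) -> str:
    """Deterministic, format-preserving substitute for test/dev copies.

    Keeps the issuer prefix (first six) so brand/routing logic in test code still behaves,
    replaces the account digits with digits derived from an HMAC of the real PAN, and
    recomputes the Luhn check digit so validators accept it. The same real PAN always maps
    to the same substitute, which preserves joins between masked tables.
    The secret HMAC key is what makes this one-way in practice: an unkeyed hash of a PAN
    is brute-forceable because the space of plausible PANs is small.
    """
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    prefix, body = pan[:6], pan[6:-1]
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    # hex nibble mod 10 is slightly biased toward 0-5; irrelevant for test data
    fake_body = "".join(str(int(c, 16) % 10) for c in digest)[:len(body)]
    partial = prefix + fake_body
    return partial + luhn_check_digit(partial)


# Constructed demo key; a real deployment keeps this in a key store, never in source.
DEMO_MASKING_KEY = b"demo-only-masking-key"

if __name__ == "__main__":
    real = "4111111111111111"   # published test PAN
    print(mask_for_display(real))
    print(mask_for_nonprod(real, DEMO_MASKING_KEY))
```

The masking key must never be copied into the non-production environment along with the data: anyone holding it can test candidate PANs against the masked values, which is the same dictionary attack the keying is meant to defeat.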
6. DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS

CAPABILITIES
 Follow Oracle Critical Patch Updates
 Mask PII in non-production
 Monitor and block SQL injection attacks

EXAMPLES
Apply critical security PATCHES within 1 month of release
MASK live PANs in TEST and DEVELOPMENT
Address SQL INJECTION
Enforce SEPARATION of TEST and DEVELOPMENT environments from PRODUCTION
7. RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW

CAPABILITIES
 Privileged user access controls
 Privilege analysis

EXAMPLES
Limit ACCESS based on NEED TO KNOW and JOB
Employ LEAST PRIVILEGE and SEPARATION of DUTIES
8. IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS

CAPABILITIES
 Multifactor authentication
 Strong authentication
 Single sign-on
 Provision unique IDs

EXAMPLES
Assign a UNIQUE ID to each person with access
STRONG AUTHENTICATION for all administrators
Set PASSWORD POLICIES
MONITOR and ALERT on all suspicious activity
10. TRACK AND MONITOR ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA

CAPABILITIES
 Database and system audit
 Database activity monitoring
 Alerting and blocking SQL
 Conditional auditing

EXAMPLES
Implement AUDIT TRAILS
REDUCE PRIVILEGED ACCESS to cardholder information
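The "Monitor and block SQL injection attacks" capability under Requirement 6 and the "Alerting and blocking SQL" capability here both rest on the same idea: learn the statement shapes the payment application legitimately issues, then alert on (or block) any statement whose shape is not on that list. The example below is added here and is not code from the deck or from Oracle Database Firewall; it is a simplified allow-list check run over constructed audit records. The log format, table and column names, baseline statements and the normalisation rules are this example's assumptions.

```python
import re

# Normalisation: strip comments, replace every string/number literal with "?", collapse whitespace.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize_sql(sql: str) -> str:
    """Reduce a statement to its shape so 'cust_id = 1042' and 'cust_id = 2231' compare equal."""
    shape = _COMMENT_RE.sub(" ", sql)
    shape = _LITERAL_RE.sub("?", shape)
    shape = re.sub(r"\s+", " ", shape).strip().rstrip(";").strip()
    return shape.upper()


# Constructed baseline: statements the payment application is known to issue (learned
# from a clean capture). Anything whose shape is not in this set is reported.
BASELINE_SQL = [
    "SELECT pan_token, exp_month FROM cards WHERE cust_id = 1042",
    "INSERT INTO payments (cust_id, amount) VALUES (1042, 19.99)",
    "UPDATE cards SET exp_month = 12 WHERE card_id = 77",
]
ALLOWED_SHAPES = {normalize_sql(s) for s in BASELINE_SQL}

# Constructed audit records: time|db_user|os_user|client_ip|sql_text
AUDIT_LOG = """\
2014-05-12T10:01:07Z|APP_SVC|tomcat|10.0.4.21|SELECT pan_token, exp_month FROM cards WHERE cust_id = 2231
2014-05-12T10:01:09Z|APP_SVC|tomcat|10.0.4.21|SELECT pan_token, exp_month FROM cards WHERE cust_id = 1 OR 1=1 --
2014-05-12T10:02:44Z|DBA_JSMITH|jsmith|10.0.9.7|SELECT pan FROM cards
2014-05-12T10:03:15Z|APP_SVC|tomcat|10.0.4.21|INSERT INTO payments (cust_id, amount) VALUES (2231, 42.50)
2014-05-12T10:05:02Z|APP_SVC|tomcat|10.0.4.21|SELECT pan_token, exp_month FROM cards WHERE cust_id = '' UNION SELECT pan, exp_month FROM cards --
"""


def review_audit_log(log_text: str, allowed_shapes: set) -> list:
    """Return an alert for every statement whose shape is not on the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, db_user, os_user, client, sql = line.split("|", 4)
        shape = normalize_sql(sql)
        if shape not in allowed_shapes:
            alerts.append({"time": ts, "db_user": db_user, "os_user": os_user,
                           "client": client, "shape": shape, "sql": sql})
    return alerts


if __name__ == "__main__":
    for a in review_audit_log(AUDIT_LOG, ALLOWED_SHAPES):
        print(f"ALERT {a['time']} {a['db_user']}@{a['client']}: {a['shape']}")
```

Three of the five constructed records are flagged: the tautology injection and the UNION injection because their shapes differ from the application's baseline even after literals are stripped, and the DBA's ad hoc read of raw PANs because no application statement ever selects that column. A production database firewall does the same comparison against a parsed SQL grammar rather than regexes, which is what lets it cope with bind variables, hex literals and dialect quirks that this sketch does not handle.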
SECURING CARDHOLDER DATA: SquareTwo Financial
SquareTwo Financial is an asset and recovery management organization that uses Oracle to secure data on more than two million individuals and small businesses.
• Minimal customer disruption – 5.9 million accounts
• Quickly scaled security – 37% company growth
• Addressed compliance – PCI, GLBA, HIPAA, and SOX
SECURING CARDHOLDER DATA: TransUnion
TransUnion provides credit information and information management services to 45,000 businesses and 500 million consumers worldwide.
• Oracle Advanced Security – zero downtime, no application changes
• Seamless key rotation – no impact to performance
• Audit Vault and Database Firewall – 10k transactions/sec
• PCI DSS compliant – satisfies all auditor requirements
Learn More: PCI Compliance Whitepaper
 Sustainable Compliance for the Payment Card Industry Data Security Standard
 http://www.oracle.com/us/products/database/security-pci-dss-wp-078843.pdf