If you are in the technology world, specifically in e-commerce or in any business that processes credit card transactions, by now you know what PCI-DSS is. It stands for Payment Card Industry Data Security Standard and refers to a compliance mandate that credit card companies including Visa, MasterCard and American Express require companies to conform to.
As part of PCI compliance, companies processing credit card transactions are required to undergo periodic assessments by third-party Qualified Security Assessors.
A little bit of history on what brought about PCI-DSS. You have surely seen and heard about all the security breaches in which customer credit card information was compromised. As we firmly entrench ourselves in electronic commerce, we keep handing our credit cards to every mom-and-pop shop without regard to how they manage and secure that information. Credit card scams have amounted to tens of millions of dollars in fraudulent charges and in lawsuits by people affected by the breaches.
Most credit card companies have policies for disputing erroneous charges on your card, and identity theft insurance exists. The financial impact of a credit card theft can be reversed, but the trauma people go through repairing their credit rating, cleaning up their credit history and so on is irreparable. The software used to transact and store credit card and other personal information was supposed to take care of it, and failed to do so miserably. That forced Visa, MasterCard, American Express and Discover to come up with a mandate for companies to abide by and protect customer information, with stiff penalties for any mishaps. By requiring merchants to comply with their guidelines, the mandate indirectly forced software companies and IT organizations to address the issues at their end as well.
The merchants now have more than one reason for complying:
- Financial penalties are stiff, ranging from 250K to millions.
- Damage to the company's brand reputation and the resulting loss of business.
- Increased insurance costs and lawsuits.
- Increased audit expenses subsequent to a breach.
Now on to the applications that manage credit card information. Oracle E-Business Suite (and I am sure SAP too) has implemented features to address the deficiencies in its credit card management and ensure that the information is protected, and has released a patch; check Metalink Note 338756.1 (requires an Oracle support login).
Now for you IT folks out there managing Oracle E-Business Suite: if you are being scrutinized around PCI DSS, here are some of the things you should be looking into. As you have probably guessed by now, the majority of breaches originate from within.
- Ensure that all the seeded accounts that come with EBS and are no longer needed are disabled.
- Keep track of all users with access to credit card information through the application, audit each time the information is accessed, and account for every access.
- Regulate, monitor and audit database access to the credit card tables.
- Ensure credit card information displayed in the application and in reports is masked, and in cases where it is absolutely needed, only the last 4 digits are displayed.
- Ensure any log files generated as part of a transaction involving a credit card are secured and purged.
- Ensure the database backup policies and the access controls on the backups are regulated.
- Maintain an audit trail of any updates to the credit card information.
- In case your company does not already (most companies do), place the application behind a firewall.
- Ensure that credit card information transmitted during verification is sent encrypted.
- Some of the other things the PCI guidelines explicitly require are up-to-date virus protection, adware detection and removal, etc.
- And most important of all, make sure you are up to date on any critical patches released by Oracle (and other vendors) around credit card information management. Chances are someone else affected by a loophole has reported it and the vendor has created a remedial patch.
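As an added example (not from the original post, and not Oracle's code), here is a small Python check for the masking and log-file items above: it scans constructed sample log lines for digit runs that pass the Luhn check, reports the lines that expose a full card number, and masks them down to the last four digits. The log format, the `cc-verify` tag and the sample values are assumptions.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check: every second digit from the right is doubled and digit-summed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as the display rule above requires."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub_line(line: str) -> Tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus how many were masked."""
    hits = 0
    def repl(m):
        nonlocal hits
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # a digit run that fails Luhn is not a card number
        hits += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), hits

def scan_log(text: str) -> List[Tuple[int, str, int]]:
    """Report (line number, masked line, PAN count) for each offending line."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        masked, hits = scrub_line(line)
        if hits:
            out.append((n, masked, hits))
    return out

# Constructed sample log (not from any real system); 4111... and 5500... are the
# public Visa and MasterCard test card numbers, and the last line is a Luhn-failing
# digit run that a naive regex-only scan would report as a false positive.
SAMPLE_LOG = "\n".join([
    "2024-05-15 10:02:11 cc-verify card=4111 1111 1111 1111 amount=120.00 result=APPROVED",
    "2024-05-15 10:02:12 cc-verify order_id=9876543210 status=QUEUED",
    "2024-05-15 10:03:40 cc-verify card=5500-0000-0000-0004 amount=42.50 result=DECLINED",
    "2024-05-15 10:04:01 cc-verify trace_id=4111111111111112 status=OK",
])
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 3 only; a clean log returns an empty list, which is the condition to check before a log file is archived.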
If you are going to have a PCI audit, here are some things you will need.
- Document and capture the entire data flow diagram of credit card data: the systems, the networks, the log files. Along with the various points in the flow, capture who gets access at each of them. Make sure you include your redundancy/fail-over systems as well. As the components of your IT infrastructure change over time, make sure you incorporate those changes into the data flow diagram.
- Document the backup and recovery process and how it touches the credit card data. Include the people who have access to it.
- No compliance certification automatically makes you protected. It is a point-in-time assessment; compliance is a perpetual thing.
- If your audit is annual, schedule your own audits quarterly to make sure things have not drifted and you are not exposed.
Note: As you can see, this information is not just useful for the audit; you will need it to govern the information better and in case of a breach.