Skip Headers
Oracle® Enterprise Manager Application Configuration Console PCI Compliance
Release 5.3.2

E14654-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

1 Overview

This chapter defines PCI compliance and Application Configuration Console's role in supporting it.

1.1 What Is PCI Compliance?

Payment Card Industry Data Security Standard or PCI DSS is the result of a mandate by major credit card brands such as VISA, MasterCard, and American Express to improve security of credit card data. The standard stipulates compliance with a set of account protection mechanisms by taking actions such as the following:

1.2 What If I Don't Handle Credit Card Transactions?

While aimed at merchants, processors, point-of-sale vendors, financial institutions, and payment companies, the spirit of the standard is geared to securing sensitive data, something every business and private citizen can identify with. In this case, the result of the action taken holds significance, even if the codified rule that requires it doesn't. In other words, the fact that you take steps to ensure proper user authentication and password management is what's important, not that you satisfy PCI requirement 8.5.

1.3 How Does Application Configuration Console Support Compliance?

Application Configuration Console is in the business of automating configuration, change, and release management processes. Monitoring changes to operating system security settings is a natural extension of this core competence.

The Application Configuration Console PCI Compliance Automation Module extends Application Configuration Console by providing the tools for creating assets that capture operating system security settings. The tools then provide for these assets to be audited for compliance with recommended standards. Once you have a baseline for your environment, Application Configuration Console's tracking capabilities take over to monitor for any changes and to ensure remediation of detected differences.

1.4 Is Application Configuration Console's PCI Compliance Across the Board?

The Security Standards Council does not avow a single-sourced solution to its mandate. PCI compliance covers a broad spectrum of initiatives, some of which exist outside the reach of Application Configuration Console software influence.

Table 1-1 revisits the previously referenced list of account protection mechanisms identified by the Security Standards Council, this time noting which are supported by the Application Configuration Console PCI Compliance Automation Module.

Table 1-1 PCI Requirements Supported by Application Configuration Console

PCI Requirement Supported

Maintain an information security policy

No

Use and update anti-virus software

No

Encrypt transmission of cardholder data

No

Maintain firewall configuration

No

Take physical access control measures

No

Prevent insecure configuration management

Yes

Track system configurations

Yes

Monitor file and directory permissions to ensure that only authorized personnel have access

Yes

Monitor access changes to system services, ensuring that all unnecessary and insecure services and protocols are disabled

Yes

Monitor user account policies such as password aging, and password complexity

Yes


1.5 More Information

This book describes use of the PCI Compliance Automation Module to achieve compliance with recommended operating system security settings. Its focus is on Application Configuration Console functionality in that limited context. For detailed information on system features and how to use them, consult the Application Configuration Console Online Help.