Siebel CRM Siebel Security Hardening Guide
Siebel Innovation Pack 2015
E24815-01

Payment Card Industry Data Security Standard

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of standards developed to enhance the security of credit card data in organizations that process such data. Developed by the PCI Security Standards Council, the standards are designed to prevent credit card fraud by implementing consistent data-security measures, which include requirements relating to network management, security policies and procedures, and data-access management.

PCI DSS compliance is required of all organizations that store, process, or transmit credit cardholder data. The PCI DSS currently outlines six basic principles for compliance, each supported by more detailed subrequirements.

Table A-1, "Siebel Business Applications and PCI DSS Requirements" lists the PCI requirements and the ways in which Siebel Business Applications support these requirements.

Table A-1 Siebel Business Applications and PCI DSS Requirements

The table has three columns: PCI DSS Principle, PCI DSS Requirement, and Siebel CRM Support for PCI DSS. Each row is given below with its cells labeled.

PCI DSS Principle: Build and maintain a secure network.

PCI DSS Requirement: Do the following:

  • Install and maintain a firewall to protect cardholder data.

  • Do not use vendor-supplied default passwords.

Siebel CRM Support for PCI DSS: Siebel Business Applications support the deployment of firewalls, reverse-proxy servers, and Network Address Translation devices to protect application data from intrusion.

During the installation of Siebel Business Applications, warnings are issued if the password specified for the user ID used to start services and processes is the same as the user ID. The installer can use any user ID and password that have the appropriate privileges to perform the task it is required to perform (such as administrator privileges to start services).

PCI DSS Principle: Protect cardholder data.

PCI DSS Requirement: Do the following:

  • Protect stored cardholder data.

  • Encrypt transmission of cardholder data across open, public networks.

Siebel CRM Support for PCI DSS: Siebel Business Applications allow customers to encrypt sensitive information stored in the Siebel database, cardholder data, and other data transmitted across networks.

PCI DSS Principle: Maintain a vulnerability management program.

PCI DSS Requirement: Do the following:

  • Use and regularly update antivirus software on all computers commonly affected by malware.

  • Develop and maintain secure computer systems and applications.

Siebel CRM Support for PCI DSS: These requirements are customer-governance issues. Oracle recommends that you implement them.

For help with security-governance issues, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance.

PCI DSS Principle: Implement strong access control measures.

PCI DSS Requirement: Do the following:

  • Restrict access to cardholder data by business need-to-know.

  • Assign a unique ID to each person with computer access.

  • Restrict physical access to cardholder data.

Siebel CRM Support for PCI DSS: Siebel Business Applications provide multitiered access-control mechanisms so that only those users with appropriate rights have access to the data. This control includes view-level access control and record-level access control.

Each Siebel application user is assigned a login ID, a primary position, and a responsibility in the Siebel application. These security attributes provide the user with the appropriate access rights to the Siebel application.

Users do not have direct access to the Siebel database; only the Siebel application has access to it. If database security is used, Siebel user passwords can be hashed using the RSA SHA-1 algorithm to prevent users from circumventing application-security protocols. Enabling password hashing ensures that the password used to access the Siebel database is not the same password that the user uses to access the Siebel application. In addition, using an LDAP, ADSI, Single Sign-On, or custom-security adapter to access Siebel Business Applications requires that user database access is managed through a shared application credential, and not through a user ID and password.

PCI DSS Principle: Regularly monitor and test networks.

PCI DSS Requirement: Do the following:

  • Track and monitor all access to network resources and cardholder data.

  • Test security systems and processes regularly.

Siebel CRM Support for PCI DSS: To maintain data continuity and monitor activity on a Siebel CRM site, you can configure Siebel Audit Trail. This feature allows you to maintain an audit trail of information that indicates when business component fields have been changed, who made the change, and what has been changed.

These requirements are customer-governance issues. Oracle recommends that you implement them.

For help with security-governance concerns, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance.

PCI DSS Principle: Maintain an information security policy.

PCI DSS Requirement: Maintain a policy that addresses information security.

Siebel CRM Support for PCI DSS: This requirement is a customer-governance issue. Oracle recommends that you implement it.

For help with security-governance concerns, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance.