Payment Card Industry Data Security Standard
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of standards developed to enhance the security of credit card data in organizations that process such data. Developed by the PCI Security Standards Council, the standards are designed to prevent credit card fraud by implementing consistent data-security measures, which include requirements relating to network management, security policies and procedures, and data-access management.
PCI DSS compliance is required of all organizations that store, process, or transmit credit cardholder data. The PCI DSS currently outlines six basic principles for compliance, each supported by more detailed subrequirements.
The following table lists the PCI requirements and the ways in which Siebel CRM supports these requirements.
| PCI DSS Principle | PCI DSS Requirement | Siebel CRM Support for PCI DSS |
|---|---|---|
| Build and maintain a secure network. | Do the following: | Siebel CRM supports the deployment of firewalls, reverse proxy servers, and Network Address Translation devices to protect application data from intrusion. During the installation of Siebel CRM, warnings are issued if the password specified for the user ID used to start services and processes is the same as the user ID. The installer can use any user ID and password that have the privileges its task requires (such as administrator privileges to start services). |
| Protect cardholder data. | Do the following: | Siebel CRM allows customers to encrypt sensitive information stored in the Siebel database, cardholder data, and other data transmitted across networks. |
| Maintain a vulnerability management program. | Do the following: | These requirements are customer-governance issues. Oracle recommends that you implement them. For help with security-governance issues, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance. |
| Implement strong access control measures. | Do the following: | Siebel CRM provides multitiered access-control mechanisms so that only those users with appropriate rights have access to the data. This control includes view-level access control and record-level access control. Each Siebel application user is assigned a login ID, a primary position, and a responsibility in the Siebel application. These security attributes give the user the appropriate access rights to the Siebel application. Users do not have direct access to the Siebel database; only the Siebel application has access to it. If database security is used, Siebel user passwords can be hashed to prevent users from circumventing application-security protocols. Enabling password hashing ensures that the password used to access the Siebel database is not the same password that the user uses to access the Siebel application. In addition, using an LDAP, Single Sign-On, or custom-security adapter to access Siebel CRM requires that user database access is managed through a shared application credential, and not through a user ID and password. |
| Regularly monitor and test networks. | Do the following:<br>- System components.<br>- All actions taken by any individual with root or administrative privilege.<br>- Invalid logical access attempts.<br>- Use of and changes to identification and authentication mechanisms (including but not limited to new account creation and privilege elevation) and all changes, additions, or deletions to accounts with root or administrative privileges. | To maintain data continuity and monitor activity on a Siebel CRM site, you can configure Siebel Audit Trail. This feature allows you to maintain an audit trail of information that indicates when business component fields have been changed, who made the change, and what has been changed. These requirements are customer-governance issues. Oracle recommends that you implement them. For help with security-governance concerns, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance. |
| Maintain an information security policy. | Maintain a policy that addresses information security. | This requirement is a customer-governance issue. Oracle recommends that you implement it. For help with security-governance concerns, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance. |