How You Comply with Third-Party Standards

While we comply with a number of third-party standards, you are ultimately responsible for ensuring that your B2C Service implementation is in compliance.

Oracle’s control status regarding a regulation does not mean that your B2C Service implementation is automatically considered to be compliant. Your environment(s) must be assessed by an approved third-party organization to ensure controls are properly in place.

On a periodic basis, B2C Service is audited by third parties to validate that controls designed to address various regulations are in place. As a Cloud Service Provider (CSP), B2C Service has many safeguards in place to ensure the security of Oracle’s infrastructure and our customers’ data assets.

However, as the data controller, you retain many obligations. For payment account numbers (PANs) or protected health information (PHI), we recognize that you can extend the data model to retain sensitive information, or choose to use the service to process and transmit sensitive data. For the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, there are controls that you can configure during a deployment that contribute to protecting your data.

To ensure that we are in compliance with the standard, Oracle obtains a Payment Card Industry Data Security Standard (PCI DSS) Attestation of Compliance (AoC) from Oracle’s third-party Qualified Security Assessor (QSA) every year. B2C Service is attested for compliance with PCI DSS Service Provider Level 1. Although this can aid you when you are assessed, it is not transferable to you, and it does not mean that you are purchasing a PCI certification.

Similar to the PCI DSS AoC, HIPAA has an AT-101 report from the appropriate external parties. Also, in the context of the HIPAA / HITECH rules, Oracle is a Service Provider in a Business Associate role where customers have executed a Business Associate Agreement. If applicable to the order, the Business Associate Agreement (BAA) between the customer and Oracle describes the obligations of each party.

In addition, there may be other accreditations, attestations, and certifications available for B2C Service in the environment you purchased. These may include:

  • Cyber Essentials Plus

  • HMG Cloud Security Principles

  • IRAP (Information Security Registered Assessor Program)

  • NIST (National Institute of Standards and Technology) Special Publication 800-53, including U.S. government programs:

    • CJIS (Criminal Justice Information Services) Security Policy

    • DFARS (Defense Federal Acquisition Regulation Supplement)

    • DISA SRG (Defense Information Systems Agency Security Requirements Guide)

    • FedRAMP (Federal Risk and Authorization Management Program)

    • FERPA (Family Educational Rights and Privacy Act)

    • FISMA (Federal Information Security Management Act) Baseline

    • IRS (Internal Revenue Service) 1075

    • MARS-E (Minimum Acceptable Risk Standards for Exchanges)

    • NIST 800-171

  • SOC-1 and SOC-2

Attestation or accreditation reports for standards and regulations are available upon request through an Oracle account representative.