4 Payment Card Industry (PCI) standards

Some of the Oracle Hospitality Integration Platform APIs let you send cardholder data, so the Oracle Hospitality Integration Platform is in scope for PCI DSS. Client systems that send or receive cardholder data through those APIs are also in scope for PCI DSS, so follow these standards:

Payment Card Industry Payment Applications - Data Security Standard (PCI PA-DSS) https://www.pcisecuritystandards.org/security_standards/index.php

Payment Card Industry Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org/security_standards/index.php

PCI Requirements

The Oracle Hospitality Integration Platform follows the twelve PCI DSS requirements, listed here under the standard's six goals:

  • Build and maintain a secure network and systems

    • Install and maintain a firewall configuration to protect cardholder data

    • Do not use vendor-supplied defaults for system passwords and other security parameters

  • Protect cardholder data

    • Protect stored cardholder data

    • Encrypt transmission of cardholder data across open, public networks

  • Maintain a vulnerability management program

    • Protect all systems against malware and regularly update anti-virus software or programs

    • Develop and maintain secure systems and applications

  • Implement strong access control measures

    • Restrict access to cardholder data by business need-to-know

    • Identify and authenticate access to system components

    • Restrict physical access to cardholder data

  • Regularly monitor and test networks

    • Track and monitor all access to network resources and cardholder data

    • Regularly test security systems and processes

  • Maintain an information security policy

    • Maintain a policy that addresses information security

Handling of Sensitive Authentication Data (PA-DSS 1.1.5)

Oracle Hospitality Integration Platform does not store sensitive authentication data, and we strongly recommend that you do not store it either. If for any reason you must do so, follow these guidelines when handling sensitive authentication data used for pre-authorization (swipe or track data, card validation values or codes, and PIN or PIN block data):

  • Collect sensitive authentication data only when needed to solve a specific problem

  • Store such data only in specific, known locations with limited access

  • Collect only the limited amount of data needed to solve a specific problem

  • Encrypt sensitive authentication data while stored

  • Securely delete such data immediately after use

Secure Deletion of Cardholder Data (PA-DSS 2.1)

Oracle Hospitality Integration Platform does not store cardholder data and therefore there is no data to be purged by the application as required by PA-DSS v3.2.

Any cardholder data you store outside of the application must be documented and you must define a retention period at which time you will securely delete (render irretrievable) the stored cardholder data. When defining a retention period you must take into account legal, regulatory, or business purpose.

All underlying software (including operating systems and database systems) must be configured to prevent the inadvertent capture of PAN, for example in logs, traces, crash dumps, or backups. Instructions for configuring the underlying operating systems or databases can be found in Inadvertent Capture of PAN.

PCI-Compliant Wireless Settings (PA-DSS 6.1.a and 6.2.b)

Oracle Hospitality Integration Platform must not be accessed using wireless technologies. However, should any systems downstream of the client system implement wireless access to the client system, the following guidelines for secure wireless settings must be followed to ensure cardholder data is secure end to end, per PCI DSS requirements 1.2.3, 2.1.1 and 4.1.1:

PCI DSS section 1.2.3: Perimeter firewalls must be installed between any wireless networks and systems that store cardholder data, and these firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

PCI DSS section 2.1.1: Change wireless vendor defaults as follows:

  • Encryption keys must be changed from default at installation, and must be changed anytime anyone with knowledge of the keys leaves the company or changes positions

  • Default SNMP community strings on wireless devices must be changed

  • Default passwords or passphrases on access points must be changed

  • Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks

  • Other security-related wireless vendor defaults, if applicable, must be changed

PCI DSS section 4.1.1: Industry best practices (for example, IEEE 802.11i) must be used to implement strong encryption for authentication and transmission of cardholder data.

Never Store Cardholder Data on Internet-accessible Systems (PA-DSS 9.1.c)

Never store cardholder data on Internet-accessible systems. For example, a web server and the database server that holds cardholder data must not run on the same host.

Maintain an Information Security Program

In addition to the security recommendations included in this document, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data.

The following is a very basic plan that every client system owner or provider should adopt when developing and implementing a security policy and program:

  • Read the PCI DSS in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI requirements.

  • Once the gaps are identified, determine the steps to close the gaps and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls, or increasing the logging and archiving procedures associated with transaction data.

  • Create an action plan for on-going compliance and assessment.

  • Implement, monitor and maintain the plan. Compliance is not a one-time event. Regardless of merchant or service provider level, all entities should complete annual self-assessments using the PCI Self-Assessment Questionnaire.

  • Call in outside experts as needed.