6 Payment Card Industry (PCI) Standards

Although OPERA Hospitality Distribution does not accept customer card data directly, some APIs still let you send cardholder data, so OPERA Cloud Distribution is in scope for the Payment Card Industry Data Security Standard (PCI DSS). Client applications that send cardholder data are also in scope for PCI DSS and must follow these standards:
  • Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS).

  • Payment Card Industry Data Security Standard (PCI DSS).

PCI Requirements

OPERA Cloud Distribution follows these standards:
  • Build and maintain a secure network and systems.
    • Install and maintain a firewall configuration to protect cardholder data.

    • Do not use vendor-supplied defaults for system passwords and other security parameters.

  • Protect cardholder data.
    • Protect stored cardholder data.

    • Encrypt transmission of cardholder data across open, public networks.

  • Maintain a vulnerability management program.
    • Protect all systems against malware and regularly update anti-virus software or programs.

    • Develop and maintain secure systems and applications.

  • Implement strong access control measures.
    • Restrict access to cardholder data by business need-to-know.

    • Identify and authenticate access to system components.

    • Restrict physical access to cardholder data.

  • Regularly monitor and test networks.
    • Track and monitor all access to network resources and cardholder data.

    • Regularly test security systems and processes.

  • Maintain an information security policy.
    • Maintain a policy that addresses information security.

Handling of Sensitive Authentication Data (PA-DSS 1.1.5)

OPERA Cloud Distribution does not store sensitive authentication data, and Oracle strongly recommends against storing it. If you nevertheless store sensitive authentication data used for pre-authorization (swipe data, validation values or codes, PIN or PIN block data), you must adhere to the following guidelines:
  • Collect sensitive authentication data only when needed to solve a specific problem.

  • Store such data only in specific, known locations with limited access.

  • Collect only the limited amount of data needed to solve a specific problem.

  • Encrypt sensitive authentication data while stored.

  • Securely delete such data immediately after use.

Secure Deletion of Cardholder Data (PA-DSS 2.1)

Any cardholder data received by OPERA Cloud Distribution is stored in a secure database. All sensitive data in the database is encrypted by default. All data is purged by the application periodically per PA-DSS v3.2.

PCI-Compliant Wireless Settings (PA-DSS 6.1.a and 6.2.b)

OPERA Cloud Distribution must not be accessed using wireless technologies. However, should any systems downstream of the client system implement wireless access to the client system, you must adhere to the following guidelines for secure wireless settings to ensure cardholder data is secure end-to-end per PCI Data Security Standard 1.2.3, 2.1.1 and 4.1.1:

PCI DSS section 1.2.3: Perimeter firewalls must be installed between any wireless networks and systems that store cardholder data, and these firewalls must deny or control any traffic (if such traffic is necessary for business purposes) from the wireless environment into the cardholder data environment.

PCI DSS section 2.1.1: Change wireless vendor defaults as follows:
  • Encryption keys must be changed from default at installation and must be changed any time anyone with knowledge of the keys leaves the company or changes positions.

  • Default SNMP community strings on wireless devices must be changed.

  • Default passwords or passphrases on access points must be changed.

  • Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks.

  • Other security-related wireless vendor defaults, if applicable, must be changed.

PCI DSS section 4.1.1: Industry best practices (for example, IEEE 802.11i) must be used to implement strong encryption for authentication and transmission of cardholder data.

Never Store Cardholder Data on Internet-accessible Systems (PA-DSS 9.1.c)

Never store cardholder data on Internet-accessible systems. For example, a web server and a database server must not reside on the same server.

Maintain an Information Security Program

In addition to the security recommendations included in this document, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data.

The following is a basic plan every client system owner should adopt in developing and implementing a security policy and program:
  • Read the PCI DSS in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI requirements.

  • Once the gaps are identified, determine the steps to close the gaps and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls or increasing the logging and archiving procedures associated with transaction data.

  • Create an action plan for ongoing compliance and assessment.

  • Implement, monitor, and maintain the plan. Compliance is not a one-time event. Regardless of merchant or service provider level, all entities should complete annual self-assessments using the PCI Self-Assessment Questionnaire.

  • Call in outside experts as needed.