Friday, February 15, 2008

Compliance: What is PCI compliance, and the solution

PCI stands for Payment Card Industry, a consortium of the major credit card brands (VISA, MasterCard, American Express, Discover Card, and JCB International) formed to create a Data Security Standard (DSS). This is popularly known as PCI DSS.

PCI DSS consists of 12 broad requirements, such as protecting the network, protecting the data channel using SSL, implementing tight access control mechanisms, and protecting the cardholder data.

Of all the requirements, protecting the cardholder data is the one that generally takes the most effort to implement, because the solution must be built into the core data store and its access paths.

Historically: for mainframe and client/server applications, the solution has typically been to maintain the public key as part of the client application, in the form of a DLL or EXE that encrypts/decrypts the data.

Building Composite Applications: using an SOA framework has its own advantages, but implementing PCI compliance falls on the disadvantage side. This is because there are so many loosely coupled components to maintain, such as services, processes, composite services and J2EE applications, that typically reside outside of the database.

The solution is twofold:
1. Buy technology that supports PCI compliance. Examples include a combination of technologies such as Oracle Advanced Security (ASO), Oracle Data Vault and/or Oracle Virtual Private Database (VPD).

2. Build a custom solution using encrypt/decrypt functions in the database, based on a public/private key infrastructure.
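As an added example (not from the original post), here is solution 2 sketched in PL/SQL: a package of encrypt/decrypt functions that lives in the database, so application components outside the database never see the key. DBMS_CRYPTO offers only symmetric ciphers, so the example uses AES-256-CBC with a per-row random IV rather than a public/private key pair; the key retrieval helper key_mgmt.current_key and the grantee app_schema are assumed names.

```sql
-- Added example: encrypt/decrypt functions kept inside the Oracle database.
-- Ciphertext is stored as IV || AES-256-CBC(PAN) so the IV can be recovered.
CREATE OR REPLACE PACKAGE pan_crypto AS
  FUNCTION encrypt_pan(p_pan IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_pan(p_blob IN RAW) RETURN VARCHAR2;
END pan_crypto;
/

CREATE OR REPLACE PACKAGE BODY pan_crypto AS
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  -- Hypothetical key retrieval: key_mgmt.current_key is an assumed helper
  -- returning a 32-byte RAW from a wallet or HSM, never from a plain table.
  FUNCTION pan_key_lookup RETURN RAW IS
  BEGIN
    RETURN key_mgmt.current_key('PAN_AES256');
  END;

  FUNCTION encrypt_pan(p_pan IN VARCHAR2) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per row
  BEGIN
    RETURN UTL_RAW.CONCAT(
      l_iv,
      DBMS_CRYPTO.ENCRYPT(
        src => UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
        typ => c_mode, key => pan_key_lookup, iv => l_iv));
  END;

  FUNCTION decrypt_pan(p_blob IN RAW) RETURN VARCHAR2 IS
    l_iv RAW(16)   := UTL_RAW.SUBSTR(p_blob, 1, 16);  -- leading 16 bytes
    l_ct RAW(2000) := UTL_RAW.SUBSTR(p_blob, 17);     -- remainder
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
      DBMS_CRYPTO.DECRYPT(src => l_ct, typ => c_mode,
                          key => pan_key_lookup, iv => l_iv),
      'AL32UTF8');
  END;
END pan_crypto;
/

-- Only the application schema may call the package; decrypt_pan can be
-- restricted further to authorized roles with VPD or Data Vault.
GRANT EXECUTE ON pan_crypto TO app_schema;
```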

We have implemented both of the above solutions; each has advantages depending on the customer requirements and the IT goals of the organization.
