For any business that processes, transmits, or stores payment card information, fraud is a dominant concern. According to The Nilson Report (Issue 1068, July 2015), the worldwide payment card industry experienced $16.31 billion in fraud-related losses last year. Indeed, reports of payment card fraud or data compromise against major retail or banking organizations are recurring stories in the news.
In 2004 leading vendors in the card services industry collaborated in an effort to define a unified set of cardholder data protection standards. They formed the PCI Security Standards Council to create and maintain the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS outlines a set of requirements for evaluating the handling and storage of cardholder information and authentication data. These requirements constitute the basis of internal security reviews, periodic evaluations, and formal compliance assessments. The current PCI DSS standard (revision 3.1) defines 12 requirement categories that apply to operational practices, staff responsibilities, and technology components in the cardholder data environment (CDE). It addresses system and data protection mechanisms that must be in place across equipment, services, and applications.
This paper describes best practices for Oracle Linux implementations and Oracle Linux operating system (OS) features that help to meet requirements listed in the PCI DSS Requirements and Security Assessment Procedures document. It discusses deployment strategies that can narrow the scope of a PCI DSS assessment and improve overall system and data security. It examines each of the 12 requirement categories, highlighting Oracle Linux features, implementation practices, and relevant Oracle technologies that can help to achieve PCI DSS compliance.
Implementing Oracle Linux securely is only one design aspect in achieving an overall PCI DSS-compliant infrastructure. The goal of this paper is to help businesses safeguard cardholder data in an Oracle Linux deployment. Additional security mechanisms are required for other infrastructure components—along with effective configuration architectures and sound operational practices—to realize a fully compliant PCI DSS environment.