Oracle Vault can provide the PCI-DSS requirement 3.6.6 that split knowledge/dual control of keys re
Can opening of the wallet keys be automated through Oracle Vault? Can step 6 below be automated so two users do not have to log in after the cold backup every Sunday morning at 3 AM or after the instance is shut down each time? What if one of the users is out of town on vacation and Oracle crashes?
Per note 1062413.1, it says:
How to fulfill PCI-DSS requirement 3.6.6 (Split knowledge and establishment of dual control of cryptographic keys). Basically the TDE wallet password should be split into at least two parts and each part should be known by different individuals.
Oracle can fulfill this indirectly if Database Vault is installed. Database Vault can enforce a rule that would allow "ALTER SYSTEM SET WALLET/SET ENCRYPTION" commands only when two or three named users are connected to the database. It is clear that those users can connect to the database only if they provide a password known to them only. This way we achieve indirectly the requirement 3.6.6 of the PCI standard. In the following example the ALTER SYSTEM commands used to manipulate the wallet will succeed only if users WALLET1 and WALLET2 are connected to the database
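The example from the note is not reproduced in the post. The following is an added sketch of the kind of rule the quoted text describes, not the note's own code: a Database Vault command rule on ALTER SYSTEM backed by a function that passes wallet statements only while WALLET1 and WALLET2 both hold sessions. The SEC_ADMIN schema, the function name and the rule and rule set names are assumptions, and it assumes no ALTER SYSTEM command rule is defined yet (where one is, DBMS_MACADM.UPDATE_COMMAND_RULE takes the same arguments).

```sql
-- Added illustration. SEC_ADMIN and every object name below are assumed.
-- SEC_ADMIN needs a direct grant: GRANT SELECT ON sys.v_$session TO sec_admin;
CREATE OR REPLACE FUNCTION sec_admin.wallet_dual_control_ok (p_sql IN VARCHAR2)
  RETURN NUMBER
IS
  v_present NUMBER;
BEGIN
  -- ALTER SYSTEM statements that do not touch the wallet are not restricted.
  -- A NULL statement text falls through to the custodian check (fails closed).
  IF UPPER(p_sql) NOT LIKE '%WALLET%' AND UPPER(p_sql) NOT LIKE '%ENCRYPTION%' THEN
    RETURN 1;
  END IF;
  -- Wallet statements pass only while both named custodians hold a session.
  SELECT COUNT(DISTINCT username) INTO v_present
    FROM sys.v_$session
   WHERE username IN ('WALLET1', 'WALLET2');
  RETURN CASE WHEN v_present = 2 THEN 1 ELSE 0 END;
END;
/
GRANT EXECUTE ON sec_admin.wallet_dual_control_ok TO dvsys;

-- Run the block below as the Database Vault owner (DV_OWNER role).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Both wallet custodians connected',
    rule_expr => 'SEC_ADMIN.WALLET_DUAL_CONTROL_OK(DVSYS.DV_SQL_TEXT) = 1');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Wallet dual control',
    description     => 'Wallet commands need WALLET1 and WALLET2 connected',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Wallet operation requires WALLET1 and WALLET2 sessions',
    fail_code       => -20901,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Wallet dual control',
    rule_name     => 'Both wallet custodians connected');
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Wallet dual control',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```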