Updated guidance to customer for PCI compliance on Oracle Cloud Infrastructure

Sanjay Basu

Note: My original blog series was published in ORACLE CLOUD INFRASTRUCTURE blog site. I have republished it here with permission.

Official Disclaimer: The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of Oracle Corporation.

This blog is an update and continuation of the blog published on August 20, 2018, explaining how to use underlying security controls for achieving PCI compliance for customer environments on Oracle Cloud Infrastructure (OCI). Over the past two years, we’ve added scores of security and security-focused services that customers can use to achieve PCI and other industry-specific regulatory compliance.


The high-level guidance from PCI Security Standards Council has 12 detailed requirements across the following sections:

  • Build and maintain a secure network and system.

  • Protect cardholder data.

  • Maintain a vulnerability management program.

  • Implement strong access control measures.

  • Regularly monitor and test networks.

  • Maintain an information security policy.

Through our attestation, we’ve already met other requirements for shared hosting providers. The following OCI services have the PCI DSS attestation of compliance:

  • Compute

  • Networking

  • Load Balancing

  • Block Volumes

  • Object Storage

  • Archive Storage

  • File Storage

  • Data Transfer service

  • Database

  • Exadata

  • Container Engine for Kubernetes

  • Container Registry

  • FastConnect

  • Governance

For more information, view and download compliance documents from the Oracle Cloud Console. I’ve provided a list of new services that we’ve added across all six sections, along with the services mentioned in the original blog.

Build and maintain a secure network and system

Requirement 1A: Install and maintain a firewall configuration to protect cardholder data.

You can get more protection with firewall appliance images available from Oracle Cloud Marketplace.

Requirement 1B: Don’t use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

Requirement 2A: Protect stored cardholder data.

  • Existing solution: Protects data at rest. By default, Oracle Cloud Infrastructure Block, File, and Object Storage are encrypted.

  • New solution: When you create an instance, you can encrypt data in transit from the instance to the storage enclave using TLS 1.2.

Oracle Cloud Infrastructure Security Zones enforces more than 30 security protections.

Requirement 2B: Encrypt and protect transmission of cardholder data across open, public networks.

  • Existing solution: All our control and management plane communications are protected with TLS, which is necessary for the PCI DSS attestation. We also recommend using TLS (not SSL) and front-ending the application with our load balancers, as required. We recommend using SSH, IPSec VPN, and FastConnect.

  • New solution: Oracle Cloud Infrastructure Web Application Firewall.

Maintain a vulnerability management program

Requirement 3A: Protect all systems against malware and regularly update antivirus software or programs.

  • Existing solution: Ensure that anti-virus software is deployed at the OS level using Oracle Cloud Infrastructure Native Web Application Firewall.

  • New solution: Platinum Partner solutions from McAfee and Cybereason from Oracle Cloud Marketplace

Oracle and McAfee partner on first cloud native security operation center.

Requirement 3B: Develop and maintain secure systems and applications.

  • Existing solution: To develop and maintain secure systems, have a patch management policy in place and use a managed cloud service provider.

  • New solution: Oracle and McAfee partner on first cloud native security operation center.

Implement strong access control measures

Requirement 4A: Restrict access to cardholder data by business need-to-know. Identify and authenticate access to system components.

  • Existing solution: Review documentation on Identity and Access Management (IAM) controls for compartments and policies. We also suggest using Oracle IDCS for further security controls around access policies. For Oracle Container Engine for Kubernetes, our solution is to use Kubernetes role-based access control with IAM.

  • New solution: IAM Policy Templates, Compartment Explorer, federation with Microsoft Active Directory and Azure Directory, and SSO Integration with IdPs like Ping and Okta.

Requirement 4B: Restrict physical access to cardholder data.

  • Existing solution: Covered under our physical security controls for the data center at the availability domain and region level. We have ISO 27001 certification and SOC 1, SOC 2, and SOC 3 attestations, which provide the basis for control testing relevant to our PCI DSS Attestation of Compliance.

  • New solution: On-going certifications and access to all regulatory attestation and certification documents for viewing and downloading through the Cloud Console access.

Regularly monitor and test networks

Requirement 5A: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.

  • Existing solution: Use Oracle CASB and Audit services for monitoring. Integrate CASB and audit logs with existing SIEM solutions. Schedule regular penetration testing of environments based on OCI, using Pen Testing on OCI and Schedule Pen Test through UI.

  • New solution: Oracle Cloud VCN flow logs, enhanced Logging service, and Cloud Guard Automatic Detection and Remediation service.

“This service constantly monitors a company’s cloud configurations and activities to spot threats and security risks, such as a suspicious IP address or a login from an unusual location. IT teams can set up Oracle Cloud Guard, so that it either automatically remediates the risk—by quarantining or shutting down such activity—or alerts a person who can authorize the remediation.” Forbes.com

Maintain an information security policy

Requirement 6A: Maintain a policy that addresses information security for all personnel.

  • Existing solution: While customers are responsible for their security policies, we’re happy to help in any way we can. Most customers have existing security policies, and our team can help with cloud (IaaS, PaaS, or SaaS) specific perspectives and security policy.

  • New solution: Both included and paid services with consulting available from Oracle North America Cloud Engineering. Contact your Oracle Cloud sales representative or Oracle account manager.


I hope these steps simplify the road to PCI compliance for your environments on Oracle Cloud Infrastructure. Look out for more blogs, white papers and technical briefs, and infrastructure security as code (ISaC) for security and compliance on the cloud to ease your migration to Oracle Cloud.


Post a Comment

Popular posts from this blog

OCI Object Storage: Copy Objects Across Tenancies Within a Region

Religious Perspectives on Artificial Intelligence: My views

The Legal Rights of an Algorithm