Earlier this month, Oracle Cloud Infrastructure (OCI) published a Reference Architecture that merchants can use to quickly build an OCI environment designed to meet the intent and rigor of the Payment Card Industry Data Security Standard (PCI DSS). Merchants moving into online credit card transactions often struggle to architect a secure and available framework that satisfies industry standards such as PCI DSS, so this Reference Architecture should reduce the confusion surrounding initial compliance and demystify some of the standard's more difficult requirements. Schellman had the privilege of working with the OCI team and reviewed the Reference Architecture as an independent assessor; during that review, we identified the following key advantages:
It introduces a platform topology using architectural and network diagrams so customers may have a baseline to build a compliant environment and add on to the existing infrastructure as needed.
It includes component overviews to help customers better understand how each different system and service can be used to create a compliant merchant environment.
It provides an infrastructure-as-code template to customers to facilitate an easy download and deployment of the Reference Architecture environment from GitHub.
It recommends best practices that enable customers to configure and more easily manage the environment while becoming PCI compliant, once the Reference Architecture is deployed within one of OCI’s PCI DSS validated regions.
It incorporates sample policies and standards that can be used as a baseline to modify and create the appropriate policies for any organization that uses the Reference Architecture.
Because the Reference Architecture is built on OCI's PCI DSS validated services and is integrated with Stripe's Payment API for processing credit card transactions, the environment is not designed to store cardholder data. This may significantly reduce the scope of a merchant's cardholder data environment (CDE). Merchants in the e-commerce space, or those that accept credit cards through other channels, may still be required to undergo their own PCI DSS validation; however, using this Reference Architecture should still make it easier for OCI's existing merchant customers to set up and secure the initial CDE.
About the Authors
Doug Kanney is a Principal at Schellman & Company based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 15 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.
Joe O'Donnell is a Manager with Schellman and is mainly dedicated to the PCI and PCI specialty service lines. Joe previously worked in Enterprise Risk Management consulting. He has managed IT reviews in support of the financial audit and helped with various engagements including, but not limited to, SOC reports, penetration testing and vulnerability scanning, SOX, HIPAA, and bank audits. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst, where he gained experience in IT systems analysis and data center operations.