Engineered Systems and PCI
- by Joel Weise
Oracle has a number of different engineered systems. These are designed to be highly integrated, optimized and secure systems. The Exadata database engineered system and the Exalogic application engineered system are two good examples. Often I am asked how these comply with different standards and regulations. Exalogic is the Oracle engineered system that supports applications and is the focus of today's blog.
First, we must recognize that because Exalogic is a collection of hardware and software, we cannot simply state that it is "compliant" with PCI DSS. This is because Exalogic must be implemented within the context of one's existing IT infrastructure, the security features of that infrastructure, the governance framework that exists, security policies, operational procedures, and other factors. What we can say, though, is that Exalogic has been designed with various security capabilities that can be utilized to support compliance with PCI DSS as well as other standards and regulations (e.g., NIST and HIPAA). Given that, Exalogic can be an excellent platform for running PCI-related payment applications. Coalfire Systems, a leading QSA in the US, has evaluated Exalogic against PCI DSS and supports this position. Their evaluation can be found here: Exalogic and PCI Compliance.
I hope you find it useful.