9/12/13

Document Display

FAQ: Release 11i Oracle Payments and PA-DSS (Doc ID 1101213.1)

Modified: Feb 12, 2013

Type: FAQ

Status: PUBLISHED

Priority: 2

In this Document
Purpose
Questions and Answers
1. What is PA-DSS and what does it mean to be compliant?
2. Does Oracle know of any partners/vendors who offer a tokenization solution?
3. What is the potential impact to customers if their payment application is not PA-DSS compliant by 1-Jul-2010?
4. Where can I find a list of Validated Payments Applications?
References

APPLIES TO:
Oracle Payables - Version 11.5.10.0 to 11.5.10.2 [Release 11.5]
Oracle iReceivables - Version 11.5.10.0 to 11.5.10.2 [Release 11.5.10]
Oracle Internet Expenses - Version 11.5.10.0 to 11.5.10.2 [Release 11.5]
Oracle Advanced Collections - Version 11.5.10.0 to 11.5.10.2 [Release 11.5.10]
Oracle Payments - Version 11.5.10.0 to 11.5.10.2 [Release 11.5]
Information in this document applies to any platform.
Checked for relevance on 12-Feb-2013.

PURPOSE
The purpose of this document is to provide a list of frequently asked questions for our Release 11i customers who are
seeking a PA-DSS solution.

QUESTIONS AND ANSWERS

EBS Release 11i customers are strongly encouraged to upgrade to R12.1
where PA-DSS certification efforts will be focused.

1. What is PA-DSS and what does it mean to be compliant?

PA-DSS is a subset of the overall PCI DSS compliance requirements. PA-DSS stands for Payment Applications Data
Security Standard and it applies to payment processing applications such as Oracle Payments/iPayment. PCI DSS
compliance refers to the overall compliance of your system including network, firewall, data storage, applications etc.
Customers are responsible for achieving overall PCI DSS compliance.
Oracle will be completing PA-DSS compliance for EBS Release 12. Oracle is NOT planning to bring Release 11i into PADSS compliance. Oracle recommends tokenization as an alternative to PA-DSS compliance for 11i customers.
Tokenizaton is the process of replacing sensitive instrument data (for example, credit card numbers) with an
alphanumeric, non-identifiable token. This token will be stored in the application instead of real instrument data, thus
eliminating the need for PA-DSS compliance. For this alternative, customers will need to integrate with a PA-DSS
compliant third party tokenization solution provider.
https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_adf.ctrl-state=ozvxy8jvv_33

1/2

9/12/13

Document Display

2. Does Oracle know of any partners/vendors who offer a tokenization solution?

Here are two partners (Cybersource and Princeton Payment Solution) who are PA-DSS compliant and can offer
tokenization solutions. For up to date tokenization partner information, please refer to the Oracle Partner Network site.
DISCLAIMER: Oracle does not endorse any partners that provide tokenization solutions, nor do we have marketing
agreements with these partners for such. In addition, Oracle has not validated nor tested the solutions offered by
these partners.

3. What is the potential impact to customers if their payment application is not PA-DSS compliant
by 1-Jul-2010?
The potential impact could be that your credit card processors (e.g., Paymentech or FirstData) will stop processing
your credit card payments. We recommend customers consult with their credit card processors to determine the
impact.

4. Where can I find a list of Validated Payments Applications?

You will find this information on the PCI Security Standard Council web site. Access the PCI SSC link,. then click
Accept. Lastly, select a vendor from the list of values.

REFERENCES
NOTE:1098843.1 - Oracle Payments - PA-DSS (Payment Applications Data Security Standards) update for Release 11i
NOTE:981033.1 - Oracle Payment Application Data Security Standard (PA-DSS) Consolidated Patch Release Notes,
Release 12.1.2

https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_adf.ctrl-state=ozvxy8jvv_33

2/2