Who is responsible for each of the Payment Card Industry Data Security Standards (PCI DSS) controls?
Environment:
PCI pods (Includes US Federal Government pods)
Resolution:
Oracle and its B2C Service customers share responsibility for ensuring that an Oracle B2C Service implementation meets the Payment Card Industry Data Security Standard (PCI DSS) V3.2.1 (until March 2024) and V4.0 controls. While the PCI DSS covers all forms of credit card processing, not all of its requirements may apply to your business model and your usage of B2C Service.
Oracle B2C Service is assessed annually against the PCI DSS controls, but that assessment covers only the environment Oracle operates as your Cloud Service Provider and the software as delivered "out of the box". Customers may extend and customize the solution to meet their business needs, but those customizations are not covered by Oracle's annual PCI assessment. Any customizations you make need to be reviewed before they are moved into your production site. If you want to discuss a new customization, please contact your Technical Account Manager. To help clarify the roles and responsibilities for performing tasks related to the PCI DSS controls, we are providing the attached Ownership Matrices (see below).
For more information, see the following resources:
PCI (PC Pod) Frequently Asked Questions
Guidance for Implementing in PCI or HIPAA Service Cloud Environment.