Download and deploy the first independently assessed PCI-compliant reference architecture

Andrew Hahn
Cloud and Architecture Content Manager

Patrick Lamphere, Director, OCI Regulated Markets Product Development

Our online retail customers often ask us, “How can my organization store credit card data on Oracle Cloud Infrastructure (OCI)?” One of the best ways to quickly build an environment that meets an industry framework is to use a reference architecture to design your applications.

If you have workloads that store, process, or transmit credit card information, you need to secure your systems and design the data security policies in a payment card industry (PCI)-compliant way. With our new PCI reference architecture, OCI is the first cloud provider to deliver a PCI-compliant deployment solution that’s been validated by a third-party auditor, Schellman & Company.

A reference architecture is a framework that introduces a platform topology, using architectural diagrams, a component overview, and recommendations for best practices. Reference architectures save time by providing industry best practices and optimized code.

Obtaining the Schellman & Company assessment was an extra step that we took to ensure that your deployments using our reference architecture meet the Payment Card Industry Data Security Standard (PCI-DSS) requirements. When obtaining your PCI certification, you can reduce both time and cost by using our audited PCI reference architecture to satisfy your own audit requirements.

Deploy a fully functioning, PCI-compliant e-commerce site

The PCI reference architecture is more than a collection of configuration scripts: it also includes a sample e-commerce site built on the Spring Framework that meets the requirements of PCI-DSS. Using the included sample policies and standards, you can build out a PCI-compliant information security management system (ISMS).

Figure 1: PCI reference architecture

Built on open source and Oracle

The architecture includes a fully functional e-commerce application built on OCI and Oracle Autonomous Linux. The PCI reference architecture is written in Java using the Spring Framework and uses the following OCI services and features:

  • Audit

  • ATP Database

  • Autoscaling

  • Block Storage

  • Compute

  • DHCP

  • DNS

  • Internet gateway

  • Load balancers

  • NAT gateways

  • Object Storage

  • Route tables

  • Security lists

  • Service gateway

  • Vault

  • Virtual cloud networks

  • Web application firewall

With OCI and Oracle Autonomous Linux, the PCI reference architecture uses the following open source tools:

  • Apache Tomcat

  • CINC

  • ClamAV

  • Elasticsearch

  • Kibana

  • Logstash

  • Lynis

  • Nmap

  • OATH toolkit

  • SCIP Vulscan

  • Spring Framework

  • Suricata

  • Wazuh

The PCI reference architecture is integrated with the Stripe Payment API for processing credit cards.

Ease of use

Using modular Terraform and CINC scripts, you can swap components using the tools of your choice. Updating the website is as simple as following these steps:

  1. Upload a new .war file to Object Storage.

  2. End the running web server instances.

Autoscaling automatically deploys new hosts, pulling in the latest configuration on startup, and all OS updates are handled automatically by Oracle Autonomous Linux.

The PCI reference architecture joins over 200 existing reference architectures, Quick Starts, and Solutions Playbooks from Oracle and our partners. Read more about the PCI Reference Architecture by visiting Oracle’s Architecture Center.

To get started, download the PCI reference architecture on GitHub, making deployment a ‘git pull’ away!
