PCI DSS Compliance is Essential for the Secure Handling of Credit Card Data and Customer Information
Maintaining payment security is essential for every business that processes credit card transactions or holds credit card data. The Payment Card Industry (PCI) Data Security Standards (DSS) are global standards, most recently updated in May 2018. The requirements of this global association are both highly detailed and very clear — it is the responsibility of every organization to ensure compliance in order to protect customer data.
The Java Security and Support Challenge
Many organizations throughout the payments industry have deployed systems that are at least partially developed using the Java programming language. Java has been a critical technology for web-based systems and card processing platforms since the late 1990s, and will remain an essential language for many years to come.
Since 2017, Oracle has driven a new six-month release and support cadence for Java, featuring releases every six months, with long-term support releases made available every three years. Java 9, 10, 12, 13, 14, 15 and 16 will each be supported for six months, after which support for that release ends. A
In addition, publicly available security updates and bug fixes for Java 8 and 11 ended in January 2019.
If your operation relied upon free, publicly available security updates from Oracle (part of their quarterly Critical Patch Update cycle prior to January 2019, and a feature of Java for over 20 years), that access has ended unless you have either signed a contract with Oracle or explored alternatives.
PCI Compliance Requires Security Updates Within 30 Days
Per the June 30, 2018 PCI deadline for all processors of credit card data to move away from SSL, if your software is not updated within 30 days (see page 55, below) of the release of security patches under a support contract, your compliance with the PCI DSS is in jeopardy. As of January 2019, you no longer have access to free public security updates from Oracle.
How does your organization ensure its Java is secure?
PCI DSS Page 55, Revised May 17, 2018 — Emphasis added
Of course, you can ink a Java Support contract with Oracle (the quoted price may be staggering) — or you can explore alternatives.
Maintaining PCI Certification — How Zulu Enterprise Can Help
Zulu Enterprise is the Azul-supported build of OpenJDK. We offer fully certified, tested, secure and supported releases of Java SE 6-8, Java 11, 13 and 14.
Azul provides timely security updates, stability patches, and bug fixes to Zulu Enterprise to our commercial customers with plenty of time to meet the PCI DSS standard, which requires security updates to be applied and implemented within 30 days of release under a vendor’s support contract.
Azul also back-ports patches from the most recent builds of Java to prior releases, ensuring that security issues, once publicized, cannot be effectively ‘weaponized.’
If your operation requires compliance with the PCI DSS standard, or other data security standards such as HIPAA, and you are interested in a proven alternative to Oracle’s proprietary Java solutions, please contact us. We’ll show you how Zulu Enterprise can ensure that you have a proven, cost-effective ability to keep your Java environments in compliance.