Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric
Innovative Payment Card Solutions

Minimize the Impact of PCI Section 3 on SAP Applications
A New Approach to Credit Card Encryption

© 2008 Paymetric, Inc. All rights reserved.
Contents

Introduction
PCI Requirement 3: The Biggest Obstacle to Compliance
The Challenges of Encryption
The Mandate: Keep Cardholder Data Storage to a Minimum
A New Approach to Encryption Management for Heterogeneous SAP Environments
An Introduction to XiSecure
Conclusion
Encryption represents one of the most important mandates for PCI compliance—and it also represents one of the most difficult requirements to implement successfully and cost effectively for companies that run SAP. This paper describes a new approach to managing encrypted data in SAP that significantly strengthens an organization's security posture, while minimizing the impact of PCI compliance on SAP.
PCI Requirement 3: The Biggest Obstacle to Compliance
With the advent of the Payment Card Industry Data Security Standard (PCI DSS), encrypting stored credit card numbers is no longer optional. Any company that stores, processes, or transmits credit card information—regardless of size or volume of transactions—must encrypt stored credit card data or face serious consequences for non-compliance, including fines of up to $500,000, the loss of brand integrity, and erosion of market value.

While the PCI standard offers broad guidance—featuring rules on the proper use of firewalls, computer access controls, antivirus software, and more—it is the encryption requirements that are proving to be among the most difficult for organizations to address. According to a study conducted by Verisign Global Security Consulting Services, failure to address the data encryption requirements found in section 3 of PCI is the most common reason for failing a PCI audit:
“Companies were most frequently non-compliant with Requirement 3 of the PCI Data Security Standard; 79 percent of the failed assessments did not meet the requirement to protect stored data (that is, they did not encrypt data).” — Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them, Verisign Global Security Consulting Services.
What does requirement 3 say, and why is it so challenging? Titled “Protect Stored Cardholder Data”, this requirement focuses on all the aspects essential to ensuring that stored payment data remains safe. This requirement applies to essentially any system in which cardholder data is stored, including applications, databases, backup tapes, and portable digital media.

Requirement 3 includes these mandates:

• Minimize the amount of credit card information stored.
• Encrypt credit card data that remains stored.
• Protect encryption keys against both disclosure and misuse.
• Implement sound key management processes.
• Rotate encryption keys annually.

Selected Section 3 Requirements that Centralization and Tokenization Helps Address

Rule    Requirement
3.0     Encryption is a critical component of cardholder data protection.
3.1     Keep cardholder data storage to a minimum.
3.4     Render account number unreadable through… strong cryptography and associated key management
3.5     Restrict access to keys to the fewest number of custodians necessary
3.5.2   Store keys securely in the fewest possible locations and forms
3.6     Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data
3.6.4   Periodic changing of keys…at least annually
The Challenges of Encryption in SAP

While most security professionals recognize the merits of encrypting credit card data, they often struggle with the limitations inherent in SAP. The SAP Cryptographic Library (SAPCRYPTOLIB) functionality offers a starting point for native encryption logic in SAP ERP. Basis Administrators can download the library relevant to their operating system and configure SAP to encrypt credit card data. SAP Note 766703 answers frequently asked questions about credit card number encryption logic in the SAP R/3 and SAP ERP products. Other notes offer similar guidance for other SAP products. However, security professionals must address the encryption limitations in native SAP enumerated below.
• Limited Tables. Encryption functionality in SAP R/3 and SAP ERP secures payment card number data in only four tables: two tables related to storage of card numbers on customer master records, VCKUN and VCNUM; a third table related to storage of card numbers on sales orders and invoices, FPLTC; and a fourth table related to storage of card numbers on accounting documents, BSEGC. This targeted coverage in only four tables leaves card number data in other standard SAP tables and in custom tables unencrypted and exposed.

• Limited Algorithms. Only three encryption algorithms are made available by SAP, and they may not meet the PCI DSS definition of strong cryptography due to the inability to verify the actual algorithm being utilized.

• Limited Flexibility. SAP's offering supports only software-based cryptography, leaving no possibility to use hardware-based cryptography components that are fast becoming the standard for their additional security benefits.

• No Predefined Integration Point. For organizations interested in integration of best-of-breed third party encryption solutions, SAP provides no single, predefined point of integration. The CCNUM domain is not the only domain in which credit card numbers will be found, so multiple integration points will be required.

• Downtime for Key Rotation. SAP only supports a single encryption key at a time, which is stored in a .pse file. This presents a significant challenge to meeting the annual key rotation requirement found in PCI Section 3.6.4. To rotate encryption keys, SAP must be taken offline so each credit card number can be manually decrypted with the old key and re-encrypted with the new key. Order-entry and billing processes must be discontinued during this time to avoid storing credit card numbers in clear text, or to avoid failed authorization and settlement resulting from mismatched keys.
The Mandate: Keep Cardholder Data Storage to a Minimum
The challenges presented in the prior section are significant for SAP organizations. For those that also store credit card numbers in other systems outside of SAP, the encryption challenge grows exponentially more imposing.

Rule 3.1 of the PCI standard advises that organizations “Keep cardholder data storage to a minimum.” To do so, organizations must first identify precisely where all payment data is stored. While this may seem simple, for many large enterprises it is anything but. In fact, for a large enterprise the data discovery process can take months of staff time to complete.
While rule 3.1 of PCI speaks to common sense—that is, don't keep sensitive data where it's not required—the reality for many organizations is that retention of credit card data in multiple locations is critical to a host of business processes. For most business-to-business transactions, credit card numbers are required throughout the entire order-to-cash process. Some retailers require the data for returns, disputes, and fraud protection. For these organizations the reality is that credit card data must be stored in many separate and distributed systems, making the encryption requirements of PCI section 3.1 onerous and expensive. It's simple: the more repositories that house credit card information, the more points of exposure and the higher the cost of encryption and PCI.

But what if there was an alternative for these organizations? What if there was a way to take 3.1 a step further, and remove credit card numbers from all disparate systems, while at the same time enabling all essential business processes to continue as needed? Some organizations have done this very thing—by adopting a new approach to encryption management. The following section offers an overview of this approach, outlining how it works, some of its benefits, how it compares to traditional encryption methods, and more.
A New Approach to Encryption Management for Heterogeneous SAP Environments
Today, there's a new approach to encryption management that offers an array of benefits, both in terms of security and ease of administration. This approach focuses on using an encryption management server to control and manage not only encryption keys, but the underlying data. This approach is based on two key facets that deliver value throughout an enterprise:
Centralization. All credit card numbers stored in SAP and other business applications and databases are removed from those systems and placed in a highly secure, centralized encryption management server that can be protected and monitored utilizing robust encryption technology.

Tokenization. Each credit card number that previously resided in SAP or other applications is replaced with a token that references the credit card number. A token can be thought of as a claim check that an authorized user or system can use to obtain the associated credit card number. In the event of a breach of one of the business applications or databases, only the tokens could be accessed, which would be of no value to a would-be attacker.
[Figure: Before Centralization and Tokenization. Panels: SAP, Web Store, Payment App, each with its own Encryption component. Caption: Encryption and key management technology must be implemented on each system in which credit card numbers are stored.]

[Figure: After Centralization and Tokenization. Panels: SAP, Web Store, Payment App, sharing a single Encryption component. Caption: Encryption and key management technology must only be implemented in a single, centralized system.]
Benefits of Centralizing and Tokenizing Data

By implementing this encryption management server approach, companies can realize a range of benefits, including a reduced impact of PCI on SAP, improved security, optimized application integration and performance, and simplified administration.
Reduced Impact of PCI on SAP

By removing stored credit card information from SAP and other systems to a centralized server, the majority of focus and energy for PCI compliance will be on the centralized server. SAP no longer bears the full weight of PCI requirements, nor subsequent modifications that could be determined by a PCI audit.

Improved Security

By centralizing and tokenizing data, organizations gain these security benefits:

• Minimized exposure of data. As mentioned above, PCI requirement 3.1 requires that organizations keep payment data in the minimum number of locations, and this approach addresses this requirement fully. Security is immediately strengthened by minimizing the number of potential targets for would-be attackers.
• Segregation of card data from applications. Unencrypted data never resides in SAP or other applications. SAP users never see payment data in clear text unless they have specific, valid authority.

• Reduced exposure of keys. PCI requirements 3.5.1 and 3.5.2 mandate that access to keys is restricted to the fewest number of custodians and that keys are stored securely in the fewest possible locations. By centralizing keys on a secure server, an encryption management server optimally addresses these requirements.

• Impact of breach limited. With this approach, if an attacker somehow bypasses both the token and encryption, they will only have access to one card number. In contrast, with many encryption solutions, if an attacker gains access to one cryptographic key, they can potentially decrypt thousands or even hundreds of thousands of records.
Optimized SAP Performance and Availability
Through employing an encryption management server, organizations can enjoy a range of advantages in integration and performance:
• Improved application processing. Tokens can be passed between SAP and other applications without requiring any encryption or decryption, thus also providing encryption "on-the-wire" at system integration points. Further, SAP is freed from having to do resource-intensive cryptographic processing. This can significantly streamline transactions across the enterprise.
• Optimized application availability. Full key rotation can be realized without SAP downtime, as this will occur in a separate system entirely.
• Smart tokens. Smart tokens, tokens that feature embedded strings, can be used and can eliminate the need to do frequent decryption of data for reporting and related purposes.
Simplified Administration
Tokenization significantly eases the administrative burden of encryption, offering a range of administrative advantages:
• Minimized compliance requirements. By removing payment data from disparate repositories, the cost of PCI is drastically reduced. Instead of implementing encryption, managing keys, and implementing policies on multiple systems, only one central server will be the focus of PCI encryption efforts.
• Streamlined key management. All keys and policies can be managed centrally, as opposed to having keys in multiple, distributed locations. This makes such PCI-required tasks as key revocation and rotation much faster and easier.
• Centralized log management. With an encryption management server, administrators gain one centralized location that contains information on all decryption requests, which significantly eases compliance audits as well as surveillance and remediation efforts.
How Credit Card Processing in SAP Works with an Encryption Management Server
One of the more difficult issues with encrypting credit card data at rest is that the data must often be decrypted for standard business routines, such as recurring payments or repeat purchases. Without the proper mechanisms in place, this ongoing need for decryption can present a range of challenges, such as slow application response, the potential for unauthorized access, and complexity in application development.
With an encryption management server, organizations can address the need for decryption while avoiding these challenges. The diagram below depicts how the encryption management server would support payment processing in an SAP environment.
[Diagram: Payment Processing with Encryption Management Server. Components shown: SAP, payment application, central repository (encryption), payment processor.]
1. Request for credit card authorization originates in SAP.
2. Token associated with that credit card is sent to the SAP-certified payment processing application.
3. Payment processing application submits the token to the central repository and requests the decrypted credit card number.
4. Central repository returns the encrypted number to the payment application.
5. Payment application submits the credit card number to the payment processor for authorization.
6. Authorization is returned to the payment processing application, which sends it to SAP.
How an Encryption Management Server Compares with Traditional Encryption Approaches
Many security professionals have either deployed or are familiar with such traditional approaches as application encryption and database encryption. How does the approach outlined in the previous section compare to these traditional approaches? Following is an overview of the differences, and how these solutions can work in concert together.
Application Encryption
Application encryption is an approach in which encryption and decryption of the data takes place within the SAP application. The data is encrypted or decrypted by SAP every time it is written to or retrieved from the database. As a result, the data residing on the database is always encrypted.
Once an organization has employed an encryption management server, SAP no longer directly participates in any cryptographic operations. The application relies on the central token server to manage cryptographic operations and key management processes. This means SAP does not require local cryptographic technology and so is spared the management and performance issues associated with encryption.
With this approach, a central server issues a token to replace the credit card number in SAP. A benefit of this approach is that there is no need to encrypt or decrypt at every step in the SAP workflow, but only when the unencrypted number is specifically needed, such as for payment processing. The token becomes a surrogate for the credit card number itself and may even be exchanged with other applications in the enterprise as if it were a real credit card number—without the overhead of decryption and re-encryption, or the risk of exposure. Also, by replacing the card number with a token in the same SAP database table field, there is no additional database space required.
Database Encryption
Database encryption is an approach to encrypting data at rest in which encryption and decryption is handled at the SAP database server level, rather than at the application level. The data to be protected is encrypted every time it passes from the application to the database. Likewise, as data is requested from the SAP database, it is decrypted before being returned to the application. The data is only in an encrypted state when it's at rest in the database. Application processing happens independently of encryption and decryption, with all data stored unencrypted in SAP's memory.
When an encryption management server is deployed, SAP interfaces with the central server as described in the previous section. The SAP database no longer requires means for cryptography and key management, with all intelligence for encryption being centralized within the encryption management server. Again, this centralized server interfaces with other databases and applications by issuing a token in place of the credit card number.
This approach offers significant benefits over traditional database encryption. First, unencrypted payment data is removed from the SAP application and database at all times, which boosts security. Second, cryptographic processing is completely removed from the SAP servers, which enhances application and database performance.
Implementation Requirements
To implement this new encryption management approach for heterogeneous SAP environments, an organization must deploy a single, secure server that will house all credit card data and will act as the central system for managing keys, tokens, and security policies. Following are the core capabilities that this centralized server must include:
• SAP interface. An encryption management server must have the capability to extract the credit card number when it enters SAP in the normal business workflow and then replace it with a token. This will require a custom remote function call (RFC) that involves a conversion exit when the credit card number is entered into SAP. Integration with the CCNUM domain provides access to more than 160 standard tables, but as noted earlier more domain integrations will likely be required. Modifications to SAP at the code level for this approach are usually minimal and limited to the RFC, with no modifications required for cryptographic functions.
• Non-SAP interface. For most other applications, a Web Services interface will be required that functions much like the SAP RFC.
• Token management. The encryption management server should include an application for issuing tokens, which should be a maximum 25-digit number to match the field length for credit card numbers in SAP. Where other data with varying lengths needs to be encrypted, the server should accept a source-system generated token that uses a unique identifier for that specific field, such as primary bank account number.
• Manage and rotate keys. Ensure that the server can automate routine key management tasks and intelligently handle key rotation, or that it can be integrated with third-party solutions that deliver these capabilities.
• Logging. The server should track all decryption activity to provide an audit trail specifying who has decrypted sensitive payment data.
• Secure access. Capabilities need to be in place to ensure that only authorized staff can access administrative functions.
• Performance and high availability. The server should support high volumes of encryption routines and token requests without impeding the performance of associated applications and workflow. In addition, the server should be enabled for continuous processing, even in the event of a server outage.
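The token flow in the payment-processing diagram and the server capabilities listed above (tokenize on entry, detokenize only for an authorized caller, log every decryption request, rotate keys without changing the token SAP holds) are illustrated by the following added Python sketch. It is not Paymetric's or XiSecure's code; the HMAC-based stream cipher, the Luhn-failing "smart token" layout, the principal names and the test card number are assumptions standing in for a vetted AES-GCM implementation and real data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PAN_FIELD_MAX = 25  # whitepaper: tokens are at most 25 digits to fit SAP's card field


def luhn_valid(digits: str) -> bool:
    """Luhn check; used so an issued token can never be a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption:
    a production server would use AES-GCM from a vetted library)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class Record:
    key_version: int   # which vault key encrypted this record
    nonce: bytes
    ciphertext: bytes
    tag: bytes         # encrypt-then-MAC integrity tag


class EncryptionManagementServer:
    """Central repository: holds keys and encrypted card numbers, issues tokens."""

    def __init__(self, authorized: set[str]):
        self.keys: dict[int, bytes] = {1: secrets.token_bytes(32)}
        self.current = 1
        self.vault: dict[str, Record] = {}
        self.audit: list[tuple[str, str, str]] = []  # (action, requester, token)
        self.authorized = set(authorized)            # who may detokenize

    def _encrypt(self, pan: str) -> Record:
        key = self.keys[self.current]
        nonce = secrets.token_bytes(12)
        pt = pan.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
        tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        return Record(self.current, nonce, ct, tag)

    def _decrypt(self, rec: Record) -> str:
        key = self.keys[rec.key_version]
        expect = hmac.new(key, b"tag" + rec.nonce + rec.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, rec.tag):
            raise ValueError("ciphertext integrity check failed")
        ks = _keystream(key, rec.nonce, len(rec.ciphertext))
        return bytes(a ^ b for a, b in zip(rec.ciphertext, ks)).decode()

    def tokenize(self, pan: str, requester: str) -> str:
        """Called from the SAP conversion exit: card number in, token out."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        while True:
            # "smart token": random digits plus the real last four, so reports
            # can show the last four without any decryption (assumed layout)
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self.vault and not luhn_valid(token):
                break
        assert len(token) <= PAN_FIELD_MAX
        self.vault[token] = self._encrypt(pan)
        self.audit.append(("tokenize", requester, token))
        return token

    def detokenize(self, token: str, requester: str) -> str:
        """Only the payment application may recover a number; every request is logged."""
        if requester not in self.authorized:
            self.audit.append(("denied", requester, token))
            raise PermissionError(f"{requester} may not decrypt card data")
        if token not in self.vault:
            raise KeyError("unknown token")
        self.audit.append(("decrypt", requester, token))
        return self._decrypt(self.vault[token])

    def rotate_keys(self) -> int:
        """Re-encrypt every record under a new key; tokens held by SAP never change."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        for token, rec in self.vault.items():
            self.vault[token] = self._encrypt(self._decrypt(rec))
        for old in [v for v in self.keys if v != self.current]:
            del self.keys[old]  # retire the old key once nothing references it
        return self.current
```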
Hurdles to Developing a Centralized Encryption Management Server
Developing all the capabilities outlined above can present significant challenges if a security team seeks to build a solution in-house. Following are a few of the biggest hurdles an internal team could face in this endeavor:
• Developing application interfaces. Developing a custom RFC for SAP and a Web Services interface for other applications may require unique expertise and consume significant resources. Consideration must be made for how this interface will affect business workflow, SAP tables, and overall application performance.
• Developing token applications. Writing an application that is capable of issuing and managing tokens in heterogeneous environments and that can support multiple field-length requirements can be complex and challenging. Further, ongoing support of this application could be time consuming and difficult.
• Development time. Allocating dedicated resources to this large undertaking and covering for responsibilities this staff would otherwise be fulfilling could present logistical, tactical, and budgetary challenges.
• Development expertise. For many organizations, locating the in-house expertise to develop such complex capabilities as key management, token management, policy controls, and heterogeneous application integration can be very difficult.
• Accommodating new algorithms. Over time, an organization's security needs change, and so the cryptographic algorithms or encryption mechanisms in use may also change. Once initial development has been done, the development team may need to add capabilities for integrating with a new protocol or encryption solution, which may entail a substantial rewrite of the application in use.
• Minimizing impact on application performance. Writing code that interfaces with multiple applications while minimizing the performance impact on those applications presents an array of challenges.
• Maintaining software upgrades and updates. The overhead of maintaining and enhancing a security product of this complexity can ultimately represent a major resource investment and a distraction from an organization's core focus and expertise.
These challenges are significant and can severely undermine the value of an encryption management server. For security administrators looking to gain the benefits of centralization and tokenization, without having to develop and support their own encryption management server, Paymetric offers an off-the-shelf solution called XiSecure.
An Introduction to XiSecure
Paymetric's XiSecure is a breakthrough encryption management solution for centralizing and tokenizing credit card data across an enterprise. XiSecure works exactly as described in this document: it removes credit card numbers from distributed business applications, replaces them with tokens, and stores the numbers in a centralized, highly secure server.
A complete solution that features integrated hardware, software, operating system, and database, XiSecure offers all the following critical capabilities:
• SAP R/3 and SAP ERP interfaces
• Token management software
• Third party encryption and key management interfaces
• Logging and secure access features
• Web Services interfaces
• Encryption and key management software
• High availability features
In short, XiSecure offers all the benefits discussed in this whitepaper—with the additional value of rapid time to implementation and on-going maintenance and support.
How Does XiSecure Work?
[Diagram: XiSecure server connected to CRM, ERP, SAP, and Web applications; no credit card numbers remain in business apps.]
XiSecure removes credit card numbers from distributed business applications and replaces them with tokens. The credit card numbers are then stored in a centralized XiSecure server. Credit card numbers are encrypted and managed within the XiSecure server. Key management and key rotation can occur within the XiSecure server, without application downtime.
Conclusion
Whether a security administrator is tasked with complying with the PCI standard, adhering to another standard such as HIPAA or GLBA, or is simply looking to optimize the security of sensitive information, encryption is essential. Companies with heterogeneous SAP environments that adopt an approach to encryption in which sensitive data is centralized and tokenized gain significant benefits in terms of security, efficiency, and cost savings. Paymetric's XiSecure represents a commercial product that enables organizations to quickly and easily harness the benefits of centralization and tokenization—and so minimize exposure, strengthen security, and dramatically reduce the cost of encryption.
About Paymetric
Paymetric, Inc. provides innovative software for managing, protecting, and integrating payment card transactions in enterprise systems, most notably SAP. The company combines proven expertise in ERP payment processes with powerful software and services to improve return on card acceptance, optimize purchasing card programs, and reduce barriers to compliance.
To learn more about our innovative payment card solutions, visit: www.paymetric.com
Paymetric, Inc. / 13430 Northwest Freeway, Suite 900 / Houston, Texas 77040 / tel 713-895-2000 / fax 713-895-2001 / www.paymetric.com
XS/WP/PCI COMPLIANCE WHITE PAPER SAP/1-2008
Copyright 2008 Paymetric, Inc. All rights reserved. Paymetric, XiPay, XiPay Extensions, XiPay Cartridges, XiBuy, XiSecure, and Paymetric Solutions are either registered trademarks, service marks, or trademarks of Paymetric, Inc. in the United States and/or other countries. SAP and mySAP are registered trademarks of SAP AG. All other trademarks appearing on this document are the property of their respective owners. The names of third parties and their products referred to herein may be trademarks or registered trademarks of such third parties. All information provided herein is provided "AS-IS" without any warranty.