Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric

More documents

Recommendations

Info

How an Encryption Management Server Compares with Traditional Encryption Approaches Many security pr<strong>of</strong>essionals have ei<strong>the</strong>r deployed or are familiar with such traditional approaches as application encryption and database encryption. How does <strong>the</strong> approach outlined on page 10 compare to <strong>the</strong>se traditional approaches? Following is an overview <strong>of</strong> <strong>the</strong> differences, and how <strong>the</strong>se solutions can work in concert toge<strong>the</strong>r. Application Encryption Application encryption is an approach in which encryption and decryption <strong>of</strong> <strong>the</strong> data takes place within <strong>the</strong> SAP application. The data is encrypted or decrypted by SAP every time it is written to or retrieved from <strong>the</strong> database. As a result, <strong>the</strong> data residing on <strong>the</strong> database is always encrypted. Once an organization has employed an encryption management server, SAP no longer directly participates in any cryptographic operations. The application relies on <strong>the</strong> central token server to manage cryptographic operations and key management processes. This means SAP does not require local cryptographic technology and so is spared <strong>the</strong> management and performance issues associated with encryption. By replacing <strong>the</strong> card number with a token into <strong>the</strong> same SAP Database Table field <strong>the</strong>re is no additional database space required. With this approach, a central server issues a token to replace <strong>the</strong> credit card number in SAP. A benefit <strong>of</strong> this approach is that <strong>the</strong>re is no need to encrypt or decrypt at every step in <strong>the</strong> SAP workflow, but only when <strong>the</strong> unencrypted number is specifically needed, such as for payment processing. The token becomes a surrogate for <strong>the</strong> credit card number itself and may even be exchanged with o<strong>the</strong>r applications in <strong>the</strong> enterprise as if it was a real credit card number— without <strong>the</strong> overhead <strong>of</strong> decryption and re-encryption, or <strong>the</strong> risk <strong>of</strong> exposure. Also, by replacing <strong>the</strong> card number with a token into <strong>the</strong> same SAP Database Table field <strong>the</strong>re is no additional database space required. Database Encryption Database encryption is an approach to encrypting data at rest in which encryption and decryption is handled at <strong>the</strong> SAP database server level, ra<strong>the</strong>r than at <strong>the</strong> application level. The data to be protected is encrypted every time it passes from <strong>the</strong> application to <strong>the</strong> database. Likewise, as data is requested from <strong>the</strong> SAP database, it is decrypted before being returned to <strong>the</strong> application. The data is only in an encrypted state when it’s at rest in <strong>the</strong> database. Application processing happens independently <strong>of</strong> encryption and decryption, with all data stored unencrypted in <strong>the</strong> SAP’s memory. When an encryption management server is deployed, SAP interfaces with <strong>the</strong> central server as described in <strong>the</strong> previous section. The SAP database no longer Cryptographic processing is completely removed from SAP, which enhances performance. © 2008 Paymetric, Inc. All rights reserved. 11.
<strong>Minimize</strong> <strong>the</strong> <strong>Impact</strong> <strong>of</strong> <strong>PCI</strong> <strong>Section</strong> 3 on SAP Applications requires means for cryptography and key management, with all intelligence for encryption being centralized within <strong>the</strong> encryption management server. Again, this centralized server interfaces with o<strong>the</strong>r databases and applications by issuing a token in place <strong>of</strong> <strong>the</strong> credit card number. This approach <strong>of</strong>fers significant benefits over traditional database encryption. First, unencrypted payment data is removed from <strong>the</strong> SAP application and database at all times, which boosts security. Second, cryptographic processing is completely removed from <strong>the</strong> SAP servers, which enhances application and database performance. Implementation Requirements To implement this new encryption management approach for heterogeneous SAP environments, an organization must deploy a single, secure server that will house all credit card data and will act as <strong>the</strong> central system for managing keys, tokens, and security policies. Following are <strong>the</strong> core capabilities that this centralized server must include: • SAP interface. An encryption management server must have <strong>the</strong> capability to extract <strong>the</strong> credit card number when it enters SAP in <strong>the</strong> normal business workflow and <strong>the</strong>n replace it with a token. This will require a custom remote function call (RFC) that involves a conversion exit when <strong>the</strong> credit card number is entered into SAP. Integration with <strong>the</strong> CCNUM domain provides access to more than 160 standard tables, but as noted earlier more domain integrations will likely be required. Modifications to SAP at <strong>the</strong> code-level for this approach are usually minimal and limited to <strong>the</strong> RFC, with no modifications required for cryptographic functions. • Non-SAP interface. For most o<strong>the</strong>r applications, a Web Services interface will be required that functions much like <strong>the</strong> SAP RFC. • Token management. The encryption management server should include an application for issuing tokens, which should be a maximum 25-digit number to match <strong>the</strong> field length for credit card numbers in SAP. Where o<strong>the</strong>r data with varying lengths needs to be encrypted, <strong>the</strong> server should accept a source-system generated token that uses a unique identifier for that specific field, such as primary bank account number. • Manage and rotate keys. Ensure that <strong>the</strong> server can automate routine key management tasks and intelligently handle key rotation, or that it can be integrated with third-party solutions that deliver <strong>the</strong>se capabilities. An encryption management server must have <strong>the</strong> capability to extract <strong>the</strong> credit card number when it enters SAP in <strong>the</strong> normal business workflow and <strong>the</strong>n replace it with a token. • Logging. The server should track all decryption activity to provide an audit trail specifying who has decrypted sensitive payment data. © 2008 Paymetric, Inc. All rights reserved. 12.
Page 1 and 2: Innovative Payment Card Solutions <
Page 3 and 4: Minimize t
Page 7 and 8: #### Minimize <str
Page 9: Minimize t
Page 15: About Paymetric Paymetric, Inc. pro

Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?