Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric

More documents

Recommendations

Info

<strong>Minimize</strong> <strong>the</strong> <strong>Impact</strong> <strong>of</strong> <strong>PCI</strong> <strong>Section</strong> 3 on SAP Applications A New Approach to Credit Card Encryption Contents Introduction .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 <strong>PCI</strong> Requirement 3: The Biggest Obstacle to Compliance . . . . . . . . . . . 4 The Challenges <strong>of</strong> Encryption .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 The Mandate: Keep Cardholder Data Storage to a Minimum .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 A New Approach to Encryption Management for Heterogeneous SAP Environments .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 An Introduction to XiSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Conclusion .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Encryption represents one <strong>of</strong> <strong>the</strong> most important mandates for <strong>PCI</strong> compliance—and it also represents one <strong>of</strong> <strong>the</strong> most difficult requirements to implement successfully and cost effectively for companies that run SAP. This paper describes a new approach to managing encrypted data in SAP that significantly streng<strong>the</strong>ns an organization’s security posture, while minimizing <strong>the</strong> impact <strong>of</strong> <strong>PCI</strong> compliance on SAP. © 2008 Paymetric, Inc. All rights reserved. .
<strong>Minimize</strong> <strong>the</strong> <strong>Impact</strong> <strong>of</strong> <strong>PCI</strong> <strong>Section</strong> 3 on SAP Applications <strong>PCI</strong> Requirement 3: The Biggest Obstacle to Compliance With <strong>the</strong> advent <strong>of</strong> <strong>the</strong> Payment Card Industry Data Security Standard (<strong>PCI</strong> DSS), encrypting stored credit card numbers is no longer optional. Any company that stores, processes, or transmits credit card information—regardless <strong>of</strong> size or volume <strong>of</strong> transactions—must encrypt stored credit card data or face serious consequences for non-compliance, including fines <strong>of</strong> up to $500,000, <strong>the</strong> loss <strong>of</strong> brand integrity, and erosion <strong>of</strong> market value. While <strong>the</strong> <strong>PCI</strong> standard <strong>of</strong>fers broad guidance—featuring rules on <strong>the</strong> proper use <strong>of</strong> firewalls, computer access controls, antivirus s<strong>of</strong>tware, and more—it is <strong>the</strong> encryption requirements that are proving to be among <strong>the</strong> most difficult for organizations to address. According to a study conducted by Verisign Global Security Consulting Services, failure to address <strong>the</strong> data encryption requirements found in section 3 <strong>of</strong> <strong>PCI</strong> is <strong>the</strong> most common reason for failing a <strong>PCI</strong> audit: “Companies were most frequently non-compliant with Requirement 3 <strong>of</strong> <strong>the</strong> <strong>PCI</strong> Data Security Standard; 79 percent <strong>of</strong> <strong>the</strong> failed assessments did not meet <strong>the</strong> requirement to protect stored data (that is, <strong>the</strong>y did not encrypt data).” — Lessons Learned: Top Reasons for <strong>PCI</strong> Audit Failure and How to Avoid Them, Verisign Global Security Consulting Services. “Companies were most frequently non-compliant with Requirement 3 <strong>of</strong> <strong>the</strong> <strong>PCI</strong> Data Security Standard; 79 percent <strong>of</strong> <strong>the</strong> failed assessments did not meet <strong>the</strong> requirement to protect stored data (that is, <strong>the</strong>y did not encrypt data).” Selected <strong>Section</strong> 3 Requirements that Centralization and Tokenization Helps Address What does requirement 3 say, and why is it so challenging? Titled “Protect Stored Cardholder Data”, this requirement focuses on all <strong>the</strong> aspects essential to ensuring that stored payment data remains safe. This requirement applies to essentially any system in which card holder data is stored, including applications, databases, backup tapes, and portable digital media. Requirement 3 includes <strong>the</strong>se mandates: • <strong>Minimize</strong> <strong>the</strong> amount <strong>of</strong> credit card information stored. • Encrypt credit card data that remains stored. • Protect encryption keys against both disclosure and misuse. • Implement sound key management processes. • Rotate encryption keys annually. Rule Requirement 3.0 Encryption is a critical component <strong>of</strong> cardholder data protection. 3.1 Keep cardholder data storage to a minimum. 3.4 Render account number unreadable through… strong cryptography and associated key management 3.5 Restrict access to keys to <strong>the</strong> fewest number <strong>of</strong> custodians necessary 3.5.2 Store keys securely in <strong>the</strong> fewest possible locations and forms 3.6 Fully document and implement all key management processes and procedures for keys used for encryption <strong>of</strong> cardholder data 3.6.4 Periodic changing <strong>of</strong> keys…at least annually © 2008 Paymetric, Inc. All rights reserved. .
Page 1: Innovative Payment Card Solutions <
Page 5 and 6: Minimize t
Page 7 and 8: #### Minimize <str
Page 15: About Paymetric Paymetric, Inc. pro

Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?