Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric
The Challenges of Encryption in SAP

While most security professionals recognize the merits of encrypting credit card data, they often struggle with the limitations inherent in SAP. The SAP Cryptographic Library (SAPCRYPTOLIB) offers a starting point for native encryption logic in SAP ERP. Basis Administrators can download the library for their operating system and configure SAP to encrypt credit card data. SAP Note 766703 answers frequently asked questions about credit card number encryption logic in the SAP R/3 and SAP ERP products, and other notes offer similar guidance for other SAP products. However, security professionals must still address the limitations of native SAP encryption enumerated below.
• Limited Tables. Encryption functionality in SAP R/3 and SAP ERP secures payment card number data in only four tables: two tables that store card numbers on customer master records, VCKUN and VCNUM; a third table that stores card numbers on sales orders and invoices, FPLTC; and a fourth table that stores card numbers on accounting documents, BSEGC. This targeted coverage of only four tables leaves card number data in other standard SAP tables and in custom tables unencrypted and exposed.

• Limited Algorithms. SAP makes only three encryption algorithms available, and they may not meet the PCI DSS definition of strong cryptography because the algorithm actually in use cannot be verified.

• Limited Flexibility. SAP's offering supports only software-based cryptography, leaving no possibility of using hardware-based cryptographic components (such as hardware security modules), which are fast becoming the standard because of the additional security benefits they provide.

• No Predefined Integration Point. For organizations interested in integrating best-of-breed third-party encryption solutions, SAP provides no single, predefined point of integration. The CCNUM domain is not the only domain in which credit card numbers are found, so multiple integration points are required.

• Downtime for Key Rotation. SAP supports only a single encryption key at a time, stored in a .pse file. This presents a significant challenge to meeting the annual key rotation requirement in PCI DSS Section 3.6.4. To rotate encryption keys, SAP must be taken offline so that each stored credit card number can be decrypted with the old key and re-encrypted with the new key. Order-entry and billing processes must be suspended for the duration, either to avoid storing credit card numbers in clear text or to avoid failed authorizations and settlements caused by mismatched keys.
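The design property behind the last bullet is worth seeing in code. The following Go program is an added illustration and is not code from this paper, from Paymetric, or from SAP: it shows a key-versioned token format in which every ciphertext carries the identifier of the key that protected it, so a new key can be introduced while reads and writes continue, records are re-encrypted incrementally in the background, and the old key is retired only once no record references it. Retiring the old key early reproduces the "mismatched keys" failure described above. The KeyRing type, its methods, and the sample customer records are all constructed for this example (the PANs are test values, not real cards); in a real deployment the key material would be supplied by an HSM or key-management service rather than generated in the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// KeyRing keeps every key version that stored ciphertexts may still reference.
// New writes always use Current; older versions stay readable until every
// record has been re-encrypted, and only then are they retired.
type KeyRing struct {
	keys    map[uint16]cipher.AEAD
	Current uint16
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint16]cipher.AEAD{}} }

// AddKey registers AES key material (16, 24 or 32 bytes) under a new version
// and makes that version current. Re-registering a version is refused.
func (r *KeyRing) AddKey(version uint16, key []byte) error {
	if _, dup := r.keys[version]; dup {
		return fmt.Errorf("key version %d already registered", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	r.keys[version] = aead
	r.Current = version
	return nil
}

// Retire drops a key version. The current version is refused; retiring a
// version that still protects records makes those records unreadable.
func (r *KeyRing) Retire(version uint16) error {
	if version == r.Current {
		return errors.New("cannot retire the current key version")
	}
	delete(r.keys, version)
	return nil
}

// Encrypt returns base64(version[2] || nonce[12] || ciphertext||tag). The
// version prefix is bound as GCM associated data, so it cannot be relabelled
// to point at another key without the tag check failing.
func (r *KeyRing) Encrypt(pan string) (string, error) {
	aead, ok := r.keys[r.Current]
	if !ok {
		return "", errors.New("no current key registered")
	}
	hdr := make([]byte, 2)
	binary.BigEndian.PutUint16(hdr, r.Current)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	blob := append(append(hdr, nonce...), aead.Seal(nil, nonce, []byte(pan), hdr)...)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Decrypt returns the plaintext and the key version that protected it.
func (r *KeyRing) Decrypt(token string) (string, uint16, error) {
	blob, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(blob) < 2 {
		return "", 0, errors.New("malformed token")
	}
	version := binary.BigEndian.Uint16(blob[:2])
	aead, ok := r.keys[version]
	if !ok {
		return "", version, fmt.Errorf("key version %d not available", version)
	}
	ns := aead.NonceSize()
	if len(blob) < 2+ns {
		return "", version, errors.New("malformed token")
	}
	pt, err := aead.Open(nil, blob[2:2+ns], blob[2+ns:], blob[:2])
	if err != nil {
		return "", version, err
	}
	return string(pt), version, nil
}

// Rotate re-encrypts one record under the current key if it was written under
// an older version; records already current are returned unchanged, so the
// sweep is idempotent and can run while the application keeps working.
func (r *KeyRing) Rotate(token string) (string, bool, error) {
	pan, version, err := r.Decrypt(token)
	if err != nil {
		return "", false, err
	}
	if version == r.Current {
		return token, false, nil
	}
	fresh, err := r.Encrypt(pan)
	return fresh, err == nil, err
}

func main() {
	ring := NewKeyRing()
	k1, k2 := make([]byte, 32), make([]byte, 32)
	io.ReadFull(rand.Reader, k1)
	io.ReadFull(rand.Reader, k2)
	_ = ring.AddKey(1, k1)
	store := map[string]string{} // constructed sample records written under v1
	store["cust-1"], _ = ring.Encrypt("4111111111111111")
	store["cust-2"], _ = ring.Encrypt("5500000000000004")
	_ = ring.AddKey(2, k2) // rotation day: v2 is current, order entry continues
	store["cust-3"], _ = ring.Encrypt("340000000000009")
	for id, tok := range store { // background sweep touches only v1 records
		fresh, changed, err := ring.Rotate(tok)
		if err != nil {
			panic(err)
		}
		store[id] = fresh
		fmt.Printf("%s re-encrypted: %v\n", id, changed)
	}
	fmt.Println("retire v1 after sweep:", ring.Retire(1)) // safe only now
}
```

Run it with `go run`; cust-1 and cust-2 report re-encryption, cust-3 (already written under v2) does not, and v1 is retired without any record becoming unreadable. Calling Retire(1) before the sweep would instead leave cust-1 and cust-2 failing to decrypt, which is the outage the single-key design forces an operator to avoid by stopping order entry.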
© 2008 Paymetric, Inc. All rights reserved.