Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric

More documents

Recommendations

Info

• Segregation <strong>of</strong> card data from applications. Unencrypted data never resides in SAP or o<strong>the</strong>r applications. SAP users never see payment data in clear text unless <strong>the</strong>y have specific, valid authority. • Reduced exposure <strong>of</strong> keys. <strong>PCI</strong> requirements 3.5.1 and 3.5.2 mandate that access to keys is restricted to <strong>the</strong> fewest number <strong>of</strong> custodians and that keys are stored securely in <strong>the</strong> fewest possible locations. By centralizing keys on a secure server, an encryption management server optimally addresses <strong>the</strong>se requirements. • <strong>Impact</strong> <strong>of</strong> breach limited. With this approach, if an attacker somehow bypasses both <strong>the</strong> token and encryption, <strong>the</strong>y will only have access to one card number. In contrast, with many encryption solutions, if an attacker gains access to one cryptographic key, <strong>the</strong>y can potentially decrypt thousands or even hundreds <strong>of</strong> thousands <strong>of</strong> records If an attacker somehow bypasses both <strong>the</strong> token and encryption, <strong>the</strong>y will have access to only one card number. Optimized SAP Performance and Availability Through employing an encryption management server, organizations can enjoy a range <strong>of</strong> advantages in integration and performance: • Improved application processing. Tokens can be passed between SAP and o<strong>the</strong>r applications without requiring any encryption or decryption, thus also providing encryption “on-<strong>the</strong>-wire” at system integration points. Fur<strong>the</strong>r, SAP is freed from having to do resourceintensive cryptographic processing. This can significantly streamline transactions across <strong>the</strong> enterprise. • Optimized application availability. Full key rotation can be realized without SAP downtime as this will occur in a separate system entirely. • Smart tokens. Smart tokens, tokens that feature embedded strings, can be used and can eliminate <strong>the</strong> need to do frequent decryption <strong>of</strong> data for reporting and related purposes. Simplified Administration Tokenization significantly eases <strong>the</strong> administrative burden <strong>of</strong> encryption, <strong>of</strong>fering a range <strong>of</strong> administrative advantages: • <strong>Minimize</strong>d compliance requirements. By removing payment data from disparate repositories, <strong>the</strong> cost <strong>of</strong> <strong>PCI</strong> is drastically reduced. Instead <strong>of</strong> implementing encryption, managing keys, and implementing policies on multiple systems, only one central server will be <strong>the</strong> focus <strong>of</strong> <strong>PCI</strong> encryption efforts. Tokens can be passed between SAP and o<strong>the</strong>r applications without requiring any encryption or decryption... • Streamlined key management. All keys and policies can be managed centrally, as opposed to having keys in multiple, distributed locations. This makes such <strong>PCI</strong>-required tasks as key revocation and rotation much faster and easier. © 2008 Paymetric, Inc. All rights reserved. .
<strong>Minimize</strong> <strong>the</strong> <strong>Impact</strong> <strong>of</strong> <strong>PCI</strong> <strong>Section</strong> 3 on SAP Applications • Centralized log management. With an encryption management server, administrators gain one centralized location that contains information on all decryption requests, which significantly eases compliance audits as well as surveillance and remediation efforts. How Credit Card Processing in SAP Works with an Encryption Management Server One <strong>of</strong> <strong>the</strong> more difficult issues with encrypting credit card data at rest is that <strong>the</strong> data must <strong>of</strong>ten be decrypted for standard business routines, such as recurring payments or repeat purchases. Without <strong>the</strong> proper mechanisms in place, this ongoing need for decryption can present a range <strong>of</strong> challenges, such as slow application response, <strong>the</strong> potential for unauthorized access, and complexity in application development. With an encryption management server, organizations can address <strong>the</strong> need for decryption while avoiding <strong>the</strong>se challenges. The diagram below depicts how <strong>the</strong> encryption management server would support payment processing in an SAP environment. Payment Processing with Encryption Management Server Request for Credit Card Authorization Originates in SAP Token Associated With that Credit Card Sent to SAP-certified Payment Processing Application Payment Processing Application Submits Token to Central Repository and Requests Decrypted Credit Card Number SAP PAYMENT APPLICATION 1 2 3 4 Central Repository Returns Encrypted Number to Payment Application 1 2 3 4 Payment Application Submits Credit Card Number to Payment Processor for Authorization Encryption # # # # Authorization Returned to Payment Processing Application and <strong>the</strong>n to SAP Authorization Sent to SAP from Payment Processing Application © 2008 Paymetric, Inc. All rights reserved. 10.
Page 1 and 2: Innovative Payment Card Solutions <
Page 3 and 4: Minimize t
Page 7: #### Minimize <str
Page 15: About Paymetric Paymetric, Inc. pro

Minimize the Impact of PCI Section 3 on SAP Applications - Paymetric

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?