Secure handling of credit card data in ERP
Symptom
Secure handling of credit card data in ERP
Other terms
Payment cards, business partner, CCARD, PCA_MASTER, credit cards, encryption, masking
Reason and Prerequisites
Security standards for the payment card industry
Solution
Table of contents
1. Background
2. Features
3. Availability
4. Constraints
5. System setup
1. Background
Information about payment cards is stored in various applications of the ERP system. Customizing settings provide various levels of security to protect this data.
The existing options for saving encrypted payment card numbers in selected applications, such as the encryption of payment card data in the customer master record, are retained unchanged. The enhancements described in the following section are available in addition.
2. Features
Master Data for Business Partner
Previously, only CRM systems allowed payment card numbers in the business partner master data to be encrypted. This option now also exists in ERP systems, and data that is already saved can be converted and encrypted.
Other Stored Payment Card Data
In many applications, payment card numbers are stored together with other payment card data, such as the card holder and the validity period. The following Customizing settings apply to these applications.
Security Level
You can select from the following settings:
o No additional security measures
o Masked display, no encrypted storage
o Masked display and encrypted storage
Masked display means that the system hides part of the number when displaying or changing objects that contain a payment card number. For example, the system can display the value 1111********4444 instead of the card number 1111222233334444. You can set the number of visible characters at the start and end of the payment card number. The security standards for the payment card industry require that at most six characters be visible at the start and at most four at the end.
Unmasked Display
If card numbers are displayed in masked form, it may occasionally be necessary to display the full number without masking. For this purpose, SAP provides the function Display Card Number Unmasked in a number of transactions. You can define two settings for this function in Customizing:
o Access log
o Additional authorization check
Each display of an unmasked payment card number can be recorded in an access log. This lets you trace which user displayed which payment card number, and when.
You can use an additional authorization check on authorization object B_CCSEC to restrict who may use the unmasked display.
Access Logs
Access to payment card data can be evaluated with report RCCSEC_LOG_SHOW or transaction CCSEC_LOG_SHOW. To evaluate the access log, a user requires authorization for activity 71 in authorization object B_CCSEC.
Log records can be deleted once they are at least one year old, using report RCCSEC_LOG_DEL or transaction CCSEC_LOG_DEL. To run the deletion report, you need authorization for object B_CCSEC with activity 06.
Further Migration Programs
For all objects that could previously store payment card numbers unencrypted, the rule is now that the card numbers of all new objects are encrypted as soon as an appropriate security level is set. Your data records will then contain both unencrypted payment card numbers (old records) and encrypted payment card numbers (new records). This is not a functional restriction, because the application programs can work with this mixed status. Further migration programs are also provided for selected applications; they follow the naming convention RCCSEC_MIGRATION_*.
For more information, see the documentation for the migration programs.
Other System Settings
You can decide whether you want encryption for each card type (AMEX, MC, VISA). The appropriate column is only visible if encryption for payment cards is already set up in the business partner (meaning that the migration program has been executed), or if you have set up encrypted storage for other data records using the security level. You set this up in the Implementation Guide for Cross-Application Components under Payment Cards -> Basic Settings -> Maintain Payment Card Type.
Impact for applications using credit card data
See the related notes section for more information on how the ERP applications support the new features.
3. Availability
The functionality is provided via support packages for SAP ERP 6.0 (formerly SAP ERP 2005) and subsequent Enhancement Packages. The enhancements cannot be implemented manually.
To use the enhancements, you must import the following support packages for the software components in use (the information in brackets states whether the package is mandatory).
SAP ERP 6.0
SAP APPL 600 SP11 (must)
SAP HR 600 SP22 (must)
EA-APPL 600 SP11 (must)
EA-HR 600 SP22 (must)
EA-PS 600 SP11 (only if in use)
EA-RETAIL 600 SP11 (only if in use)
IS-OIL 600 SP11 (only if in use)
IS-M 600 SP11 (only if in use)
IS-UT 600 SP11 (only if in use)
IS-PS-CA 600 SP11 (only if in use)
FI-CA 600 SP11 (only if in use)
FI-CAX 600 SP11 (only if in use)
INSURANCE 600 SP11 (only if in use)
FINBASIS 600 SP11 (must)
SAP ERP Enhancement Package 2005.2
SAP APPL 602 SP01 (must)
SAP HR 600 SP22 (must)
EA-APPL 602 SP01 (must)
EA-HR 602 SP01 (must)
EA-PS 602 SP01 (only if in use)
EA-RETAIL 602 SP01 (only if in use)
IS-OIL 602 SP01 (only if in use)
IS-M 602 SP01 (only if in use)
IS-UT 602 SP01 (only if in use)
FI-CA 602 SP01 (only if in use)
FI-CAX 602 SP01 (only if in use)
FINBASIS 602 SP01 (must)
ERP 2005 Enhancement Package 3
SAP APPL 603
SAP HR 600 SP22 (must)
EA-APPL 603
EA-HR 603
EA-PS 603
EA-RETAIL 603
IS-OIL 603
IS-M 603
IS-UT 603
IS-PS-CA 603
FI-CA 603
FI-CAX 603
INSURANCE 603
FINBASIS 603
SAP NETWEAVER 7.0 (2004S)
SAP_ABA 700 SP14 (must)
For the availability of the enhancements for the Travel Management application, refer to the prerequisites mentioned in SAP note 1066751.
Furthermore, enhancements to the BI content for POS Data Management have been made; they will be supplied with BI_CONT 7.03 SP08.
4. Constraints
n/a
5. System Setup
You need to apply the support packages mentioned in chapter 3. Do not make use of the functionality if the support packages are not installed; SAP does not guarantee functional correctness in this case.
To save encrypted payment card information in your system, or to allow masked display, proceed as follows.
Security Level Setup
Firstly, set up the security level that you want to use for secure handling of payment card data. You can select from the following settings:
o No additional security measures
o Masked display, no encrypted storage
o Masked display and encrypted storage
Masked display affects all payment card types. If you also choose encrypted storage, this only affects those card types marked as such in Customizing (see Settings for Card Types to Be Encrypted).
Specify how many characters are to be visible at the start and end of the payment card number.
Define whether an additional authorization check is to run when displaying unmasked payment card numbers.
Define whether the system is to log the display of unmasked payment cards.
Maintain the settings with the SM30 transaction, by specifying view V_TCCSEC.
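As an added illustration (not SAP code; the class, function and constant names are this example's own), the following Python models the settings described under Security Level and Unmasked Display in the Features section and set up in the steps above: a masking function that enforces the PCI limit of at most six visible leading and four visible trailing characters, an unmasked-display function that applies the additional authorization check and writes an access-log entry, and a deletion routine that removes only log records at least one year old. Whether the real access log stores the full or the masked number is not stated on this page; this model stores the masked form.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# The three security levels offered in Customizing (constant names are this example's own).
NO_SECURITY = 0
MASKED_ONLY = 1
MASKED_AND_ENCRYPTED = 2

# PCI limit quoted in the text: at most 6 leading and 4 trailing characters visible.
PCI_MAX_VISIBLE_START = 6
PCI_MAX_VISIBLE_END = 4


@dataclass(frozen=True)
class SecuritySettings:
    """Hypothetical counterpart of the settings maintained in view V_TCCSEC."""
    level: int
    visible_start: int
    visible_end: int
    extra_auth_check: bool      # additional B_CCSEC check before unmasked display
    log_unmasked_display: bool  # write an access-log record for each unmasked display

    def __post_init__(self) -> None:
        if self.visible_start < 0 or self.visible_end < 0:
            raise ValueError("visible character counts must not be negative")
        if self.level != NO_SECURITY and (self.visible_start > PCI_MAX_VISIBLE_START
                                          or self.visible_end > PCI_MAX_VISIBLE_END):
            raise ValueError("visible characters exceed the PCI limit (6 start, 4 end)")


def mask_card_number(number: str, settings: SecuritySettings) -> str:
    """Display form of a card number; e.g. 1111222233334444 with 4/4 -> 1111********4444."""
    if settings.level == NO_SECURITY:
        return number
    hidden = len(number) - settings.visible_start - settings.visible_end
    if hidden <= 0:
        # Start and end windows overlap on a short number: show only the tail, never all of it.
        keep = min(settings.visible_end, max(len(number) - 1, 0))
        return "*" * (len(number) - keep) + (number[-keep:] if keep else "")
    tail = number[-settings.visible_end:] if settings.visible_end else ""
    return number[:settings.visible_start] + "*" * hidden + tail


@dataclass(frozen=True)
class AccessLogEntry:
    user: str
    masked_number: str  # this model logs the masked form only (an assumption, not from the text)
    timestamp: datetime


class UnmaskedDisplayService:
    """Model of 'Display Card Number Unmasked' with its access log (hypothetical API)."""

    def __init__(self, settings: SecuritySettings, authorized_users: Set[str]) -> None:
        self.settings = settings
        self.authorized_users = authorized_users  # users holding the B_CCSEC authorization
        self.log: List[AccessLogEntry] = []

    def display_unmasked(self, user: str, number: str, now: datetime) -> str:
        if self.settings.extra_auth_check and user not in self.authorized_users:
            raise PermissionError(f"{user}: no authorization for unmasked display")
        if self.settings.log_unmasked_display:
            self.log.append(AccessLogEntry(user, mask_card_number(number, self.settings), now))
        return number

    def delete_log_records(self, now: datetime, min_age: timedelta = timedelta(days=365)) -> int:
        """Delete only records at least one year old; return the number removed."""
        kept = [e for e in self.log if now - e.timestamp < min_age]
        removed = len(self.log) - len(kept)
        self.log = kept
        return removed


def demo() -> dict:
    """Constructed run: one authorized and one denied display, then log clean-up a year later."""
    settings = SecuritySettings(MASKED_ONLY, 4, 4, extra_auth_check=True, log_unmasked_display=True)
    svc = UnmaskedDisplayService(settings, authorized_users={"AUDITOR"})
    card, t0 = "1111222233334444", datetime(2024, 1, 10, 9, 0)  # constructed sample values
    svc.display_unmasked("AUDITOR", card, t0)
    try:
        svc.display_unmasked("CLERK", card, t0)
        denied = False
    except PermissionError:
        denied = True
    later = t0 + timedelta(days=400)
    svc.display_unmasked("AUDITOR", card, later)
    return {"masked": mask_card_number(card, settings), "denied": denied,
            "removed": svc.delete_log_records(now=later), "remaining": len(svc.log)}
```

The PCI limit is checked when the settings object is built rather than at display time, so a 7/4 configuration is rejected before any number is shown; the retention routine keeps anything younger than a year, matching the rule that only records at least one year old may be deleted.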
Note: The steps described in the following section are only necessary if you use the security level ‘Masked Display and Encrypted Storage’.
Encryption Software Setup
The function package SAPCRYPTOLIB contains the functions required for encryption. Install SAPCRYPTOLIB. You can make general settings for running the encryption software in the Implementation Guide for SAP NetWeaver under Application Server -> System Administration -> Maintain Public Key Information for System.
Set up encryption with the SSFA transaction, using the PAYCRD application in this step. Create the PSE via transaction STRUST and make sure that you use the RSA algorithm.
For more information, see SAP note 662340.
Settings for Card Types to Be Encrypted
Define which card types are to be stored encrypted. You make this setting with the IMG path Cross-Application Components -> Payment Cards -> Basic Settings -> Maintain Payment Card Type.
Migration of Payment Card Data in Business Partner Master Data
If you use the SAP Business Partner, migration is necessary for the encrypted storage of the payment card data defined for the business partner. To do this, execute the migration program RCC_MIGRATION.
Note that the business partner data must be migrated completely, and that no payment card information for the business partner can be changed when migrating.
Do not overlook the following important note:
It is not possible to use the system during migration, or after a partially successful migration of business partner data. We cannot predict how the processing programs will react and severe inconsistencies can occur.
The migration program copies the payment card data to new database tables. Encrypted storage can take place directly during migration, or can be performed later with the program PCA_MASS_CRYPTING.
In order to allow you to execute the migration program, you require an access code that SAP will supply on request. To do this, enter a customer message under the component AP-MD-PCA and refer to this note.
The migration program transfers credit card data from the database table CCARD to the database tables PCA_* and makes further necessary system settings. After the migration program has ended normally, no more entries exist in the database table CCARD. For security reasons, the system stores a security copy of the table entries in the table CCARD_COPY. Once you have ensured that the system is functioning correctly after migration, you can delete the security copy with the program RCC_MIGRATION_DEL_COPY.
Note: Even if you have not yet defined payment card data in the business partner master records – during installation, for example – but data is to be stored encrypted in the future, you must execute the migration program.
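The following Python is an added illustration of the migration and mixed-status behaviour described in this section and under Further Migration Programs above; it is not SAP code. The table names CCARD, CCARD_COPY, PCA_* and CCSEC_ENC follow the text; the record layout, the methods and the per-card-type flag are this example's own assumptions. The cipher is a stand-in (a SHA-256 counter-mode keystream XORed over the value) that replaces the SSF/SAPCRYPTOLIB call the real system makes through the PAYCRD application; it is there only so the example runs offline.

```python
import hashlib
import os
import uuid
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for the SSF/SAPCRYPTOLIB call: SHA-256 in counter mode as a keystream.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per value, stored in front of the ciphertext
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class CardRecord:
    partner: str
    card_type: str
    number: Optional[str] = None   # plaintext: legacy row or card type not flagged for encryption
    enc_ref: Optional[str] = None  # reference into CCSEC_ENC once the number is encrypted


class CardStore:
    """Hypothetical model of the tables handled by RCC_MIGRATION and PCA_MASS_CRYPTING."""

    def __init__(self, key: bytes, encrypted_card_types: Iterable[str]) -> None:
        self.key = key
        self.encrypted_card_types = set(encrypted_card_types)  # per-card-type Customizing flag
        self.ccard: Dict[str, CardRecord] = {}       # legacy table CCARD
        self.ccard_copy: Dict[str, CardRecord] = {}  # security copy CCARD_COPY
        self.pca_card: Dict[str, CardRecord] = {}    # new PCA_* tables
        self.ccsec_enc: Dict[str, bytes] = {}        # CCSEC_ENC: reference -> ciphertext

    def _put_encrypted(self, number: str) -> str:
        ref = str(uuid.uuid4())
        self.ccsec_enc[ref] = encrypt(self.key, number.encode())
        return ref

    def store_new(self, rec_id: str, partner: str, card_type: str, number: str) -> None:
        """New records are encrypted immediately if their card type is flagged."""
        rec = CardRecord(partner, card_type)
        if card_type in self.encrypted_card_types:
            rec.enc_ref = self._put_encrypted(number)
        else:
            rec.number = number
        self.pca_card[rec_id] = rec

    def read_number(self, rec_id: str) -> str:
        """Application read that copes with the mixed status of old and new records."""
        rec = self.pca_card[rec_id]
        if rec.enc_ref is not None:
            return decrypt(self.key, self.ccsec_enc[rec.enc_ref]).decode()
        return rec.number or ""

    def migrate_from_ccard(self, encrypt_now: bool) -> int:
        """Model of RCC_MIGRATION: move CCARD rows to PCA_*, keep a copy, leave CCARD empty."""
        moved = 0
        for rec_id, rec in list(self.ccard.items()):
            self.ccard_copy[rec_id] = CardRecord(rec.partner, rec.card_type, rec.number)
            self.pca_card[rec_id] = CardRecord(rec.partner, rec.card_type, rec.number)
            del self.ccard[rec_id]
            moved += 1
        if encrypt_now:
            self.mass_crypting()
        return moved

    def mass_crypting(self) -> int:
        """Model of PCA_MASS_CRYPTING: encrypt plaintext rows of flagged card types; idempotent."""
        done = 0
        for rec in self.pca_card.values():
            if rec.number is not None and rec.card_type in self.encrypted_card_types:
                rec.enc_ref, rec.number = self._put_encrypted(rec.number), None
                done += 1
        return done


def demo() -> dict:
    """Constructed scenario: two legacy rows, migrate unencrypted, encrypt later, add a new row."""
    store = CardStore(key=b"constructed-demo-key", encrypted_card_types={"VISA"})
    store.ccard["1"] = CardRecord("BP0001", "VISA", "4111111111111111")  # constructed test PANs
    store.ccard["2"] = CardRecord("BP0002", "AMEX", "371449635398431")
    moved = store.migrate_from_ccard(encrypt_now=False)
    first_run = store.mass_crypting()
    store.store_new("3", "BP0003", "VISA", "4222222222222")
    return {"moved": moved, "ccard_left": len(store.ccard), "copy_rows": len(store.ccard_copy),
            "first_run": first_run, "second_run": store.mass_crypting(),
            "encrypted": [store.pca_card[i].enc_ref is not None for i in ("1", "2", "3")],
            "readback": [store.read_number(i) for i in ("1", "2", "3")]}
```

The point of the model is the read path: a record carries either a plaintext number or a reference into the encrypted table, so application code reads both old and new rows without knowing whether the mass encryption run has already happened, and the encryption run itself is idempotent. The security copy is kept here; removing it after verification is the separate RCC_MIGRATION_DEL_COPY step the text describes and is not modelled.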
Migration of Further Data
To migrate payment card information that is stored in other, sometimes industry-specific applications, you must use the migration programs that meet the naming convention RCCSEC_MIGRATION_*. The documentation for the programs tells you which migration programs to use for your particular installation.
Archiving
If a payment card number is stored encrypted, the system stores the encrypted value in the database table CCSEC_ENC. The unmasked payment card number can be recovered from the encrypted value; the storage is reversible encryption, not a one-way hash.
You can archive these table entries with the archiving object CA_PCA_SEC. You can specify how far in the past the last usage of the payment card number is to be before the system starts archiving.
After archiving, queries are used for decryption from the archive.