Skip to Content
Author's profile photo Former Member

Enable Credit Card Encryption

We configured the encryption of credit card data primarily based on Note 662340 and 633462. Since quite a few programs and transactions are called, together with system parameter and environment variable changes, it is worth documenting it with detailed steps and screenshots.

Phase 1. Enable SSF encryption using SAPCryptolib

If SSF encryption has been configured before, please jump to Phase 2. Otherwise please follow the procedure below for Windows platform, or Note 662340 for other platforms.

Step 1. Download the SAPcryptolib from – “Download” – “SAP Cryptographic Software”.


Step 2. Copy the library and ticket file

Copy sapcrypto.dll and sapgenpse.exe to C:\usr\sap\SID\SYS\exe\run

Copy the ticket file to C:\usr\sap\SID\DVEBMGSxx\sec

Step 3. Change the environment virable for QASADM and SARServiceQAS


Step 4. Set the profile parameters and restart SAP


Step 5. Check that Tcode STRUST can be called successfully

Phase 2. Configure the encryption of credit card data

Step 1. Specify the applicaiton-specific SSF parameters in Tcode SSFA

Call Tcode SSFA, and specify “Private Address Book” and “SSF Profile Name”


Click on “New Entries” – get to next screen; then select “Encryption of Paymant Card in SAP system”, hit “Enter” key and Save. The default parameters should work.


Step 2. Check the folder “Encryption of Payment Card” created in Tcode STRUST


Step 3. Create PSE by calling program SSF_CREATE_PSE in Tcode SE38

Execute program SSF_CREATE_PSE from Tcode SE38. (We found that it is easier to call SSF_CREATE_PSE than using Tcode STRUST for this step.) Give the distinguished name you want to use. We also selected the longest key length for stronger security.


Step 4. Import/verify the certificate in Tcode STRUST

Call Tcode STRUST, expend “Encryption of Payment Card” on the left and double-click the item  under it, then select the certificate displayed on the right (it should have the distinguished name you gave in the previous step). The self-issued certificate could be used. If you want to use external trust center, click on “Create Certificate Request” to get the request, and click “Improt Cert. Response” after the certificate is generated.

Step 5. Execute report SAPFACCG in Tcode SE38 once

Step 6. Maintain view CCARDEC_V in Tcode SM30

Call Tcode SM30 and maintain view CCARDEC_V. Add VISA, MC, and AMEX as Payment Card Type and check “Encrypted” respectively.


Phase 3. Check the configuration

Execute report CCARDEC_CHECK from Tcode SE38, only select P_TOOLS, and you should get the results like the following


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Venkata Ramisetti
      Venkata Ramisetti
      Great effort. Thanks.
      Author's profile photo Former Member
      Former Member
      HI Victor Lin/Ramakrishna Ramisetti,
      The Blog is very good.
      Can any one of you send the detailed document on Enabling Credit Card Encryption to the following mail
      Still it would be fantastic if you would publish the complete configuration document for Enabling Credit Card Encryption.
      Author's profile photo Former Member
      Former Member
      Hi Victor,

      We followed your instructions step by step but in the database tables, we still see unencrypted credit card number.  We are on enterprise 4.72 system, IS Utilities CCS solution.  We are currently at support pack level SAPKH47025.  The tables we are specifically looking at are CCARD, DFKKOPC, DFKKOPKC.

      We would really appreciate any help you can extend.


      Author's profile photo Aditya Nawathe
      Aditya Nawathe
      Appreciate your publishing this info.
      Author's profile photo Diane Szmurlo
      Diane Szmurlo
      Hi Victor,

      We are running SAP on ISeries and are upgrading to ECC 6.0.  We are trying to implement CC Encryption and I have made it through the technical install of SAPCRYPTO using note 758667 for ISeries.  The problem is in Step 3 of your procedure.  The program SSF_CREATE_PSE does not exist in ECC 6.0. Per note #662340 SAP suggests to use STRUST.  Do you have any update to this blog using STRUST for creating the PSE and following steps?

      Author's profile photo Former Member
      Former Member

      Is the use of SAPCRYPTO limited to credit card encryption? I am working a solution to encrypt SAP IDOC files transmitted (ALE'd) from SAP rel 4.7 to SAP rel 6.0.  We would prefer to encrypt only certain fields within the IDOC and use BADi IDOC_DATA_MAPPER with installing an encryption function in the BADi. Would enabling the lib to encrypt IDOC's be a solution? Or is there other encryption functionality we should consider?