Skip to Content

We configured the encryption of credit card data primarily based on Note 662340 and 633462. Since quite a few programs and transactions are called, together with system parameter and environment variable changes, it is worth documenting it with detailed steps and screenshots.

Phase 1. Enable SSF encryption using SAPCryptolib

If SSF encryption has been configured before, please jump to Phase 2. Otherwise please follow the procedure below for Windows platform, or Note 662340 for other platforms.

Step 1. Download the SAPcryptolib from http://service.sap.com/swdc – “Download” – “SAP Cryptographic Software”.

image

Step 2. Copy the library and ticket file

Copy sapcrypto.dll and sapgenpse.exe to C:\usr\sap\SID\SYS\exe\run

Copy the ticket file to C:\usr\sap\SID\DVEBMGSxx\sec

Step 3. Change the environment virable for QASADM and SARServiceQAS

image

Step 4. Set the profile parameters and restart SAP

image

Step 5. Check that Tcode STRUST can be called successfully

Phase 2. Configure the encryption of credit card data

Step 1. Specify the applicaiton-specific SSF parameters in Tcode SSFA

Call Tcode SSFA, and specify “Private Address Book” and “SSF Profile Name”

image

Click on “New Entries” – get to next screen; then select “Encryption of Paymant Card in SAP system”, hit “Enter” key and Save. The default parameters should work.

image

Step 2. Check the folder “Encryption of Payment Card” created in Tcode STRUST

image

Step 3. Create PSE by calling program SSF_CREATE_PSE in Tcode SE38

Execute program SSF_CREATE_PSE from Tcode SE38. (We found that it is easier to call SSF_CREATE_PSE than using Tcode STRUST for this step.) Give the distinguished name you want to use. We also selected the longest key length for stronger security.

image

Step 4. Import/verify the certificate in Tcode STRUST

Call Tcode STRUST, expend “Encryption of Payment Card” on the left and double-click the item  under it, then select the certificate displayed on the right (it should have the distinguished name you gave in the previous step). The self-issued certificate could be used. If you want to use external trust center, click on “Create Certificate Request” to get the request, and click “Improt Cert. Response” after the certificate is generated.

Step 5. Execute report SAPFACCG in Tcode SE38 once

Step 6. Maintain view CCARDEC_V in Tcode SM30

Call Tcode SM30 and maintain view CCARDEC_V. Add VISA, MC, and AMEX as Payment Card Type and check “Encrypted” respectively.

image

Phase 3. Check the configuration

Execute report CCARDEC_CHECK from Tcode SE38, only select P_TOOLS, and you should get the results like the following

image

To report this post you need to login first.

6 Comments

You must be Logged on to comment or reply to a post.

  1. mdv sapcrm
    HI Victor Lin/Ramakrishna Ramisetti,
    The Blog is very good.
    Can any one of you send the detailed document on Enabling Credit Card Encryption to the following mail id:Vali4sap@yahoo.co.in
    Still it would be fantastic if you would publish the complete configuration document for Enabling Credit Card Encryption.
    Regards,
    DV.
    (0) 
  2. Phani Emani
    Hi Victor,

    We followed your instructions step by step but in the database tables, we still see unencrypted credit card number.  We are on enterprise 4.72 system, IS Utilities CCS solution.  We are currently at support pack level SAPKH47025.  The tables we are specifically looking at are CCARD, DFKKOPC, DFKKOPKC.

    We would really appreciate any help you can extend.

    Phani.

    (0) 
  3. Diane Szmurlo
    Hi Victor,

    We are running SAP on ISeries and are upgrading to ECC 6.0.  We are trying to implement CC Encryption and I have made it through the technical install of SAPCRYPTO using note 758667 for ISeries.  The problem is in Step 3 of your procedure.  The program SSF_CREATE_PSE does not exist in ECC 6.0. Per note #662340 SAP suggests to use STRUST.  Do you have any update to this blog using STRUST for creating the PSE and following steps?

    (0) 
  4. Joseph Wahl

    Is the use of SAPCRYPTO limited to credit card encryption? I am working a solution to encrypt SAP IDOC files transmitted (ALE’d) from SAP rel 4.7 to SAP rel 6.0.  We would prefer to encrypt only certain fields within the IDOC and use BADi IDOC_DATA_MAPPER with installing an encryption function in the BADi. Would enabling the lib to encrypt IDOC’s be a solution? Or is there other encryption functionality we should consider? 

    (0) 

Leave a Reply