PCI DSS compliances in SAP applications
PCI DSS stands for Payment Card Industry Data Security Standard. The current version 1.1 is a comprehensive standard that covers security management, policies and procedures, security architecture, secure application development and change management. It intends to proactively protect customer account data, including customer credit card information.
In the last few years, many retailers and credit card service providers have tackled PCI DSS compliance tasks. According to Forrester Research, a lot of money has been spent on becoming PCI compliant, and it is believed that the majority of them are in compliance now, especially the level 1 merchants and service providers. However, it may take a while before the benefits of PCI compliance are seen.
It's not easy to be PCI compliant. There are 12 requirements to be met:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
Further details are in the DSS document. As one can see, the standard is comprehensive and covers many security best practices developed over the years.
What are the benefits of being PCI compliant?
- Paying lower service fees, of course.
- I believe those organizations who have truly embraced PCI compliance should have instituted a more or less holistic security practice, and they should get good ROI down the road.
- Implemented some security best practices as a result.
- PCI compliance programs and lessons learned can be applied to the general GRC area. I think this can be huge.
- Anything else that you could think of?
What are the implications for SAP customers? Here are a few high-level bullet points that I could think of:
- Most requirements have a direct impact on SAP applications, not just Requirement 3.
- No PCI consulting company that I know of understands ERP, let alone the depth and complexity of SAP.
- Continuing from the last point: in SAP applications, data elements carrying cardholder data can traverse many places (extended memory, temporary storage, files on the OS, etc.) and can morph into different persistent objects before being displayed on screen or saved into tables. Is cardholder data safe in all of these places?
- Should you encrypt cardholder data stored in SAP? How?
- How do you ensure continuous PCI compliance, or any GRC compliance, while SAP applications are under constant change?
- Anything else?