Over the past few years, many of the major credit card companies have slowly been ratcheting down on the data security practices of the thousands of merchants that accept their payment cards. The relatively recent formation of the PCI SSC (Payment Card Industry Security Standards Council) by a number of these companies has resulted in the establishment of the PCI DSS, or Payment Card Industry Data Security Standards. These standards outline the payment card data security practices that are necessary for merchants accepting payment cards as a form of payment. More information about the PCI DSS can be found at http://www.pcisecuritystandards.org/.
A related set of standards was published by the same organization under the name PABP, or Payment Application Best Practices. These standards are applicable to vendors that provide software solutions used by merchants in the processing of payment card data. The goal of these standards is to ensure at least a base level of consistency across the software vendor landscape in the way payment card data is protected. More information about these standards can also be found on the PCI website referenced above.
Recognizing that payment card data security is an important topic for many companies, SAP has moved forward with a number of enhancements that aid companies in realizing a secure transactional environment. The following features have been made available across many areas in SAP CRM and SAP ERP:
- Configurable masked display of the payment card number in the UI
- Configurable encryption of the payment card number, leveraging the SAP NetWeaver cryptographic library
- Audit trail of user access to unmasked payment card data when the masking feature is active
- Various migration programs to support upgrade scenarios when moving from non-encrypted to encrypted data
- Periodic exchange of encryption keys via SAP NetWeaver
For further detail on these and related features, the following two SAP OSS Notes are very useful:
- 1032588 – Secure handling of payment card data in ERP
- 1034482 – FAQ Credit Card Encryption in CRM
Further information about related CRM features is also available in the section on Payment Card Processing in SAP Help via the following link: http://help.sap.com/saphelp_crm70/helpdata/EN/e6/d05af4c30341f7a7ab93298794cfb6/frameset.htm
A general statement about SAP and its current position on the standards published by the PCI can also be accessed via the following link in the SAP Service Marketplace