
SAP Security Notes

Recently SAP simplified the way to find out about potential security issues related to our software. You can find any related notes by going to the top of the Service Marketplace support portal.

Go to http://service.sap.com/securitynotes and then you can click on “Display SAP Security Notes” to get a pretty extensive list.

You can also use the Service Marketplace options to subscribe to this information, so you will see it automatically using an RSS reader.

SAP Point of Sale

A colleague mentioned to me that SAP had posted a security note that could affect some users of SAP Point of Sale. In summary, it looks like a handful of retailers may be using functionality that could lead to a PCI DSS issue for them. I recommend that you check the Service Marketplace for details and take appropriate action.

To find it, you can look at the security notes as mentioned above, or search for note # 1403618, which is for IS-R-TGM-POS. The note was released November 18th, 2009.

The good news is that the issue doesn’t affect everyone, but it’s definitely worth having a look at. Also, there is a straightforward solution.

PCI Standard Revision Underway

It looks like the PCI Security Standards Council is revising the specifications again. The review process has started for PCI DSS 1.2. It may be worthwhile to learn more about the evolution of the standard so that you are prepared.

To learn more, I encourage you to visit the PCI SSC web site: https://www.pcisecuritystandards.org/

Hopefully these will not be substantial changes, but as always, it pays to stay informed.


2 Comments


  1. Abderrazzak Azirhi
    Hi Colin, thx for sharing your interesting blog.
    My question is whether PCI compliance is a legal or rather a ‘Must-Have’ business requirement?
    thx a lot
    abdu
    1. Colin Haig Post author
      PCI DSS compliance is not required by law, but is required by the payment card issuers (e.g. Visa, Mastercard, American Express). Any business that wishes to take credit cards has a contractual obligation to the payment acquirer (payment networks) to keep the data secure and operate with proper practices. Card data theft, security breaches and non-compliance can result in substantial fines, on the order of over US$25,000 per month or more. Effectively, all retailers must be compliant, or they will not be able to take payment cards, which would have a huge negative impact on their business.
      Some legislation is being discussed regarding full disclosure of non-compliance as it has a risk to shareholders; however, I do not believe it is in place today. Think of it as an “absolutely must have” – and many retailers had never spent any time securing their systems prior to PCI DSS coming into play.
