How to Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
DESCRIPTION
Many companies find it challenging to keep sensitive card data out of their SAP® systems. View this presentation to learn how you can leverage Paymetric's XiIntercept for SAP® to prevent card data from ever entering your SAP environment, minimizing PCI compliance scope and reducing the risk of a data breach. For more information, visit www.paymetric.com.
TRANSCRIPT
PCI Compliance: Avoiding the Pitfalls in Keeping Your SAP® System Fully Compliant and Secure
Presenter: Eric Bushman, VP Solutions Engineering
October 24, 2014 ©2014. Paymetric. All Rights Reserved. 1
Agenda
§ PCI DSS Requirements Overview
§ Common Data Security Challenges within SAP®
§ Best Practices When Dealing with Raw Card Numbers
§ How to Solve for these Challenges
§ Why Paymetric
§ Q&A
What is PCI Compliance?
Section / Category                             Requirement
Build and Maintain a Secure Network            1. Install and maintain a firewall configuration
                                               2. Do not use vendor-supplied defaults for system passwords
Protect Cardholder Data                        3. Protect stored cardholder data
                                               4. Encrypt transmission of cardholder data
Maintain a Vulnerability Management Program    5. Use and regularly update anti-virus software
                                               6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures       7. Restrict access to data by business need-to-know
                                               8. Assign a unique ID to each person with computer access
                                               9. Restrict physical access to network resources and card data
Regularly Monitor and Test Networks            10. Track and monitor all access to network resources and card data
                                               11. Regularly test security systems and processes
Maintain an Information Security Policy        12. Maintain a policy that addresses information security
Data Security Challenges in SAP®
§ Order Entry or Collections workflows require card details to be entered into SAP and used for the payment transactions
§ Even storing cards on a customer master record requires entry of RAW cards at some point in some application
Best Practices
§ Don’t allow interfaces to pass RAW card numbers into SAP
§ Check BAPI interfaces
§ Check IDOC interfaces
§ Check File/Excel upload interfaces
The Golden Rule: Avoid exposure of RAW cards in your SAP system as much as possible
Best Practices
§ Use XiIntercept solutions to prevent direct entry of RAW cards in SAP GUI and/or SAP HTML interfaces
§ XiIntercept for SAP can be used during capture in the SAP GUI
§ XiIntercept for Ecommerce can be used during capture in the SAP HTML GUI
§ Use SAP Card Validation rules that prevent entry of RAW card data – flags it as an error and disallows entry
Best Practices
§ Don’t allow users to view detokenized cards in SAP
§ Deactivate calls to the detokenization service via SAP
§ Only allow users to reference and view RAW card data in the Paymetric Reporting Portal (XiPay Web GUI) interface
§ Train users to prevent entry of RAW card numbers in text fields where validations and tokenization can’t be performed
Best Practices
§ Convert to tokens and purge any existing RAW or encrypted data in the SAP database
§ Customer Master records
§ Historical transactional data
§ Text fields
§ If you are capturing CVV values for transmission in Authorization calls in SAP, ensure that you’ve applied the OSS notes to prevent storage of the CVV value in the SAP DB
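As an added example (not Paymetric's or SAP's code), the detection logic behind two of the practices above: a field-level validation rule that rejects a value carrying a raw card number (the "flag as error and disallow entry" rule) and an inventory scan of existing text fields ahead of the convert-and-purge step. The length bounds, function names and sample records are assumptions; the card numbers are public Luhn-valid test values.

```python
import re
# Candidate PAN: 13 to 19 digits with optional single space/dash separators (bounds assumed).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, 10-18 becomes 1-9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates found in free text, separators stripped."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Display form keeping at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def validate_field(value: str) -> tuple:
    """Field-level rule: (ok, message); a raw PAN makes the entry an error."""
    pans = find_pans(value)
    if pans:
        return False, "raw card number %s not allowed here; use the tokenizing form" % mask(pans[0])
    return True, ""

def scan_records(records: list) -> list:
    """Inventory pass before purge: one (record id, field, masked PAN) tuple per hit."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field != "id":
                for pan in find_pans(str(value)):
                    findings.append((rec["id"], field, mask(pan)))
    return findings

# Constructed sample records; the card numbers are public Luhn-valid test values.
SAMPLE_RECORDS = [
    {"id": "CUST-0001", "note": "PO 12345, net 30"},
    {"id": "CUST-0002", "note": "pay with card 4111 1111 1111 1111 exp 12/25"},
    {"id": "ORDER-0001", "note": "ref 4111111111111112 shipped"},  # fails Luhn: not a PAN
]
```

The scan reports only masked digits, so its own output does not become another place where a raw PAN is stored.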
Solution Overview
§ Easily scales across the SAP landscape
§ Gives merchants the argument that SAP is out of scope for a PCI DSS audit
§ Eliminates data exposure in the event of a data breach
§ Centralizes configuration and auditing
Paymetric Cloud-Based Environment
Create a Tokenization Layer Around Your Enterprise
Remove Systems from Your Cardholder Data Environment (CDE)
XiIntercept for SAP®
Sensitive card data entered within SAP is intercepted and secured by XiIntercept
XiIntercept for eCommerce
Intercept Card Data at the Earliest Point of Your Workflow
[Figure: screenshot of a payment form; Paymetric intercepts and secures the shaded data fields]
SAQ Validation Types
SAQ Validation Type   Description                                                             Number of Questions
A                     Card-not-present merchants                                              14
A-EP                  eCommerce merchants redirecting to a third-party website                139
C                     Merchants with payment application systems connected to the Internet   140
D-MER                 All other SAQ-eligible merchants                                        263
May Qualify Your Organization for Self Assessment Questionnaire C, Reducing the Number of Compliance Requirements from 263 to 139
Reduce PCI DSS Audit Scope
[Chart: Number of Questions Per SAQ, bars at SAQ A 14, SAQ A-EP 139, SAQ C 140, D-MER 263]
Why Paymetric
Solution Features
Global Support
§ Multi-Currency
§ Visa
§ Mastercard
§ AMEX
§ Diners
§ Etc.
Security
§ Replaces stored data with tokens
§ Store actual data in off-site secure data vault
§ XiFlex maintains original length and format of data
§ Provides key management and rotation outside of enterprise applications, eliminating downtime
Performance
§ Web-based User Interface
§ Multi-Client Architecture
§ Multiple Cardholder Authentication Types
§ Multiple Integration Technologies
§ High Availability – 24 x 7 Operations
§ Access Logging
§ Monitoring of Decryption Requests
§ Integrated Back-up
§ Load Balancing
§ Disaster Recovery
§ Database Clustering
Alternative Payments
§ PayPal
§ BillMe Later
§ Google Checkout
§ Amazon
§ Telecheck
§ Etc.
Processing Levels
§ Level 1
§ Level 2
§ Level 3
Multiple Payment Types
§ Credit
§ PINless Debit
§ Gift
§ Loyalty
§ ACH
§ Etc.
Certifications
§ SAP Enterprise Services Interface
§ SAP Cross-Application Payment Card Interface
§ Level 1 PCI DSS Certified Service Provider
Challenges We Address
PAYMENT MANAGEMENT
§ Multiple Payment Types
§ Multiple Geographies
§ Multiple Currencies
§ Multiple Systems
§ Multiple Parties
BUSINESS RISK
§ Data Security
§ PCI Compliance
§ Working Capital
§ Revenue Recognition
§ Reconciliation
§ Unauthorized Shipments
§ Customer Satisfaction
TECHNOLOGY
§ System Integration
§ Upgrades
§ Semi-Annual Assoc. Releases
OPERATIONAL
§ Multiple Workflows
§ Manual Authorization
§ Manual Reconciliation
§ Manual Invoice Clearing
COSTS
§ Interchange Costs
§ Processing Expense
§ PCI Costs
§ Maintenance Costs
§ Support Costs
Award-Winning Company
Paymetric is Recognized for Electronic Payments Innovation
Paymetric is an award-winning company built on shared purpose, an unremitting pursuit of excellence, lasting collaboration, accountability and integrity. For more than 15 years, we have been recognized for our work and honored with awards for technical innovation and thought leadership.
Questions?