
The Payment Card industry, legislative mandates, and best security practices are all calling for the encryption of credit card numbers and other sensitive data within an organization's applications and databases.
How do you accomplish this in SAP environments? With CardSecure® you can encrypt credit card numbers and similar data within SAP - boosting security and ensuring compliance with the security standards set forth by Visa and adopted by all payment card issuers.
In today's high-stakes computing environment, it is absolutely crucial for credit card numbers and similar sensitive data to be carefully encrypted wherever stored.
Many companies are finding that in order to prevent costly and embarrassing data theft, they must practice strong encryption within their mass storage devices, such as databases, hard drives and backup media. In addition, encryption and key management schemes must comply with industry standards and international information protection laws.
While SAP provides encryption libraries, the implementation of these libraries can be tricky. Like dynamite, encryption is useful but dangerous if not thought out properly. When discussing encryption, SAP has been careful to specify that secure encryption is best handled by experts.
Princeton Payment Solutions' CardSecure handles all aspects of encryption for credit card numbers and similar data, providing a solid encryption management infrastructure, including:

CardSecure enables organizations to introduce required credit and payment card data encryption to their existing enterprise database and application infrastructure, simplifying security management, concentrating key data into a defensible facility, and complying with government and card association privacy and security requirements. A prime example of this is the ability to change keys without having to decrypt and re-encrypt all data, saving untold numbers of cycles and hours going forward.
Cryptography is consolidated and consistently implemented using a scalable and readily adaptable architecture, ensuring that future system modifications will have minimal impact on security.
SAP vs. CardSecure® Encryption: A PCI Compliance Checklist

| PCI Requirement | Native SAP Encryption | CardSecure Encryption |
| --- | --- | --- |
| Key indicators for a roll over strategy | Fail | Pass |
| Key management on a server separate from the application | Fail | Pass |
| Centralized encryption policy vs. one for SAP and one for the rest of the company | Fail | Pass |
| Upgradable to a solution that covers Social Security numbers, Tax ID numbers, Bank ACH Number or any other fields with sensitive data | Fail | Pass |
