Many companies find it challenging to keep sensitive card data out of their SAP® systems. View this presentation to learn how you can leverage Paymetric's XiIntercept for SAP® to prevent card data from ever entering your SAP environment - minimizing PCI Compliance scope and reducing the risk of a data breach. For more information, visit www.paymetric.com.

1. PCI Compliance: Avoiding the Pitfalls in Keeping
Your SAP® System Fully Compliant and Secure
Presenter:
Eric
Bushman,
VP
Solu6ons
Engineering
October
24,
2014
©2014.
Paymetric.
All
Rights
Reserved.
1

2. Agenda
§ PCI
DSS
Requirements
Overview
§ Common
Data
Security
Challenges
within
SAP®
§ Best
Prac6ces
When
Dealing
with
Raw
Card
Numbers
§ How
to
Solve
for
these
Challenges
§ Why
Paymetric
§ Q&A
October
24,
2014
2
©2014.
Paymetric.
All
Rights
Reserved.

3. 3
What
is
PCI
Compliance?
©2014.
Paymetric.
All
Rights
Reserved.
Sec4on
Category
Build
and
Maintain
a
Secure
Network
Protect
Cardholder
Data
Maintain
a
Vulnerability
Management
Program
Implement
Strong
Access
Controls
Measures
Regularly
Monitor
and
Test
Networks
Maintain
an
Informa6on
Security
Policy
Requirement
1.
Install
and
maintain
a
firewall
configura6on
2.
Do
not
use
vendor-­‐supplied
defaults
for
system
passwords
3.
Protect
stored
cardholder
data
4.
Encrypt
transmission
of
cardholder
data
5.
Use
and
regularly
update
an6-­‐virus
soZware
6.
Develop
and
maintain
secure
systems
and
applica6ons
7.
Restrict
access
to
data
by
business
need-­‐to-­‐know
8.
Assign
a
unique
ID
to
each
person
with
computer
access
9.
Restrict
physical
access
to
network
resources
and
card
data
10.
Track
and
monitor
all
access
to
network
resources
and
card
data
11.
Regularly
test
security
systems
and
processes
12.
Maintain
a
policy
that
address
informa6on
security

4. Data Security Challenges in SAP®
§ Order
Entry
or
Collec6ons
workflows
require
card
details
to
be
entered
into
SAP
and
used
for
the
payment
transac6ons
§ Even
storing
cards
on
a
customer
master
record
requires
entry
of
RAW
cards
at
some
point
in
some
applica6on
October
24,
2014
4
©2014.
Paymetric.
All
Rights
Reserved.

5. Best Practices
The
Golden
Rule:
Avoid
exposure
of
RAW
cards
in
your
SAP
system
as
much
as
possible
§ Don’t
allow
interfaces
to
pass
RAW
card
numbers
into
SAP
October
24,
2014
5
©2014.
Paymetric.
All
Rights
Reserved.
§ Check
BAPI
interfaces
§ Check
IDOC
interfaces
§ Check
File/Excel
upload
interfaces

6. Best Practices
§ Use
XiIntercept
solu6ons
to
prevent
direct
entry
of
RAW
cards
in
SAP
GUI
and/or
SAP
HTML
interfaces
October
24,
2014
6
©2014.
Paymetric.
All
Rights
Reserved.
§ XiIntercept
for
SAP
can
be
used
during
capture
in
the
SAP
GUI
§ XiIntercept
for
Ecommerce
can
be
used
during
capture
in
the
SAP
HTML
GUI
§ Use
SAP
Card
Valida6on
rules
that
prevent
entry
of
RAW
card
data
–
flags
it
as
an
error
and
disallows
entry

7. Best Practices
§ Don’t
allow
users
to
view
detokenized
cards
in
SAP
October
24,
2014
7
©2014.
Paymetric.
All
Rights
Reserved.
§ Deac6vate
calls
to
the
detokenized
service
via
SAP
§ Only
allow
users
to
reference
and
view
RAW
card
data
in
Paymetric
Repor6ng
Portal
(XiPay
Web
GUI)
interface
§ Train
users
to
prevent
entry
of
RAW
card
numbers
in
text
fields
where
valida6ons
and
tokeniza6on
can’t
be
performed

8. Best Practices
§ Convert
to
tokens
and
purge
any
exis6ng
RAW
or
encrypted
data
in
the
SAP
database
October
24,
2014
8
©2014.
Paymetric.
All
Rights
Reserved.
§ Customer
Master
records
§ Historical
transac6onal
data
§ Text
fields
§ If
you
are
capturing
CVV
values
for
transmission
in
Authoriza6on
calls
in
SAP,
ensure
that
you’ve
applied
the
OSS
notes
to
prevent
storage
of
the
CVV
value
in
the
SAP
DB

9. Solution Overview
§ Easily
scales
across
the
SAP
landscape
§ Gives
merchants
the
argument
that
SAP
is
out
of
scope
for
a
PCI
DSS
audit
§ Eliminates
data
exposure
in
the
event
of
a
data
breach
§ Centralizes
configura6on
and
audi6ng
October
24,
2014
9
©2014.
Paymetric.
All
Rights
Reserved.

10. Paymetric Cloud-Based Environment
October
24,
2014
10
©2014.
Paymetric.
All
Rights
Reserved.

11. Create
A
Tokeniza4on
Layer
Around
Your
Enterprise
October
24,
2014
11
©2014.
Paymetric.
All
Rights
Reserved.

12. October
24,
2014
12
©2014.
Paymetric.
All
Rights
Reserved.
for SAP®
Remove
Systems
from
Your
Cardholder
Data
Environment
(CDE)
Sensi4ve
card
data
entered
within
SAP
is
intercepted
and
secured
by
XiIntercept

13. XiIntercept for eCommerce
October
24,
2014
13
Intercept
Card
Data
at
the
Earliest
Point
©2014.
Paymetric.
All
Rights
Reserved.
of
Your
Workflow
Paymetric
intercepts
and
secures
shaded
data
fields

14. SAQ
Valida4on
Types
May
Qualify
Your
Organiza4on
for
Self
Assessment
Ques4onnaire
C,
Reducing
the
Number
of
Compliance
Requirements
from
263
to
139
SAQ
Valida4on
Type
October
24,
2014
14
©2014.
Paymetric.
All
Rights
Reserved.
Descrip4on
Number
of
Ques4ons
A
Card-­‐not-­‐present
merchants
14
A-­‐EP
eCommerce
merchants
redirec6ng
to
a
third-­‐party
website
139
C
Merchants
with
payment
applica6ons
systems
connected
to
the
Internet
140
D-­‐MER
All
other
SAQ-­‐eligible
merchants
263

15. Reduce
PCI
DSS
Audit
Scope
May
Qualify
Your
Organiza4on
for
Self
Assessment
Ques4onnaire
C,
Reducing
the
Number
of
Compliance
Requirements
from
263
to
139
300
250
200
150
100
October
24,
2014
15
50
©2014.
Paymetric.
All
Rights
Reserved.
14
Number
of
Ques4ons
Per
SAQ
139
140
263
0
SAQ
A
SAQ
A-­‐EP
SAQ
C
D-­‐MER

16. Why Paymetric
October
24,
2014
16
©2014.
Paymetric.
All
Rights
Reserved.

17. Cer4fica4ons
§ SAP
Enterprise
Services
Interface
§ SAP
Cross-­‐Applica6on
Payment
Card
Interface
§ Level
1
PCI
DSS
Cer6fied
Service
Provider
Security
§ Replaces
stored
data
with
tokens
§ Store
actual
data
in
off-­‐site
secure
data
vault
§ XiFlex
maintains
original
length
and
format
of
data
§ Provides
key
management
and
rota6on
outside
of
enterprise
applica6ons
elimina6ng
down6me
October
24,
2014
17
©2014.
Paymetric.
All
Rights
Reserved.
Global
Support
§ Mul6-­‐Currency
§ Visa
§ Mastercard
§ AMEX
§ Diners
§ Etc.
Alterna4ve
Payments
§ PayPal
§ BillMe
Later
§ Google
Checkout
§ Amazon
§ Telecheck
§ Etc.
Processing
Levels
§ Level
1
§ Level
2
§ Level
3
Performance
§ Web-­‐based
User
Interface
§ Mul6-­‐Client
Architecture
§ Mul6ple
Cardholder
Authen6ca6on
Types
§ Mul6ple
Integra6on
Technologies
§ High
Availability
–
24
x
7
Opera6ons
§ Access
Logging
§ Monitoring
of
Decryp6on
Requests
§ Integrated
Back-­‐up
§ Load
Balancing
§ Disaster
Recovery
§ Database
Clustering
Solution Features
Mul4ple
Payment
Types
§ Credit
§ PINless
Debit
§ GiZ
§ Loyalty
§ ACH
§ Etc.

18. Challenges We Address
PAYMENT
MANAGEMENT
October
24,
2014
18
©2014.
Paymetric.
All
Rights
Reserved.
BUSINESS
RISK
TECHNOLOGY
COSTS
§ Interchange
Costs
§ Processing
Expense
§ PCI
Costs
§ Maintenance
Costs
§ Support
Costs
OPERATIONAL
§ Mul6ple
Payment
Types
§ Mul6ple
Geographies
§ Mul6ple
Currencies
§ Mul6ple
Systems
§ Mul6ple
Par6es
§ Data
Security
§ PCI
Compliance
§ Working
Capital
§ Revenue
Recogni6on
§ Reconcilia6on
§ Unauthorized
Shipments
§ Customer
Sa6sfac6on
§ System
Integra6on
§ Upgrades
§ Semi-­‐Annual
Assoc.
Releases
§ Mul6ple
Workflows
§ Manual
Authoriza6on
§ Manual
Reconcilia6on
§ Manual
Invoice
Clearing

19. Award-Winning Company
Paymetric
is
Recognized
for
Electronic
Payments
Innova4on
Paymetric
is
an
award-­‐winning
company
built
on
shared
purpose,
an
unremilng
pursuit
of
excellence,
las6ng
collabora6on,
accountability
and
integrity.
For
more
than
15
years,
we
have
been
recognized
for
our
work
and
honored
with
awards
for
technical
innova6on
and
thought
leadership.
October
24,
2014
19
©2014.
Paymetric.
All
Rights
Reserved.

20. Questions?
October
24,
2014
20
©2014.
Paymetric.
All
Rights
Reserved.