How PCI Security Compliance Requirements Affect Your SAP System

  • by Eric Bushman, Director of SAP Solutions, Paymetric Inc.
  • January 15, 2007
Card issuers are requiring merchants, banks, service providers, and card processors to take stringent measures to protect stored data. Establishing user security roles and minimizing end-user access to non-encrypted card data within your SAP system is essential for compliance.
Key Concept
The Payment Card Industry Data Security Standard (PCI DSS) represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa’s Account Information Security (AIS) and Cardholder Information Security Program (CISP) with MasterCard’s Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process, including preventing, detecting, and reacting to security incidents. American Express, Discover, and most other card issuers support PCI DSS as well.

As data thieves become more sophisticated and networks grow more complex, organizations managing sensitive payment card information are feeling increased pressure to better secure the data they store. High-profile thefts of card data from a range of retailers and processors have raised awareness and created a sense of urgency for more stringent data security.

Payment Card Industry (PCI) standards, which apply to store merchants, banks, service providers, and card processors, aim to reduce the risk of a security threat by mandating the proper use of firewalls, message encryption, computer access controls, and antivirus software. They also require frequent security audits and network monitoring, and forbid the use of default passwords.

Companies processing more than 20,000 transactions annually are required to scan their networks quarterly and conduct annual audits of their Payment Card Industry Data Security Standard (PCI DSS) compliance. The mandate applies to hundreds of thousands of organizations around the world, and complying with the standard is no simple task. The card issuers have made it clear that failure to comply with PCI’s detailed technical requirements can result (and have resulted) in substantial penalties, including fines.

The PCI DSS requirements consist of 12 specific points related to building secure networks and protecting cardholder information. Addressing these requirements not only protects businesses and merchants from cardholder fraud but also satisfies a broader mandate for information protection and security. Stakeholders in the process commonly include the CFO, the CIO, the treasury and sales departments, and the Basis and IT teams. Cooperation among these entities is essential to achieving successful compliance.

In this article, I focus on SAP-specific issues surrounding two of the 12 requirements, which are listed in the sidebar, “Twelve Requirements of PCI DSS”: Requirement 3, which addresses the protection of stored data; and Requirement 7, which sets forth restrictions on accessing data on a need-to-know basis.

Eric Bushman

Eric Bushman specializes in payment card processing and integration within the SAP Payment Card Interface, including consumer cards, corporate cards, purchase cards, and debit cards. He works closely with Paymetric's Fortune-class customers to integrate payment card workflows with native SAP sales and accounting operations. He served as the integration lead for payment card processing in the first credit card integration with SAP's R/3 (SD and FI) product for Nuskin in 1997, and as the integration lead for payment card processing in the first credit card integration with SAP's Customer Relationship Management (CRM) product for iLogistix in 2000. Prior to becoming an independent SAP integration consultant in 1996, he was a consultant for Price Waterhouse. Eric will be a featured speaker at the ASUG CRM Forum in Phoenix this October.


