Credit card encryption-decryption

Similar Messages

• Credit Card Encryption through RFC calls to third party software

  Dear All,
     I am working on credit card encryption in CRM. At our firm, we have SAP R/3 which is integrated with third party server for performing credit card encryption using RFC calls. We want to perform similar thing in SAP CRM. I was looking into SAP standard mechanism to perform encryption and it seems they use class CL_PCA_SECURITY -> External Encryption to encrypt credit card. Are there any BADIs available for me to change behaviour of this call and call our listeners (for third party server) instead of what standard SAP is calling. Here is what in the code:
  call C function 'SSFENVELOPE'
    CALL 'SSF_ABAP_SERVICE'                                 "#EC CI_CCALL
         ID 'OPCODE'             FIELD   SSF_OPCODES-ENVELOPE
         ID 'SECTOOLKIT'         FIELD   SSFTOOLKIT
         ID 'STRFORMAT'          FIELD   STR_FORMAT
         ID 'STRFORMATL'         FIELD   STR_FORMAT_L
         ID 'BINENC'             FIELD   B_INENC
         ID 'IOSPEC'             FIELD   IO_SPEC
         ID 'OSTRINPUTDATAL'     FIELD   OSTR_INPUT_DATA_L
         ID 'STRPAB'             FIELD   STR_PAB
         ID 'STRPABL'            FIELD   STR_PAB_L
         ID 'STRPABPASSWORD'     FIELD   STR_PAB_PASSWORD
         ID 'STRPABPASSWORDL'    FIELD   STR_PAB_PASSWORD_L
         ID 'OSTRENVELOPEDDATAL' FIELD   OSTR_ENVELOPED_DATA_L
         ID 'CRC'                FIELD   CRC
         ID 'OSTRINPUTDATA'      FIELD   OSTR_INPUT_DATA-SYS
         ID 'RECIPIENTLIST'      FIELD   RCPTAB-SYS
         ID 'OSTRENVELOPEDDATA'  FIELD   OSTR_ENVELOPED_DATA-SYS
         ID 'STRSYMENCRALG'      FIELD   STR_SYM_ENCR_ALG
         ID 'STRSYMENCRALGL'     FIELD   STR_SYM_ENCR_ALG_L.

  Vivek,
  While it may be technically possible to accomplish what you are suggesting (leveraging the encryption functionality provided by your third-party server) I would recommend strongly that you consider a token-based solution instead.  You can learn more about tokenization on this [blog|/people/eric.bushman4/blog/2009/01/02/tokenization-as-a-means-of-securing-credit-card-numbers ].
  There are many reasons why a token-based solution is superior to using application specific encryption (as outlined in the blog), but specifically in the case you describe where an SAP CRM and SAP R/3 are involved there is one specific reason to consider:
  When order data is replicated between SAP CRM and SAP R/3 the systems will attempt to decrypt the credit card numbers prior to passing the data and therefore the RAW card number will be stored in the middleware logs.  This is especially true when using SAP's native credit card encryption logic in the CRM and R/3-ECC applications. 
  For example, let's say a user enters a credit card as the form of payment during Order Creation in CRM.  At Order Save the system will send the credit card information to your third-party server for an authorization attempt and the results will be returned to CRM.  As the Order is saved and committed to the CRM database the standard SAP encryption functionality can be leveraged to encrypt the card data.  Based on your middleware configuration, eventually the Order data (including the credit card details) will be sent to the R/3 or ECC system.  In order to do so the CRM system will first decrypt the card number meaning that the CRM middleware logs will contain RAW card numbers.  When the Order is created in R/3 or ECC the native credit card encryption functionality in R/3 or ECC could be used to encrypt the card number prior to the Order being stored in the database.
  Should you choose to use a third-party server you may find, depending on how the third-party vendor's logic works in SAP, that you must utilize a BADI to decrypt the card number in CRM so that the CRM middleware has a RAW card and so that when the Orders is saved in the R/3 or ECC system it can be encrypted again with the third-party vendor solution.  In either case the RAW card number is present in all systems for some period of time and potentially stored in logs thus exposing your systems to risk and greater PCI audit scrutiny.
  Eric Bushman
  VP, Solutions Engineering
  [Paymetric|https://www.paymetric.com]

• Credit card encryption not working

  Hi CRM - Payment card experts,
  We have a issue, where in the CRM is interfaced with Paymetric for credit card processing. As per the design, the credit card encryption should work. But, i see no encryption happening in the crm order.
  Please suggest, where could  be the problem.
  Thanks.
  Regards,
  Phaniraj

  Hi,
  Can you please be more specific with your problem.
  Can you please let us know where exaclty you are doing the card number encryption(BAPI/BADI/RFC/FM).
  Please let us know if you are calling some third party for doing this encryption.
  If you are doing the encryption internally(not calling any external third party) than you can check by debugging whether your encryption code is getting called or not,
  If its a third party validation/encryption than check for the rfc connections.
  If you want to write the new logic for encryption than write it in the same place where card number validation(Luhn's formula credit card validation) code is written.
  Regards,
  Arshi
  Edited by: Arshi Arshi on Jun 15, 2009 9:38 AM
  Edited by: Arshi Arshi on Jun 15, 2009 9:42 AM

• Credit Card Encryption & System Copy

  Hi All,
  We have done a system copy from PRD back to QA (credit card encryption is activated on both servers). The customer would like to be able to read the PRD data including the credit card details but of course the QA system can only de-crypt its own data and not the PRD data. Is there a way of de-crypting the PRD data that is already within QA and then re-encrypt using QA key?
  I didn't set up the original encryption so I am learning about this as I go.
  Thanks.

  >
  Natalie wrote:
  > Well, I have advised this to my customer, but at the end of the day the customer owns the system and he wants to be able to see the Productive data in the QA system.
  Well, the upper management of this customer is finally (legally) responsible to ensure that access to this sensitive data is controlled and restricted (no matter where it is stored - if the data is replicated then all storages need to be protected with the same strong mechanisms).
  Usually access to non-productive systems is much easier (less restrictive). So, the customer is taking quite a huge risk that this sensitive data might be less protected than (legally) required.
  Aside of legal consequences the loss of trust / reputation might impose an even higher (business) risk. I would consider twice ... (but I'm not the CEO nor the CIO of that customer) ...
  PS: for your own protection I'd strongly recommend that you inform the customer on those risks (in written form) and let him sign-off that you've warned him ... (otherwise you might be kept liable as well - if being engaged as adviser / consultant).

• Credit Card Encryption Question

  Question from my customer (on EBS 11i):
  I have a question about the Visa VCF 4 Transaction Loader. We are working
  on automating this process and have installed a secured storage area to
  hold the file. It is my understanding that the bank is going to send us an
  encrypted file.
  Is the Visa VCF 4 Transaction Loader can process a PGP encrypted file?
  Your help is appreciated - thanks!

  The answer is that you do not store the ciphertext in the card number field. You create a reference number which is 25 bytes long that substitutes for the card number, and is stored in the card number field. The reference number, in turn, is also stored in a custom table with the ciphertext. The reference number is a unique key to that table.
  You then create translation routines to encrypt/decrypt the ciphertext based on the reference number that you stored. These routines would be passed the card number field, which contains the reference number. The input parameter list for these routines are standard. The routines that do the encryption/decryption are configured to be called at the appropriate times.
  - Brendan

• Credit card encryption in table BUT0CC & CCARD

  Hi,
  We are on SAP IS-UT release 604. We are capturing Customer credit card information at business partner level (FPP2). The credit card information is displayed as masked on the BP screens. However this is not stored as encrypted in underlying SAP tables BUT0CC and CCARD.
  Can you please let me know how it is possible to store encrypted card in these tables?
  Thanks
  Shadab

  Shadab,
  there are various notes available explaining how to encrypt data in SAP:  e.g. 662340, 842087, 836079, ...
  You migh also check-out the IMG activity SPRO -> Cross Application Components -> Payment Cards ->           
  Basic Settings -> Maintain Payment Card Type -> "Encryption" (Flag)
  Cheers,
  Fritz

• Credit Card Encryption - executing tcode SSFA

  Hi all,
  I have searched SDN and various other site for information on what the correct sequence is to execute the tcode SSFA.  We have applied the OSS Note 66462 requirements (see below) but cannot figure out how to execute step 5 - can anyone please give any advice?
  To activate encryption, your system must meet the following requirements:
  1. For Release 4.6C, you must import Support Package SAPKH46C46 and
  2. Kernel 4.6D must have patch level 1329 (see Note 565111).
  3. For Release 470, you must import Support Package SAPKH47022.
  4. For Release ERP 500, you must import Support Package SAPKH50007.
  5. Download and install SAPCRYPTOLIB (see Note 662340). You must use the CCARD application when you use Transaction SSFA to set up encryption.
  For what it is worth - we are on 4.6C and AFS3.0B

  The Basis and Security people got this done

• Is there any off the shelf credit card enryption/decrption tool available ?

  Since, Credit Card (CC) processing is very critical , my company is looking for options which are available in the market -ready to use !!!
  Is there any off the shelf credit card enryption/decrption tool available ?

  What is "credit card encryption/decryption"?
  1) Are you willing to encrypt and decrypt credit card numbers in a safe way, to store them in a database?
  - JCE and crypto
  2) Are you willing to communicate with the credit card companies to perform credit card transactions in a safe way?
  - Contact them; there are third-party companies that sell solutions for communicating with Visa, Mastercard etc; the credit card company can tell you what company they recommend
  3) Are you trying to validate the credit card numbers (no online processing needed, just validate the card numbers in Javascript)
  - search for Luhn's algorithm

• Credit Card Payment at time of SO creation - Basic questions

  Most of our customers pay by credit card at the time of Sales order creation. (80% of times)
  Now sometimes they pickup the order at the same time and sometimes we follow the normal delivery process and ship material to them.
  Now we are not sure what document type or process flow will fit this process.
  Should we be using two different document types/ process to meet this requirement.
  Thought of using standard order type but then as they have already paid at the time of order creation we Dont want to send Invoice at Billing stage
  Shall we use Rush order or cash order for our requirement. (But they dont pickup material all the time, sometime we ship)
  Also if we maintain credit card information at Customer Master level, will it flow down to sales order and Biiling process.
  Thanks in advance.

  Jeet,
  I have worked with over 350 SAP customers over the last 14 years who have implemented the SAP Payment Card Processing business logic.  The majority of them use an integrated solution so that SAP submits the Authorization requests through SAP's Cross Application Payment Card Interface (CA-PCI) during Sales Order Save.  Some of them use external devices\applications to perform the Authorizations outside of SAP and simply use the SAP business logic to record those transactions.
  I would recommend you consider continuing to use the SAP Payment Card Processing business logic with your external Authorization process so that you can take advantage of the GL posting automation that SAP performs when an Invoice is posted to Accounting.  Namely that SAP will CREDIT the Customer AR account and DEBIT the Credit Card Receivable account for the card type used.  This is of great benefit to the Merchant because it eliminates the need for someone to MANUALLY post the payments to clear the open items on the Customer AR account once the Settlement deposit is received.
  Another advantage is that, when researching customer orders in SAP, you'll be able to see the card details that were used for payment.  Just be certain to activate SAP's credit card encryption logic or use a third-party Tokenization solution to secure the data.
  Eric Bushman
  [www.paymetric.com|http://www.paymetric.com]

• How to see masked Credit Card number in Sales Order !!

  Hi,
  In our SAP system credit card enceryption is activated. Certain users want to see the credit card number in the sales order change/display screen.We are in SAP ECC 6.0.
  Please let me know how we can achieve this.
  Thanks
  Ambuj

  Dear Ambuj,
  There is no possibility to view the credit card number unmasked in the sales order. You will always get the masked number even if you have C4 authorisation ('C4' action for the V_VBAK_AAT authorisation object). You can view the unmasked credit card number in transaction XD02/XD03.
  If you use BAPISDORDER_GETDETAILEDLIST to view the order then the C4 authorisation will be checked and the unmasked number will be displayed (if the user has this authorisation).
  If you have access to OSS notes then please check 836079 (FAQ: Credit card encryption and master data) and 766703 (FAQ: Credit card encryption in R/3 systems).
  I hope this helps.
  Best regards,
  Ian Kehoe.

• API for decrypt the encrypted credit card details

  Hi Friends,
  Is there any PLSQL API for decrypt the encrypted credit card detail in oracle application R12.
  Thanks,

  First, to prevent this from happening again, turn off "In App purchases" in the Restrictions settings on your iPad. You may also want to turn off the ability to install apps, to prevent purchases in case the child gets hold of your iTunes Store account information, and set the password to be required immediately. For more information, see:
  http://support.apple.com/kb/HT4213
  As to a refund, that's not automatic since the terms of sale for the iTunes Store state that all sales are final. You can contact the iTunes Store, explain the reason for your request, and ask, though:
  http://www.apple.com/support/itunes/contact.html
  They're usually pretty lenient in the case of inadvertent purchases by children. No guarantees, though, just as if your child was in a store and ate a bunch of food (in other words, something that can't just be returned).
  Good luck.

• Need to decrypt credit card number

  Hi Team,
  Payments BC has field called Account Number (CC_NUM), it stores encrypted value in database.
  Is there any program to get it from database and decrypt it to send external system?
  Regards,
  Sankar.P

  Hi,
  This may not be a proper answer to your question but it works for your requirement.
  Store Credit card number to some other column before encrypting then send that to external system.
  Thanks,
  Ram.

• Bank Account number encryption similar to Credit card

  Hi All,
  Standard SAP supports the encryption of credit card in ECC and CRM but not for bank account details. Does anyone have experience in implementing/enhance the program to encrypt/decrypt bank account number or bank key?
  Cheers
  Vinod

  Any comments please?

• Credit Card Number Encryption Feature in SAP

  Hi,
  I am interfacing between legacy system and SAP(probably through BAPI). The Credit card master table is VCNUM.
  The requirement is to have the Credit card number in the encrypted form. Does SAP has any feature that supports encryption feature?
  Please do reply with valuable suggestions.
  Thanks & Regards,
  Rajesh

  Hi,
  You can refer to below <b>threads</b>:
  Encryption / Decryption of Credit Card Number
  Re: Password encryption in SAP
  Re: Information regarding encryption.
  Hope you find your solution here.
  Reward points for useful answers
  Rgds,

• Encrypt Credit card data - table level

  Hi Team,
  We want to encrypt the credit card data, please let me know how to do this.
  We want to encrypt the data at the table level so that the specific column cannot be viewed by others and also encrypting the column at the OS level.
  11i Version:
  Database: 10.2.0.5.0
  Apps: 11.5.10.2
  Thanks,

  Hi;
  1. Check what Shree has been posted
  2. If those note are not help you can try to use Scrambling- Data masking,see
  Re: How to prevent DBA from Seeing salary data
  3. If even its not help than rise SR ;)
  PS:Please dont forget to change thread status to answered if it possible when u belive your thread has been answered, it pretend to lose time of other forums user while they are searching open question which is not answered,thanks for understanding
  Regard
  Helios