Credit card encryption in table BUT0CC & CCARD

Similar Messages

• Credit card encryption not working

  Hi CRM - Payment card experts,
  We have a issue, where in the CRM is interfaced with Paymetric for credit card processing. As per the design, the credit card encryption should work. But, i see no encryption happening in the crm order.
  Please suggest, where could  be the problem.
  Thanks.
  Regards,
  Phaniraj

  Hi,
  Can you please be more specific with your problem.
  Can you please let us know where exaclty you are doing the card number encryption(BAPI/BADI/RFC/FM).
  Please let us know if you are calling some third party for doing this encryption.
  If you are doing the encryption internally(not calling any external third party) than you can check by debugging whether your encryption code is getting called or not,
  If its a third party validation/encryption than check for the rfc connections.
  If you want to write the new logic for encryption than write it in the same place where card number validation(Luhn's formula credit card validation) code is written.
  Regards,
  Arshi
  Edited by: Arshi Arshi on Jun 15, 2009 9:38 AM
  Edited by: Arshi Arshi on Jun 15, 2009 9:42 AM

• Credit Card Encryption & System Copy

  Hi All,
  We have done a system copy from PRD back to QA (credit card encryption is activated on both servers). The customer would like to be able to read the PRD data including the credit card details but of course the QA system can only de-crypt its own data and not the PRD data. Is there a way of de-crypting the PRD data that is already within QA and then re-encrypt using QA key?
  I didn't set up the original encryption so I am learning about this as I go.
  Thanks.

  >
  Natalie wrote:
  > Well, I have advised this to my customer, but at the end of the day the customer owns the system and he wants to be able to see the Productive data in the QA system.
  Well, the upper management of this customer is finally (legally) responsible to ensure that access to this sensitive data is controlled and restricted (no matter where it is stored - if the data is replicated then all storages need to be protected with the same strong mechanisms).
  Usually access to non-productive systems is much easier (less restrictive). So, the customer is taking quite a huge risk that this sensitive data might be less protected than (legally) required.
  Aside of legal consequences the loss of trust / reputation might impose an even higher (business) risk. I would consider twice ... (but I'm not the CEO nor the CIO of that customer) ...
  PS: for your own protection I'd strongly recommend that you inform the customer on those risks (in written form) and let him sign-off that you've warned him ... (otherwise you might be kept liable as well - if being engaged as adviser / consultant).

• Credit Card Encryption through RFC calls to third party software

  Dear All,
     I am working on credit card encryption in CRM. At our firm, we have SAP R/3 which is integrated with third party server for performing credit card encryption using RFC calls. We want to perform similar thing in SAP CRM. I was looking into SAP standard mechanism to perform encryption and it seems they use class CL_PCA_SECURITY -> External Encryption to encrypt credit card. Are there any BADIs available for me to change behaviour of this call and call our listeners (for third party server) instead of what standard SAP is calling. Here is what in the code:
  call C function 'SSFENVELOPE'
    CALL 'SSF_ABAP_SERVICE'                                 "#EC CI_CCALL
         ID 'OPCODE'             FIELD   SSF_OPCODES-ENVELOPE
         ID 'SECTOOLKIT'         FIELD   SSFTOOLKIT
         ID 'STRFORMAT'          FIELD   STR_FORMAT
         ID 'STRFORMATL'         FIELD   STR_FORMAT_L
         ID 'BINENC'             FIELD   B_INENC
         ID 'IOSPEC'             FIELD   IO_SPEC
         ID 'OSTRINPUTDATAL'     FIELD   OSTR_INPUT_DATA_L
         ID 'STRPAB'             FIELD   STR_PAB
         ID 'STRPABL'            FIELD   STR_PAB_L
         ID 'STRPABPASSWORD'     FIELD   STR_PAB_PASSWORD
         ID 'STRPABPASSWORDL'    FIELD   STR_PAB_PASSWORD_L
         ID 'OSTRENVELOPEDDATAL' FIELD   OSTR_ENVELOPED_DATA_L
         ID 'CRC'                FIELD   CRC
         ID 'OSTRINPUTDATA'      FIELD   OSTR_INPUT_DATA-SYS
         ID 'RECIPIENTLIST'      FIELD   RCPTAB-SYS
         ID 'OSTRENVELOPEDDATA'  FIELD   OSTR_ENVELOPED_DATA-SYS
         ID 'STRSYMENCRALG'      FIELD   STR_SYM_ENCR_ALG
         ID 'STRSYMENCRALGL'     FIELD   STR_SYM_ENCR_ALG_L.

  Vivek,
  While it may be technically possible to accomplish what you are suggesting (leveraging the encryption functionality provided by your third-party server) I would recommend strongly that you consider a token-based solution instead.  You can learn more about tokenization on this [blog|/people/eric.bushman4/blog/2009/01/02/tokenization-as-a-means-of-securing-credit-card-numbers ].
  There are many reasons why a token-based solution is superior to using application specific encryption (as outlined in the blog), but specifically in the case you describe where an SAP CRM and SAP R/3 are involved there is one specific reason to consider:
  When order data is replicated between SAP CRM and SAP R/3 the systems will attempt to decrypt the credit card numbers prior to passing the data and therefore the RAW card number will be stored in the middleware logs.  This is especially true when using SAP's native credit card encryption logic in the CRM and R/3-ECC applications. 
  For example, let's say a user enters a credit card as the form of payment during Order Creation in CRM.  At Order Save the system will send the credit card information to your third-party server for an authorization attempt and the results will be returned to CRM.  As the Order is saved and committed to the CRM database the standard SAP encryption functionality can be leveraged to encrypt the card data.  Based on your middleware configuration, eventually the Order data (including the credit card details) will be sent to the R/3 or ECC system.  In order to do so the CRM system will first decrypt the card number meaning that the CRM middleware logs will contain RAW card numbers.  When the Order is created in R/3 or ECC the native credit card encryption functionality in R/3 or ECC could be used to encrypt the card number prior to the Order being stored in the database.
  Should you choose to use a third-party server you may find, depending on how the third-party vendor's logic works in SAP, that you must utilize a BADI to decrypt the card number in CRM so that the CRM middleware has a RAW card and so that when the Orders is saved in the R/3 or ECC system it can be encrypted again with the third-party vendor solution.  In either case the RAW card number is present in all systems for some period of time and potentially stored in logs thus exposing your systems to risk and greater PCI audit scrutiny.
  Eric Bushman
  VP, Solutions Engineering
  [Paymetric|https://www.paymetric.com]

• Clearing Credit Card numbers from table FPLTC

  Hi Guys,
    Due to audit reasons we intend clearing all the Payment Card numbers for all the SD documents from the Payment Cards tab (VA03) from the doc header.
  1. Are there any side effects of it if delete the table 'FPLTC'  completely where all the Credit Card numbers are stored corresponding to the doc.
  2. Where can i find the link between the SD doc #'s corresponding Billing Plan and the credit card numbers. Credit Card #s  are corresponding to billing plan and we are having hard time finding the linking tables.
  Thanks a lot
  Amandeep

  Amandeep,
  The link between the order and the card number information in table FPLTC is through a field called the Payment Card Billing Plan Number.  In table VBAK it is field RPLNR.  In tables FPLA, FPLT and FPLTC it is field FPLNR.
  I would recommend that you not delete the FPLTC records, instead I would recommend that you consider simply updating hte FPLTC-CCNUM field with either a dummy value (EX: "DELETED") or a masked value (EX: Change 4444333322221111 to ************1111). 
  You can do this by writing a small ABAP program that will read the records in FPLTC (I'd recommend using function module BILLING_SCHEDULE_READ and then changing the CCNUM values and then updating the information with function module BILLING_SCHEDULE_SAVE.  Make sure to send field UPDKZ in XFPLT to 'U' to perform an update.
  Alternatively you could do a direct read from FPLTC, change CCNUM and do a direct UPDATE FPLTC command.
  Be aware that SAP discourages any direct table updates.
  The downside to all of this, of course, is that you'll never be able to find the card number again should you need it.  For that reason, I'd recommend that you only do this for records that are older than 6 months.  A customer has up to 6 months to dispute a credit card charge and you'll want to keep the card number for at least that period of time so you can locate the record.
  I'd also recommend you consider an alternate approach of encrypting the card numbers - either with SAP's encryption or a TOKENIZATION solution offered by a third-party.
  Regards,
  Eric Bushman
  VP, Solutions Engineering
  Paymetric

• Credit card encryption-decryption

  We are going in for credit card enryption.Once a credit card is encrypted,can it be decrypted back again?Is there any transaction to do that?
  Jen

  Hi Jennifer
  The link will answer your question
  http://help.sap.com/saphelp_47x200/helpdata/en/68/de611988ac11d194be00a0c92946ae/frameset.htm
  Thanks
  G. Lakshmipathi

• Credit Card Encryption Question

  Question from my customer (on EBS 11i):
  I have a question about the Visa VCF 4 Transaction Loader. We are working
  on automating this process and have installed a secured storage area to
  hold the file. It is my understanding that the bank is going to send us an
  encrypted file.
  Is the Visa VCF 4 Transaction Loader can process a PGP encrypted file?
  Your help is appreciated - thanks!

  The answer is that you do not store the ciphertext in the card number field. You create a reference number which is 25 bytes long that substitutes for the card number, and is stored in the card number field. The reference number, in turn, is also stored in a custom table with the ciphertext. The reference number is a unique key to that table.
  You then create translation routines to encrypt/decrypt the ciphertext based on the reference number that you stored. These routines would be passed the card number field, which contains the reference number. The input parameter list for these routines are standard. The routines that do the encryption/decryption are configured to be called at the appropriate times.
  - Brendan

• Credit Card Encryption - executing tcode SSFA

  Hi all,
  I have searched SDN and various other site for information on what the correct sequence is to execute the tcode SSFA.  We have applied the OSS Note 66462 requirements (see below) but cannot figure out how to execute step 5 - can anyone please give any advice?
  To activate encryption, your system must meet the following requirements:
  1. For Release 4.6C, you must import Support Package SAPKH46C46 and
  2. Kernel 4.6D must have patch level 1329 (see Note 565111).
  3. For Release 470, you must import Support Package SAPKH47022.
  4. For Release ERP 500, you must import Support Package SAPKH50007.
  5. Download and install SAPCRYPTOLIB (see Note 662340). You must use the CCARD application when you use Transaction SSFA to set up encryption.
  For what it is worth - we are on 4.6C and AFS3.0B

  The Basis and Security people got this done

• Credit Card Payment at time of SO creation - Basic questions

  Most of our customers pay by credit card at the time of Sales order creation. (80% of times)
  Now sometimes they pickup the order at the same time and sometimes we follow the normal delivery process and ship material to them.
  Now we are not sure what document type or process flow will fit this process.
  Should we be using two different document types/ process to meet this requirement.
  Thought of using standard order type but then as they have already paid at the time of order creation we Dont want to send Invoice at Billing stage
  Shall we use Rush order or cash order for our requirement. (But they dont pickup material all the time, sometime we ship)
  Also if we maintain credit card information at Customer Master level, will it flow down to sales order and Biiling process.
  Thanks in advance.

  Jeet,
  I have worked with over 350 SAP customers over the last 14 years who have implemented the SAP Payment Card Processing business logic.  The majority of them use an integrated solution so that SAP submits the Authorization requests through SAP's Cross Application Payment Card Interface (CA-PCI) during Sales Order Save.  Some of them use external devices\applications to perform the Authorizations outside of SAP and simply use the SAP business logic to record those transactions.
  I would recommend you consider continuing to use the SAP Payment Card Processing business logic with your external Authorization process so that you can take advantage of the GL posting automation that SAP performs when an Invoice is posted to Accounting.  Namely that SAP will CREDIT the Customer AR account and DEBIT the Credit Card Receivable account for the card type used.  This is of great benefit to the Merchant because it eliminates the need for someone to MANUALLY post the payments to clear the open items on the Customer AR account once the Settlement deposit is received.
  Another advantage is that, when researching customer orders in SAP, you'll be able to see the card details that were used for payment.  Just be certain to activate SAP's credit card encryption logic or use a third-party Tokenization solution to secure the data.
  Eric Bushman
  [www.paymetric.com|http://www.paymetric.com]

• How to see masked Credit Card number in Sales Order !!

  Hi,
  In our SAP system credit card enceryption is activated. Certain users want to see the credit card number in the sales order change/display screen.We are in SAP ECC 6.0.
  Please let me know how we can achieve this.
  Thanks
  Ambuj

  Dear Ambuj,
  There is no possibility to view the credit card number unmasked in the sales order. You will always get the masked number even if you have C4 authorisation ('C4' action for the V_VBAK_AAT authorisation object). You can view the unmasked credit card number in transaction XD02/XD03.
  If you use BAPISDORDER_GETDETAILEDLIST to view the order then the C4 authorisation will be checked and the unmasked number will be displayed (if the user has this authorisation).
  If you have access to OSS notes then please check 836079 (FAQ: Credit card encryption and master data) and 766703 (FAQ: Credit card encryption in R/3 systems).
  I hope this helps.
  Best regards,
  Ian Kehoe.

• How to get credit card number.

  Hi everybody,
  I'm trying to get a customer credit card number for use it on a form that is generated from a reversed document created when a credit card payment fails or if the card is declined.
  I found the credit card information on table VCNUM but how can I relate that information with the data that storages documents information like BKPF, BSEG, etc...
  If anyone can help me will be appreciated...

  Hi,
  Check this table VCNUM, this is Credit card master table. and CCNUM (Credit card number) is the field which you are looking for .
  Get the Card number from VCNUM and go to table <b>BSEGC</b> here you get all the info.
  Regards
  vijay

• Any API to upload Credit Card users, instead of entering them manually

  Hi,
  Is there an API to upload Credit Card users, instead of entering them manually in the Credit Cards window ?
  Thanks

  Based on my knowledge, only manual credit card entry window is available but transactions can be managed through credit card transaction interface table.
  if you will find.. please share on the thread
  thanks

• Is there any off the shelf credit card enryption/decrption tool available ?

  Since, Credit Card (CC) processing is very critical , my company is looking for options which are available in the market -ready to use !!!
  Is there any off the shelf credit card enryption/decrption tool available ?

  What is "credit card encryption/decryption"?
  1) Are you willing to encrypt and decrypt credit card numbers in a safe way, to store them in a database?
  - JCE and crypto
  2) Are you willing to communicate with the credit card companies to perform credit card transactions in a safe way?
  - Contact them; there are third-party companies that sell solutions for communicating with Visa, Mastercard etc; the credit card company can tell you what company they recommend
  3) Are you trying to validate the credit card numbers (no online processing needed, just validate the card numbers in Javascript)
  - search for Luhn's algorithm

• Encrypt Credit card data - table level

  Hi Team,
  We want to encrypt the credit card data, please let me know how to do this.
  We want to encrypt the data at the table level so that the specific column cannot be viewed by others and also encrypting the column at the OS level.
  11i Version:
  Database: 10.2.0.5.0
  Apps: 11.5.10.2
  Thanks,

  Hi;
  1. Check what Shree has been posted
  2. If those note are not help you can try to use Scrambling- Data masking,see
  Re: How to prevent DBA from Seeing salary data
  3. If even its not help than rise SR ;)
  PS:Please dont forget to change thread status to answered if it possible when u belive your thread has been answered, it pretend to lose time of other forums user while they are searching open question which is not answered,thanks for understanding
  Regard
  Helios

• Credit Card Number - Encryption

  Hello,
  I have a custom table (Z - table) which stores credit card related information. This table is getting updated from multiple programs. I would like to make the credit card number stored in encrypted form. Can any settings be done at table level which will ensure that credit card number is stored in encrypted form ?
  Thanks
  John

  hi,
  go thru this link..
  http://it.toolbox.com/wiki/index.php/How_to_encrypt_credit_cards_and_other_information_in_SAP_R/3_for_PCI_compliance_on_DB2_on_zOS_and_other_platforms
  hope this helps...