Credit Card Encryption & System Copy

Hi All,
We have done a system copy from PRD back to QA (credit card encryption is activated on both servers). The customer would like to be able to read the PRD data including the credit card details, but of course the QA system can only decrypt its own data and not the PRD data. Is there a way of decrypting the PRD data that is already within QA and then re-encrypting it using the QA key?
I didn't set up the original encryption so I am learning about this as I go.
Thanks.

Natalie wrote:
> Well, I have advised this to my customer, but at the end of the day the customer owns the system and he wants to be able to see the Productive data in the QA system.
Well, the upper management of this customer is finally (legally) responsible to ensure that access to this sensitive data is controlled and restricted (no matter where it is stored - if the data is replicated then all storages need to be protected with the same strong mechanisms).
Usually access to non-productive systems is much easier (less restrictive). So, the customer is taking quite a huge risk that this sensitive data might be less protected than (legally) required.
Aside from legal consequences, the loss of trust / reputation might impose an even higher (business) risk. I would consider twice ... (but I'm not the CEO nor the CIO of that customer) ...
PS: for your own protection I'd strongly recommend that you inform the customer of those risks (in written form) and let him sign off that you've warned him ... (otherwise you might be held liable as well - if being engaged as adviser / consultant).

Similar Messages

  • Credit Card Encryption through RFC calls to third party software

    Dear All,
       I am working on credit card encryption in CRM. At our firm, we have SAP R/3, which is integrated with a third-party server for performing credit card encryption using RFC calls. We want to do a similar thing in SAP CRM. I was looking into the SAP standard mechanism to perform encryption, and it seems they use class CL_PCA_SECURITY -> External Encryption to encrypt the credit card. Are there any BADIs available for me to change the behaviour of this call and call our listeners (for the third-party server) instead of what standard SAP is calling? Here is what is in the code:
    " call C function 'SSFENVELOPE'
      CALL 'SSF_ABAP_SERVICE'                                 "#EC CI_CCALL
           ID 'OPCODE'             FIELD   SSF_OPCODES-ENVELOPE
           ID 'SECTOOLKIT'         FIELD   SSFTOOLKIT
           ID 'STRFORMAT'          FIELD   STR_FORMAT
           ID 'STRFORMATL'         FIELD   STR_FORMAT_L
           ID 'BINENC'             FIELD   B_INENC
           ID 'IOSPEC'             FIELD   IO_SPEC
           ID 'OSTRINPUTDATAL'     FIELD   OSTR_INPUT_DATA_L
           ID 'STRPAB'             FIELD   STR_PAB
           ID 'STRPABL'            FIELD   STR_PAB_L
           ID 'STRPABPASSWORD'     FIELD   STR_PAB_PASSWORD
           ID 'STRPABPASSWORDL'    FIELD   STR_PAB_PASSWORD_L
           ID 'OSTRENVELOPEDDATAL' FIELD   OSTR_ENVELOPED_DATA_L
           ID 'CRC'                FIELD   CRC
           ID 'OSTRINPUTDATA'      FIELD   OSTR_INPUT_DATA-SYS
           ID 'RECIPIENTLIST'      FIELD   RCPTAB-SYS
           ID 'OSTRENVELOPEDDATA'  FIELD   OSTR_ENVELOPED_DATA-SYS
           ID 'STRSYMENCRALG'      FIELD   STR_SYM_ENCR_ALG
           ID 'STRSYMENCRALGL'     FIELD   STR_SYM_ENCR_ALG_L.

    Vivek,
    While it may be technically possible to accomplish what you are suggesting (leveraging the encryption functionality provided by your third-party server) I would recommend strongly that you consider a token-based solution instead.  You can learn more about tokenization on this [blog|/people/eric.bushman4/blog/2009/01/02/tokenization-as-a-means-of-securing-credit-card-numbers ].
    There are many reasons why a token-based solution is superior to using application specific encryption (as outlined in the blog), but specifically in the case you describe where an SAP CRM and SAP R/3 are involved there is one specific reason to consider:
    When order data is replicated between SAP CRM and SAP R/3 the systems will attempt to decrypt the credit card numbers prior to passing the data and therefore the RAW card number will be stored in the middleware logs.  This is especially true when using SAP's native credit card encryption logic in the CRM and R/3-ECC applications. 
    For example, let's say a user enters a credit card as the form of payment during Order Creation in CRM.  At Order Save the system will send the credit card information to your third-party server for an authorization attempt and the results will be returned to CRM.  As the Order is saved and committed to the CRM database the standard SAP encryption functionality can be leveraged to encrypt the card data.  Based on your middleware configuration, eventually the Order data (including the credit card details) will be sent to the R/3 or ECC system.  In order to do so the CRM system will first decrypt the card number meaning that the CRM middleware logs will contain RAW card numbers.  When the Order is created in R/3 or ECC the native credit card encryption functionality in R/3 or ECC could be used to encrypt the card number prior to the Order being stored in the database.
    Should you choose to use a third-party server you may find, depending on how the third-party vendor's logic works in SAP, that you must utilize a BADI to decrypt the card number in CRM so that the CRM middleware has a RAW card and so that when the Order is saved in the R/3 or ECC system it can be encrypted again with the third-party vendor solution.  In either case the RAW card number is present in all systems for some period of time and potentially stored in logs, thus exposing your systems to risk and greater PCI audit scrutiny.
    Eric Bushman
    VP, Solutions Engineering
    [Paymetric|https://www.paymetric.com]
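
The exposure described in the reply above (RAW card numbers landing in middleware logs) can be checked for from the defender's side. The following is an added example, not part of the original post or of any SAP or Paymetric code: it scans log lines for Luhn-valid card numbers and masks them. The log lines are constructed and do not follow a real SAP middleware log format; the first-six/last-four masking convention and all function names are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally grouped by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits (convention assumed here)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _luhn_digits(match):
    """Strip separators; return the digits only if they pass the Luhn check."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_ok(digits) else None


def find_pans(lines):
    """Return (line_number, masked_pan) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = _luhn_digits(m)
            if digits:
                hits.append((lineno, mask(digits)))
    return hits


def redact(line):
    """Rewrite a log line with every Luhn-valid PAN masked in place."""
    def repl(m):
        digits = _luhn_digits(m)
        return mask(digits) if digits else m.group()
    return PAN_RE.sub(repl, line)


# Constructed sample lines using well-known test card numbers.
SAMPLE_LOG = [
    "2009-01-02 10:15:01 BDOC SALESDOC order=0005001234 status=SENT",
    "2009-01-02 10:15:02 BDOC SALESDOC order=0005001234 CARD_NUMBER=4111111111111111",
    "2009-01-02 10:15:03 BDOC trace ref=1234567890123456 (16 digits, fails Luhn)",
    "2009-01-02 10:15:04 BDOC payload card: 5500-0055-5555-5559 exp 12/10",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact(line))
```

The Luhn filter keeps 16-digit order or trace identifiers from being reported as cards, which matters when the scan runs over high-volume middleware traces.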

  • Because of expire of credit card I updated billing information by providing data of new credit card but system just says "We're sorry, the billing information on file could not be used for this payment. Please update your information.". What exactly is wr

    Because of expire of credit card I updated billing information by providing data of new credit card but system just says "We're sorry, the billing information on file could not be used for this payment. Please update your information.". What exactly is wrong?

    Are you 100% sure that every detail of your information is the same in each place?
    Make sure that EVERY DETAIL is the same in every place you enter your information
    -right down to how you spell and punctuate the parts of your name and address
    Change/Verify Account https://forums.adobe.com/thread/1465499 may help
    -Credit card https://helpx.adobe.com/utilities/credit-card.html

  • HT5622 Pls Apple team, I want to register for an Apple ID on my iPhone 4; any number I enter from my credit card, the system tells me that it is wrong.

    Pls Apple team, I want to register for an Apple ID on my iPhone 4; any number I enter from my credit card, the system tells me that it is wrong.

    Thanks very much, Amishcake, your link was very helpful. I followed the steps, and when I got to the part where you enter card details on my iPhone, I discovered that the last two options after Amex, that is 4. Discover 5. None, are not part of the options I get on my iPhone, so I don't get to choose the None option. I am really worried.

  • Credit card encryption not working

    Hi CRM - Payment card experts,
    We have an issue wherein the CRM is interfaced with Paymetric for credit card processing. As per the design, the credit card encryption should work. But I see no encryption happening in the CRM order.
    Please suggest where the problem could be.
    Thanks.
    Regards,
    Phaniraj

    Hi,
    Can you please be more specific about your problem?
    Can you please let us know where exactly you are doing the card number encryption (BAPI/BADI/RFC/FM)?
    Please let us know if you are calling some third party for doing this encryption.
    If you are doing the encryption internally (not calling any external third party), then you can check by debugging whether your encryption code is getting called or not.
    If it's a third-party validation/encryption, then check the RFC connections.
    If you want to write the new logic for encryption, then write it in the same place where the card number validation (Luhn's formula credit card validation) code is written.
    Regards,
    Arshi
    Edited by: Arshi Arshi on Jun 15, 2009 9:38 AM
    Edited by: Arshi Arshi on Jun 15, 2009 9:42 AM

  • HT1918 When I try to purchase apps, the system requires me to verify my credit card account.  I've provided all the complete information of the credit card but the system always asks me to contact iTunes support to finish this transition, why ?

    When I try to purchase apps, the system requires me to verify my credit card account.  I've provided all the complete information of the credit card but the system always asks me to contact iTunes support to finish this transition, why ?

    Answered in your Other post on this Topic...
    https://discussions.apple.com/message/24053626#24053626

  • Credit card encryption-decryption

    We are going in for credit card encryption. Once a credit card is encrypted, can it be decrypted back again? Is there any transaction to do that?
    Jen

    Hi Jennifer
    The link will answer your question
    http://help.sap.com/saphelp_47x200/helpdata/en/68/de611988ac11d194be00a0c92946ae/frameset.htm
    Thanks
    G. Lakshmipathi

  • Credit card encryption in table BUT0CC & CCARD

    Hi,
    We are on SAP IS-UT release 604. We are capturing Customer credit card information at business partner level (FPP2). The credit card information is displayed as masked on the BP screens. However this is not stored as encrypted in underlying SAP tables BUT0CC and CCARD.
    Can you please let me know how it is possible to store encrypted card in these tables?
    Thanks
    Shadab

    Shadab,
    there are various notes available explaining how to encrypt data in SAP:  e.g. 662340, 842087, 836079, ...
    You might also check out the IMG activity SPRO -> Cross Application Components -> Payment Cards -> Basic Settings -> Maintain Payment Card Type -> "Encryption" (Flag)
    Cheers,
    Fritz

  • Credit Card Encryption Question

    Question from my customer (on EBS 11i):
    I have a question about the Visa VCF 4 Transaction Loader. We are working
    on automating this process and have installed a secured storage area to
    hold the file. It is my understanding that the bank is going to send us an
    encrypted file.
    Can the Visa VCF 4 Transaction Loader process a PGP encrypted file?
    Your help is appreciated - thanks!

    The answer is that you do not store the ciphertext in the card number field. You create a reference number which is 25 bytes long that substitutes for the card number, and is stored in the card number field. The reference number, in turn, is also stored in a custom table with the ciphertext. The reference number is a unique key to that table.
    You then create translation routines to encrypt/decrypt the ciphertext based on the reference number that you stored. These routines would be passed the card number field, which contains the reference number. The input parameter list for these routines is standard. The routines that do the encryption/decryption are configured to be called at the appropriate times.
    - Brendan
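
The reference-number scheme described in the answer above, sketched as an added example that is not part of the original post and not Oracle or SAP code: a 25-character reference replaces the card number, and a separate table maps it to ciphertext. `CardVault` and its methods are hypothetical names, the reference alphabet is an assumption, and the HMAC-SHA256 construction is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
import string

REF_LEN = 25  # reference number length given in the post
REF_ALPHABET = string.ascii_uppercase + string.digits  # assumed alphabet


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a vetted cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(enc_key, mac_key, ref, card_number):
    """Encrypt-then-MAC; the tag also covers the reference number."""
    nonce = secrets.token_bytes(16)
    data = card_number.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, ref.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, ref, blob):
    """Verify the tag first, then decrypt; refuse rows that fail the check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(mac_key, ref.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key, or row does not belong to this reference")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return plain.decode()


class CardVault:
    """Stands in for the custom table: reference number -> ciphertext."""

    def __init__(self, enc_key, mac_key):
        self._keys = (enc_key, mac_key)
        self.table = {}

    def to_reference(self, card_number):
        """Translation routine: store ciphertext, hand back the reference."""
        while True:
            ref = "".join(secrets.choice(REF_ALPHABET) for _ in range(REF_LEN))
            if ref not in self.table:  # the reference is the table's unique key
                break
        self.table[ref] = seal(*self._keys, ref, card_number)
        return ref

    def to_card_number(self, ref):
        """Translation routine: look up the reference and decrypt its row."""
        return unseal(*self._keys, ref, self.table[ref])


if __name__ == "__main__":
    vault = CardVault(secrets.token_bytes(32), secrets.token_bytes(32))
    ref = vault.to_reference("4111111111111111")  # well-known test number
    print(ref, vault.to_card_number(ref))
```

Because the tag covers the reference number, a row moved under a different reference, or a table copied to a system holding different keys, fails verification instead of decrypting to the wrong value.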

  • Credit Card Encryption - executing tcode SSFA

    Hi all,
    I have searched SDN and various other sites for information on what the correct sequence is to execute the tcode SSFA.  We have applied the OSS Note 66462 requirements (see below) but cannot figure out how to execute step 5 - can anyone please give any advice?
    To activate encryption, your system must meet the following requirements:
    1. For Release 4.6C, you must import Support Package SAPKH46C46 and
    2. Kernel 4.6D must have patch level 1329 (see Note 565111).
    3. For Release 470, you must import Support Package SAPKH47022.
    4. For Release ERP 500, you must import Support Package SAPKH50007.
    5. Download and install SAPCRYPTOLIB (see Note 662340). You must use the CCARD application when you use Transaction SSFA to set up encryption.
    For what it is worth - we are on 4.6C and AFS3.0B

    The Basis and Security people got this done

  • How to see masked Credit Card number in Sales Order !!

    Hi,
    In our SAP system credit card encryption is activated. Certain users want to see the credit card number in the sales order change/display screen. We are in SAP ECC 6.0.
    Please let me know how we can achieve this.
    Thanks
    Ambuj

    Dear Ambuj,
    There is no possibility to view the credit card number unmasked in the sales order. You will always get the masked number even if you have C4 authorisation ('C4' action for the V_VBAK_AAT authorisation object). You can view the unmasked credit card number in transaction XD02/XD03.
    If you use BAPISDORDER_GETDETAILEDLIST to view the order then the C4 authorisation will be checked and the unmasked number will be displayed (if the user has this authorisation).
    If you have access to OSS notes then please check 836079 (FAQ: Credit card encryption and master data) and 766703 (FAQ: Credit card encryption in R/3 systems).
    I hope this helps.
    Best regards,
    Ian Kehoe.

  • Accounting document while VF01 for credit card payments

    Hi Friends,
    While creating billing document for credit card payments, system creates accounting document as under. One FI document for all the below line items.
    Dr. Customer
    Cr. Revenue
    Cr. Customer
    Dr. Card receivable.
    Instead is it possible to generate two documents, like ...
    1. Dr. Customer Cr. Revenue
    2. Cr. Customer Dr. Card receivable. (document type is different, I want to take DZ)
    Pl let me know.
    Thanks in advance,
    Srini

    Hi,
    Have a look at the blog below; it is regarding e-payment, but you can refer to it for your approach.
    /people/aashish.sinha/blog/2011/02/24/e-payment-a-customized-solution-other-than-sap-integration-package-swift-150-part-1
    Regards
    Aashish Sinha

  • Credit Card Payment at time of SO creation - Basic questions

    Most of our customers pay by credit card at the time of Sales order creation. (80% of times)
    Now sometimes they pickup the order at the same time and sometimes we follow the normal delivery process and ship material to them.
    Now we are not sure what document type or process flow will fit this process.
    Should we be using two different document types/ process to meet this requirement.
    Thought of using standard order type but then as they have already paid at the time of order creation we don't want to send Invoice at Billing stage
    Shall we use Rush order or cash order for our requirement. (But they don't pick up material all the time, sometimes we ship)
    Also if we maintain credit card information at Customer Master level, will it flow down to sales order and Billing process.
    Thanks in advance.

    Jeet,
    I have worked with over 350 SAP customers over the last 14 years who have implemented the SAP Payment Card Processing business logic.  The majority of them use an integrated solution so that SAP submits the Authorization requests through SAP's Cross Application Payment Card Interface (CA-PCI) during Sales Order Save.  Some of them use external devices\applications to perform the Authorizations outside of SAP and simply use the SAP business logic to record those transactions.
    I would recommend you consider continuing to use the SAP Payment Card Processing business logic with your external Authorization process so that you can take advantage of the GL posting automation that SAP performs when an Invoice is posted to Accounting.  Namely that SAP will CREDIT the Customer AR account and DEBIT the Credit Card Receivable account for the card type used.  This is of great benefit to the Merchant because it eliminates the need for someone to MANUALLY post the payments to clear the open items on the Customer AR account once the Settlement deposit is received.
    Another advantage is that, when researching customer orders in SAP, you'll be able to see the card details that were used for payment.  Just be certain to activate SAP's credit card encryption logic or use a third-party Tokenization solution to secure the data.
    Eric Bushman
    [www.paymetric.com|http://www.paymetric.com]

  • HT2534 Are we no longer able to create accounts without a credit card?

    I saw the instruction of how to create an account without a credit card on the support website, but I can't create my account; it doesn't matter whether I use my laptop or my iPad.
    Why? why??
    Every time I choose "none" as an option for credit card, the system tells me to seek assistance on this support website.
    I watched a video on how to make a no credit card account online, the system didn't stop him, so I wonder if we have to choose a credit card when creating an account now. I have a point card but I can't use it now because of my account.....

    Those instructions do still work, I used them yesterday in response to another thread and was able to download a free app with it. Are you currently in the country where that account is based ? You need to be in a country to be able to use its store.
    If you are getting a message to contact iTunes Support then you can do so via this link and ask them for help (we are fellow users, we won't know why the message is appearing) : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then Purchases, Billing & Redemption

  • I Have Problems With Confirming my Credit Card! HELP

    Hello... I Have Some Problem To Verify/Confirm My Credit Card. I Have 4 Digits Code from my bank. This is The Reason when I click Continue! What to do The Credit Card Verification System used by PayPal is currently unavailable. Please try to add your credit card at a later time. We apologize for this inconvenience. Can Anyone Help ME!

    Hi there,
    You may find the article below helpful
    Apple ID: Changing your Apple ID password
    http://support.apple.com/kb/HT5624
    -Griff W.
