How to prevent the logging of a single field in XI?

Former Member
0 Kudos

Hi Guys,

We have developed the interfaces for payment card services using the Enterprise services, and the major problem we are facing is to prevent the logging of the 3 digit security code in XI.

According to the payment card industry standards, you should not store it, and you should also not encrypt this 3 digit CVV code.

Is there any way we can prevent the logging of this single field in XI?

Is it possible to achieve this if we develop our own custom adapters? Do we have full control over the DB in the custom adapters?

Any help, suggestions or other alternatives would be really appreciated. I want to hear some solutions from the experts.

Thanks in advance,

Srini

Accepted Solutions (0)

Answers (1)

bhavesh_kantilal
Active Contributor
0 Kudos

Similar requirement on the same day.

Maybe this link helps; though not the answer, maybe a start.

Regards

Bhavesh

Former Member
0 Kudos

Hi Srinivas,

We also have the same issue.

Bhavesh has some useful inputs.

http://help.sap.com/saphelp_nw04/helpdata/en/a0/64f6413a15e23ee10000000a155106/content.htm

Please update the thread if you get some solution.

Because as per my knowledge credit card information should not be visible to anyone.

Thanks,

Beena.

Former Member
0 Kudos

Hi Bhavesh & Beena,

I was going through the link and I have updated the link provided by Beena.

This will be the major issue in the payment card industry. We have developed our own tool for encryption, which can be used for encrypting the sensitive credit card data before sending it to XI.

Thanks,

Srini

Former Member
0 Kudos

Hi Srinivas,

We are sending the data to a third party, so the third party needs to decrypt it before processing the information.

Currently they are not decrypting the data.

Thanks,

Beena.

Former Member
0 Kudos

Hi Beena,

They should have an encryption technology implemented so that they can decrypt the data.

Thanks,

Srini

Former Member
0 Kudos

Hi Beena,

I think you are aware of the PCI standards and rules. You should do something keeping these rules in mind, because if they audit and find something against the rules, the penalties will be huge.

Thanks,

Srini

Former Member
0 Kudos

Thanks Srini,

I am not aware of all the rules, but there was a requirement not to log the SSN, Credit Card No and CVV no anywhere in XI, and it should not be visible to anybody.

I think SSN and Credit card no can be encrypted but not CVV no.

Also, as you said, making all debugging off is not the solution, and XI stores this information in at least 4 to 5 places.

J2EE and Integration engine trace files, RFC trace files, HTTP trace files and it also says:

To avoid unauthorized tracing here, make sure that only a very restricted number of administrators have permission to use the J2EE Visual Administrator or to access the J2EE Engine's file system where the trace files are stored.

To avoid unauthorized tracing here, make sure that only a very restricted number of administrators have permission to use the J2EE Visual Administrator, access to the J2EE support page (ABAP role SAP_XI_ADMINISTRATOR_J2EE), access to the J2EE Engine file system, or access to transaction SM59 or SICF.

And this is not the solution; we will have to avoid any calls which send the CVV no through XI and think of some other means to send the data.

Thanks for your valuable inputs.

Beena.

Former Member
0 Kudos

Hi Beena,

You can encrypt the credit card no and SSN and that should not be a problem, but you should not store or encrypt the CVV no.

As I said, we have our own tools, which many customers are using with respect to RFCs, where you can encrypt and decrypt the card numbers while also not storing the values of the CVV.

The above scenario works fine with no issues and it is according to the PCI standards. If you use PI 7.1 and use adaptive controlling, the values are stored at a single place, i.e. you can achieve single persistence, and even this will not be our solution.

With single persistence, if there is an adapter module or custom adapter which takes the payload and prevents the storage of the value of a single field, then it would be our solution.

Thanks,

Srini

Edited by: Srinivas Reddy on Aug 20, 2008 7:42 PM

Edited by: Srinivas Reddy on Aug 20, 2008 7:57 PM
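
The field-level scrubbing described in the last post, as an added example that is not part of the thread and does not use SAP's adapter module API: plain Java (standard JAXP only) that blanks one element in an XML payload before a copy is handed to anything that logs or persists it. The element name `SecurityCode`, the namespace and the sample payload are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class CvvScrubber {
    // Hypothetical element name; use the field name from your own service interface.
    static final String SENSITIVE_ELEMENT = "SecurityCode";

    /** Returns a copy of the XML payload with the sensitive element's value removed. */
    static String scrub(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Reject DOCTYPE declarations so the scrubber itself is not an XXE vector.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        // Match on local name in any namespace so prefixed elements are caught too.
        NodeList hits = doc.getElementsByTagNameNS("*", SENSITIVE_ELEMENT);
        for (int i = 0; i < hits.getLength(); i++) {
            hits.item(i).setTextContent("");  // drop the value, keep the structure
        }

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload, not a real message.
        String payload = "<ns:Payment xmlns:ns=\"urn:example:payment\">"
                + "<ns:Amount>10.00</ns:Amount>"
                + "<ns:SecurityCode>123</ns:SecurityCode></ns:Payment>";
        String forLog = scrub(payload);
        if (forLog.contains("123")) throw new IllegalStateException("security code leaked");
        System.out.println(forLog);  // the only copy that may reach a log or message store
    }
}
```

This only protects copies that pass through `scrub`; the trace files and message stores listed in the thread are written by XI itself and are not affected by it.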