05-25-2006 4:20 PM
For obvious security reasons, we would like to simply erase credit card numbers in the SAP and CRM databases after one year, even if the documents that reference them were not archived (Sales Orders for example).
Does SAP have a "standard" solution for that? Will using brute force and simply erasing the contents of the CCNUM fields in various tables work? Has anybody done something like that in their system?
Ron Herrmann
05-25-2006 4:25 PM
05-25-2006 4:49 PM
I don't think there is any such solution. If there are pending transactions associated with a credit card, then you cannot simply wipe them out. If security is the concern, then there are various credit card applications in the market that encrypt the numbers and store them. There are some SAP-certified packages as well. Maybe buying one such solution is more viable than using 'brute' force to wipe them out.
05-26-2006 1:18 PM
We encrypt credit card information in both R/3 and CRM.
But our Legal department has a good point that even if the Credit Card number is encrypted, it's still a security risk to keep a huge database of (encrypted) credit card numbers that we really do not need. Basically, probably a year after the sale is done, we really do not need to keep the credit card number on file.
Ron
07-23-2006 5:16 PM
Ron,
I am not sure if you have found any standard solution for this problem. We have faced a similar issue in a recent internal audit. What we came up with was a simple solution that may not be the most elegant but works just fine without compromising the integrity of the SAP system. You can replace all the real credit cards with dummy credit card numbers. Depending on the middleware product you are using, a small routine in ABAP needs to be written, which will decrypt the original cards, replace them with dummy cards that pass the Luhn check and re-encrypt them back. This retains the integrity of the SAP system and if you were to display the Sales order, it does not cause dumps. I hope this is helpful and should you need more details, please do not hesitate to reach me anytime at ryann@kaizencg.com.
Ryan
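The replacement step described in the post above, sketched as an added example (not code from any poster, and in Python rather than ABAP): it builds a dummy number of the same length that passes the Luhn check and is guaranteed to differ from the original. The function names and the `keep_prefix` parameter are hypothetical; decrypting and re-encrypting through the middleware is outside the example, and the sample number is a constructed test value.

```python
import secrets

def luhn_sum(digits: str, double_rightmost: bool) -> int:
    """Luhn digit sum, walking right to left and doubling every second digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 0) == double_rightmost:
            d = d * 2 - 9 if d > 4 else d * 2   # sum the digits of a doubled value
        total += d
    return total

def luhn_valid(pan: str) -> bool:
    """True if the full number (check digit included) passes the Luhn check."""
    return pan.isascii() and pan.isdigit() and luhn_sum(pan, False) % 10 == 0

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit Luhn-valid."""
    return str((10 - luhn_sum(body, True) % 10) % 10)

def dummy_pan(real_pan: str, keep_prefix: int = 6) -> str:
    """Return a random Luhn-valid dummy of the same length as real_pan.

    keep_prefix (hypothetical parameter) is how many leading digits to retain,
    on the assumption that card-type range checks look at them; pass 0 to
    retain nothing of the original number.
    """
    if not (real_pan.isascii() and real_pan.isdigit()) or len(real_pan) < keep_prefix + 2:
        raise ValueError("expected a decrypted card number as a plain digit string")
    fill = len(real_pan) - keep_prefix - 1       # digits between prefix and check digit
    while True:
        body = real_pan[:keep_prefix] + "".join(
            secrets.choice("0123456789") for _ in range(fill))
        candidate = body + luhn_check_digit(body)
        if candidate != real_pan:                # never hand back the real number
            return candidate

if __name__ == "__main__":
    sample = "4111111111111111"                  # constructed test value, not a live card
    print(sample, "->", dummy_pan(sample))
```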
01-27-2009 12:18 AM