Function documentationSecurity for Payment Card Data

 

You can encrypt payment card numbers when they are saved to the database. All encrypted numbers are shown in masked format and can be accessed by authorized users only.

Prerequisites

  • You have implemented the SAP Cryptographic Library (SAPCryptolib) as described in SAP Notes 662340Information published on SAP site and 1014619Information published on SAP site.

    The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP systems. For a list of SAP Notes that provide further information on encryption, see SAP Note 1034482Information published on SAP site.

  • You have activated encryption in Customizing for Customer Relationship Management under Start of the navigation path Basic Functions Next navigation step Payment Cards Next navigation step Basic Settings Next navigation step Maintain Payment Card Type End of the navigation path.

    If encryption is active for a payment card type, but no external tool is connected, the payment card number is saved without being encrypted.

Features

  • Masking of card numbers

    The default masking format is 51000*********08. You can define a different format in Customizing for Customer Relationship Management under Start of the navigation path Basic Functions Next navigation step Payment Cards Next navigation step Basic Settings Next navigation step Make Security Settings for Payment Cards End of the navigation path.

  • Access to masked data

    To display the full credit card number in the business partner master data, in a business transaction, or in a billing document, the authorization object B_CCSEC must be assigned to a user.

  • Access log

    You can log user access to unmasked payment card data in order to track which user displayed which card number at which time. You activate the log in Customizing for Customer Relationship Management under Start of the navigation path Basic Funcitons Next navigation step Payment Cards Next navigation step Basic Settings Next navigation step Make Security Settings for Payment Cards End of the navigation path by selecting Logging of Unmasked Display.

    You use the report RCCSEC_LOG_SHOW or transaction CCSEC_LOG_SHOW to display the log. To display the access log, you require authorization for the activity 71 in the authorization object B_CCSEC.

    You can delete log records if they are at least one year old. You do this using report RCCSEC_LOG_DEL or transaction CCSEC_LOG_DEL. To use the deletion report, you require authorization for the object B_CCSEC with the activity 06.

  • Retroactive encryption

    You can encrypt payment card data in the database using the report PCA_MASS_CRYPTING or CRM_ORDER_PC_RETROGR_ENCRYPT.

    Note Note

    Retroactively encrypted card numbers are not masked.

    End of the note.

  • Archiving

    For more information about archiving, see SAP Library for SAP ERP Central Component in SAP Help Portal at http://help.sap.com/erpInformation published on SAP site. Search for “Archiving of Encrypted Payment Card Data”. Note that the rest of the SAP ERP documentation for payment card security is not relevant for SAP CRM.