The Verizon 2014 PCI Compliance Report revealed that approximately 89% of organizations failed their baseline assessment in 2013. Meeting the PCI DSS on regular systems, applications, and devices has become much easier, because numerous tools for them are available on the market. SAP applications are also within the scope of the PCI DSS, as they store credit card data. However, the support for them is insufficient, which significantly complicates compliance management.
Understanding how credit card data is stored and accessed in SAP systems is essential. Over 50 different tables store this data, either encrypted or in plain text. The data can be accessed with different methods, such as transaction reports, remote function calls, or direct table access. There are even methods that enable complete access to plain text credit card data even if the tables themselves are encrypted. Since critical data can be accessed without much effort, reviewing access details is of utmost importance.