RE: [sap-log-sd] Payment Card issue
Posted by ebushman (VP, Solutions Engineering) on Feb 28 at 10:52 PM
Robert,
For what it is worth, the 4 steps you propose below will result in the unencrypted card being exposed inside SAP for a short time. Given that, I would propose that you consider the following:
1) Get authorization only for the stock that is available on the web and not for complete order
2) Pass the order to SAP with the authorization details and an UNENCRYPTED card number
3) The card number will be encrypted in ECC (either in a BAPI "wrapper" or in the USEREXIT_SAVE_DOCUMENT_PREPARE if not using the standard SAP encryption or it will be encrypted by the standard SAP encryption during order save)
4) Then carry out the authorization normally as and when the delivery takes place
I'm certain that there is a concern about passing an unencrypted card from the Web to SAP, but this one change will be no different in terms of exposure to PCI DSS scope than what you've proposed.
That said, as for the "dummy authorization" I suggested - yes, I do mean a manual authorization. If your finance team has already settled the amount manually with the clearinghouse then there shouldn't be any problem entering a "dummy" manual authorization on the Sales Order (click on the Manual Authorization button and enter an amount and dummy authorization code) and then you'll be able to release the invoice to accounting.
As you state, there is NO link to the interface - it is simply a way that you can manually enter authorization details on a sales order such as in cases where the authorization was obtained over the phone. This will allow you to release the invoices to accounting to properly reflect the money you have already manually settled outside SAP. Just be certain to settle those transactions separately so they aren't sent to the clearinghouse as they may result in a double charge. The easiest way to do that is to disable the interface when you run the settlement job so that the communication fails.
Regards,
Eric Bushman | Vice President, Solutions Engineering
www.paymetric.com<http://www.paymetric.com/>
________________________________
From: Robert Singh via sap-log-sd [mailto:sap-log-sd@Groups.ITtoolbox.com]
Sent: Saturday, February 27, 2010 11:27 PM
To: Eric Bushman
Subject: RE: [sap-log-sd] Payment Card issue
Posted by Robert Singh
on Feb 28 at 12:50 AM
Thanks a tonne Eric, the info was very helpful.
We use the BAPI to create SO.
The card data is encrypted on the Web and comes in the same format to ECC.
When we run the program batch for authorization we get the message of invalid PAN, as ECC sends the data to the clearing house, and since the card data came in an encrypted format to ECC, which even ECC cannot decrypt, this functionality doesn't work.
We have recommended the change as below:
1) Get authorization only for the stock that is available on the web and not for complete order
2) Encrypt card data on web by 256-bit key and send to ECC
3) ECC to use the key and decrypt the card data and encrypt it again in ECC
4) Then carry out the authorization normally as and when the delivery takes place
For the stuck billing doc ... Dummy authorization ... do you mean manual authorization?
Anyways, finance has already settled the amount manually with the clearing house.
Can we use manual authorization and then release the amount to accounting?
I am not sure how manual authorization works. I suppose it does not have any link with the interface as the users are supposed to call the clearing company and then put manual authorizations. Now that we have got the money we can do the manual/dummy auth.
Please advise.
regards,
Robert
Please advise
Regards,
Robert.Singh
--- On Wed, 24/2/10, ebushman via sap-log-sd <sap-log-sd@Groups.ITtoolbox.com> wrote:
From: ebushman via sap-log-sd <sap-log-sd@Groups.ITtoolbox.com>
Subject: RE: [sap-log-sd] Payment Card issue
To: "Robert Singh" <robertsingh_2000@yahoo.com>
Date: Wednesday, 24 February, 2010, 12:18 PM
Posted by ebushman (VP, Solutions Engineering)
on Feb 24 at 12:17 PM
Robert,
A few questions:
* What encryption functionality is being used on the web?
* Is there a specific product name for the encryption solution or is this something that was home-built?
* What is the format of the "card number" that is being passed in to SAP?
* Is the order data passed into SAP via IDOCs or BAPIs? (BAPI_SALESORDER_CREATEFROMDAT2 perhaps?)
* Is the encrypted data stored outside of SAP or is it being stored in the SAP credit card number field?
I would look at trying to build an RFC call from SAP to this application during the Authorization and Settlement processes. Decrypt the card and then call the Authorization and Settlement functions.
As for releasing the stuck billing docs, sorry there isn't a better way that I'm aware of. The problem is that the check for authorization that is made in Function Module SD_CCARD_COPY_TO_INVOICE can't be overridden without a modification to the code. If there is NOT sufficient OPEN authorization on the Sales Order then SAP will block the Invoice from accounting. You could modify the SY-SUBRC code that is returned from the call to SD_CCARD_COPY_TO_INVOICE to 0 and that would let the Invoice post to Payment Terms, but I wouldn't recommend that. Instead I'll stick with my original recommendation to use a "dummy" authorization.
Eric W. Bushman
Vice President, Solutions Engineering
www.paymetric.com<http://www.paymetric.com/>
________________________________
From: Robert Singh via sap-log-sd [mailto:sap-log-sd@Groups.ITtoolbox.com]
Sent: Friday, February 19, 2010 12:56 AM
To: Eric Bushman
Subject: RE: [sap-log-sd] Payment Card issue
Posted by Robert Singh
on Feb 19 at 3:28 AM
Hello Eric,
You are right. The change that we have suggested is that SAP (through some means, not sure at this point of time) decrypt the credit card info obtained from the Web and encrypt it again within SAP without saving the sensitive credit card data and then do the authorizations from the ECC itself. We haven't got any answers to this as of now because this is a unique requirement and we are checking how this can be done in SAP.
I think I have got the right person as Paymetric deals with such issues. I would really appreciate if you could suggest / give your valuable inputs about how we can go about this new change which I mentioned above.
Also, aren't there any other possibilities to clear the stuck billing docs, because they are piling up every day. Even if we give manual authorization there can be issues during settlement.
Please advise me on the above 2 issues as I am totally clueless on these.
Thanks,
Robert
--- On Mon, 15/2/10, ebushman via sap-log-sd <sap-log-sd@Groups.ITtoolbox.com> wrote:
From: ebushman via sap-log-sd <sap-log-sd@Groups.ITtoolbox.com>
Subject: RE: [sap-log-sd] Payment Card issue
To: "Robert Singh" <robertsingh_2000@yahoo.com>
Date: Monday, 15 February, 2010, 9:55 AM
Posted by ebushman (VP, Solutions Engineering)
on Feb 15 at 9:54 AM
Robert,
One way that I know you can get around this issue is to go into the Payment Card Header screen on the Sales Order and enter a "dummy" manual authorization for the amount needed. This will at least let you post the invoice to accounting. You can then use transaction FBRC to reverse the invoice and place it back on the Customer AR Account as an Open Item if you wish. Or you can simply leave it as is.
NOTE: If your SAP system is integrated with a processor you'll want to settle that transaction (or that group of transactions) in a separate batch from other "real" transactions or you may have problems.
I want to ask my question to you again, "What application is encrypting the card on the web and can that application be used to decrypt the encrypted card prior to a new authorization call from SAP?" Is that what you're requesting a change to?
Eric W. Bushman
Vice President, Solutions Engineering
www.paymetric.com<http://www.paymetric.com>
________________________________
From: Robert Singh via sap-log-sd [mailto:sap-log-sd@Groups.ITtoolbox.com]
Sent: Saturday, February 13, 2010 11:37 PM
To: Eric Bushman
Subject: RE: [sap-log-sd] Payment Card issue
Posted by Robert Singh
on Feb 14 at 12:46 AM
Hello Eric,
Thanks for the response.
I have requested this process to go as a change as the process was itself not implemented properly. But the major issue is the billing documents which are not posted to accounting due to this issue. They need additional re-authorization which is not possible because the Order is fully authorised on web and then interfaced to ECC, hence we do not carry any additional authorizations in ECC.
Do you have any idea how I can post the documents to accounting without any additional authorization? Any way in which I can by-pass this check and post all the documents to accounting?
I appreciate all your help.
Regards,
Robert.
--- On Wed, 10/2/10, ebushman via sap-log-sd <sap-log-sd@Groups.ITtoolbox.com> wrote:
From: ebushman via sap-log-sd <sap-log-sd@Groups.ITtoolbox.com>
Subject: RE: [sap-log-sd] Payment Card issue
To: "Robert Singh" <robertsingh_2000@yahoo.com>
Date: Wednesday, 10 February, 2010, 12:02 PM
Posted by ebushman (VP, Solutions Engineering)
on Feb 10 at 12:15 PM
Robert,
What application is encrypting the card on the web and can that application be used to decrypt the encrypted card prior to a new authorization call from SAP?
Eric W. Bushman
Vice President, Solutions Engineering
www.paymetric.com<http://www.paymetric.com>
________________________________
From: Robert Singh via sap-log-sd [mailto:sap-log-sd@Groups.ITtoolbox.com]
Sent: Wednesday, February 10, 2010 10:10 AM
To: Eric Bushman
Subject: [sap-log-sd] Payment Card issue
Posted by Robert Singh
on Feb 10 at 11:25 AM
The scenario here is that we take orders on the web along with credit card, and its authorization is also done on the web itself, and we then interface all this data to SAP ECC. Since the credit card no is encrypted when it is interfaced to SAP ECC we cannot re-authorise the card in SAP. We authorise for the full amount of the SO on the web. The issue is when we create partial deliveries: the 1st delivery gets processed and the billing is also posted to accounting. The 2nd delivery --> billing has issues and does not post the billing to accounting because we had authorised the entire SO amount on the web and this authorization is consumed by the 1st delivery, so the 2nd delivery's billing will always have the issue of insufficient authorization. We cannot re-authorise the SO again because we have encrypted card info interfaced from the web which even SAP does not understand, so it cannot re-authorise. How can I correct this issue and post the billing documents to accounting?
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251