The Verizon 2014 PCI Compliance Report found that approximately 89% of organizations failed their 2013 baseline assessment. Managing PCI-DSS on regular systems, applications and devices has become much easier, since numerous tools and products on the market cover them. SAP applications, however, fall within the scope of PCI-DSS assessments because they store credit card data, yet they have minimal tool coverage, which makes compliance management very difficult.
Understanding how SAP systems store credit card data, and who can reach it, is therefore essential. Over 50 different tables are responsible for storing credit card data, in encrypted or plain text form, and that data can be reached by several paths, e.g. transaction reports, remote function calls or direct table access. There are even methods that yield plain text credit card data in full, even where these tables are encrypted. Since this critical information can be reached with little effort, reviewing who has access, and by which path, is of utmost importance.
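As an added example, not code from the original article, here is the kind of check a compliance reviewer can run over an exported table to find card numbers sitting in plain text rather than in encrypted form: candidate digit runs are Luhn-validated and only a masked form is reported. The rows are constructed sample data and the column names are placeholders, not real SAP table or field names.

```python
import re

# Constructed sample rows from a table export (placeholder columns, not SAP field names).
SAMPLE_ROWS = [
    {"CUSTOMER": "1000123", "CARD_NO": "4111111111111111", "EXPIRY": "1226"},     # plain-text PAN
    {"CUSTOMER": "1000124", "CARD_NO": "5500-0000-0000-0004", "EXPIRY": "0527"},  # PAN with separators
    {"CUSTOMER": "1000125", "CARD_NO": "8A3F9C2E1B7D", "EXPIRY": "0925"},         # opaque (encrypted) value
    {"CUSTOMER": "1000126", "CARD_NO": "4111111111111112", "EXPIRY": "1126"},     # 16 digits, fails Luhn
]

# A run of 13 to 19 digits, optionally separated by spaces or dashes.
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the finding itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_plaintext_pans(rows):
    """Scan every cell of every row; report (row index, column, masked PAN) for Luhn-valid numbers."""
    findings = []
    for idx, row in enumerate(rows):
        for column, value in row.items():
            for match in DIGIT_RUN.finditer(str(value)):
                digits = re.sub(r"\D", "", match.group())
                if 13 <= len(digits) <= 19 and luhn_valid(digits):
                    findings.append({"row": idx, "column": column, "masked": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_pans(SAMPLE_ROWS):
        print(f"row {f['row']}: column {f['column']} holds plain-text PAN {f['masked']}")
```

Because the regex and Luhn filter are applied to every column, the same scan also catches card numbers that were copied into free-text or comment fields of the exported table.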