Merchants using SAP for their electronic payment systems need to secure their networks and keep customer data safe – or it could cost them. SAP systems are complex, with numerous components and huge extensibility. They are also full of security holes that can show up in the most unassuming places.
"Average SAP systems have 16 vulnerabilities in custom code that can lead to a total compromise."
There are 1.97 million lines of custom ABAP code in a typical SAP setup, according to VirtualForge's Business Code Quality Benchmark 2016, and even though only 0.011 percent of those have critical security errors, that accounts for almost 2,200 additional security vulnerabilities in an SAP system.
Most distressingly, the VirtualForge report found that systems have, on average, 16 vulnerabilities in custom code that can lead to a total system compromise. Keeping a system's security patches up to date is a no-brainer, but security teams should also scrutinize the custom code in a SAP system.
Hackers break in through the front door
TechTarget contributor Christine Parizo identified a few of the common access points where vulnerabilities can be exploited to gain high-level access to an SAP system – SAP Enterprise Portal connects to the Internet, and SAProuter acts as an application network gateway. The source also identified remote function call connections as a weak link in the security chain.
Unsurprisingly, any technology that lives on a network will be the most convenient point to launch an attack, so it is not as though a SAP environment is the only tech stack vulnerable to cyberinstrusions. The usefulness of SAP systems trumps any incentive to abandon the platform. But because of its wide acceptance and extensibility, SAP technologies are big targets for hackers.
The best practices for securing an SAP system are similar to the tactics of any well-managed security environment, according to ComputerWeekly. Configuring SAP away from default settings and securing generic accounts, properly segregating duties to keep too much data from being accessible by a single user, and regular security reviews and updates are critical to keeping a system safe from intrusion.
PCI is mandatory
But when dealing with customer data, a secure SAP system is only one half of the puzzle: The other side is PCI Data Security Standard compliance. Staying compliant might seem burdensome and expensive, but the standard really does play a part in protecting merchants from data breaches.
The Verizon 2015 PCI Compliance report stated that no company that Verizon investigated had been fully PCI compliant at the time of a data breach, and less than 30 percent of businesses that were compliant in 2013 stayed compliant the next year.
The report recommended that in order to make achieving and maintaining compliance simple, businesses should reduce the scope of their systems that work with cardholder data, and the best way to do so is to isolate that data environment from other systems. Reducing PCI scope means that IT security teams can spend less on compliance and remove data breach liability.
Trust tokens to trim PCI territory
One of the best ways to reduce scope is to implement tokenization. Even if a data breach leads to the exfiltration of customer data, when in token form, that information is useless – there's no way to reverse-engineer cardholder data from one token, a token associated to an account number or even multiple token/account number combinations.
A secret that nobody knows is a secret that no one can find out. With tokenization, a merchant's database doesn't need to store sensitive information. By only working with tokens, the merchant doesn't have to navigate through a complex series of barriers to access customer data, and it doesn't have to worry if that data gets compromised.
Since tokens are formatted similarly to the data they represent, they require very little restructuring of existing payment systems to accept tokens. As the Verizon report noted, tokenization still allows for robust data management and detailed analytics, so a business doesn't have to compromise flexibility and performance for security and PCI compliance.
Keeping data secure is the cornerstone of PCI DSS, so it's incredibly important for merchants using SAP to implement tokenization to minimize the harm of attacks. A business can further reduce its compliance scope by outsourcing the token vault where customer data is stored. This shifts those compliance requirements to the tokenization provider, as PCI's tokenization guidelines pointed out.
However, outsourcing doesn't completely eliminate a merchant's need to implement PCI's standards, the guidelines said, and a merchant should understand its own role alongside the token provider in securing user data. That said, tokenization in concert with other security technologies such as point-to-point encryption can drastically reduce the resource investment of PCI compliance.
It's important for any SAP system to use good security controls, yet a secure SAP environment isn't enough to truly protect customer data. Only with PCI compliance and with strategies such as tokenization to reduce that scope can merchants really know that their customers' data is secure.