Background
One of Canada’s largest media organizations has evolved into a full service multimedia publishing across four major platforms: print, online, mobile and video. Handling high volumes of credit card transactions and credit card data is daily business; therefore PCI DSS compliance is a must for the organization.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process or transmit cardholder data. Introduced in 2004 by five major card companies (Visa, Master Card, American Express, Discover and JCB), the primary goal of the standard is to protect cardholder data and to reduce data theft and credit card fraud.
Failure to comply with the standard can result in substantial penalties, restrictions or even barring. Payment Card Industry Security Standards Council, for example, has established fines of up $500,000 per incident for security breaches at non-compliant organizations.
One of the major requirements regarding PCI DSS compliance is to develop and maintain secure systems and applications. After an initial assessment, the media corporation decided to bring all card data into their SAP systems and encrypt it. A lot of work went into moving credit card data from a multitude of less secure databases and files into SAP. Now that SAP was storing cardholder data, it needed to meet PCI DSS standards.
The organization has used SAP solutions since 2002. In order to adapt its SAP solutions to specific requirements of the North American market, they had to put a lot of ABAP custom development into its SAP systems, with most of the major developments done by external companies.
Challenge
Improve custom ABAP code to meet PCI DSS requirements and pass external audit on SAP systems
Solution
Onapsis scans all ABAP code for vulnerabilities or misconfigurations against PCI DSS requirements so developers know exactly what to fix. The media corporation can produce reports from Onapsis and share these with external auditors to prove their code meets compliance. The time and resources needed to make their code compliant and prove that compliance has been significantly reduced, allowing internal teams to focus on development and accelerate application delivery
- Fast reliable and automated identification of code issues
- Tight integration into SAP change management processes
- Accelerate application delivery
- Easily produce documentation and third-party audits
- Ensure PCI CSS compliance at code levels
Solution
With Onapsis code analysis, the organization was able to scan their ABAP code to see if it complied with PCI DSS. Onapsis testing is comprehensive and tightly integrated with SAP and can be customized to test code specifically against PCI DSS requirements. This way developers know exactly what to fix.
Using Onapsis also enabled the media corporation to easily produce reports and documentation that they could share with external auditors regarding the current state of their code, which significantly reduced the time and resources needed for the audit process. After a couple rounds of testing and fixing, the organization was able to use these reports to prove to auditors that their ABAP code was compliant with PCI DSS. By building Onapsis code analysis into their development process, they can now ensure these compliance baselines are implemented from the start and all new code will be compliant.
Results
- Ensure PCI DSS compliance at code level
- Fast, reliable and automated identification of security and compliance risks in SAP’s ABAP custom code
- Tight integration into SAP change and transport management processes with enforced ABAP code auditing (“ABAP Code Firewall”)
- Easily produce documentation for third party audits, freeing up development resources to focus on core competencies instead of audit preparation
- Accelerate application delivery by building compliance checks early in the development process and providing actionable remediation guidance
