The Problem
Securing credit card data in business systems can be costly and complex, and it becomes more complex when multiple systems use the credit card information. While some systems like SAP allow you to encrypt the data, if procedures are not followed there can be glitches that expose it (see previous articles for examples). And very few systems (including SAP) have an elegant standard way to track who accessed the data over a period of time.
A security breach that exposes payment card information can be extremely expensive, as discussed before. And there is a very real possibility of people losing their jobs as a result of this negligence.
A Possible Solution
One solution I have seen is not to store credit card data at all or only store it temporarily. This is not ideal and can only work in certain industries. Even though the data is encrypted, all credit card data is purged from the system that is older than say 30 days. Not a great customer experience if the customer requests that you simply use the credit card they used on the last transaction. As your system is not designed for this, this is where credit card information suddenly gets written down and stored in desk drawers, simply to provide good customer service. That is just asking for trouble.
But what if we could use this idea of not storing the payment card data to achieve what we want?
A New Paymetric Solution
In August 2007, Paymetric announced a new product called XiSecure. XiSecure comes in 2 flavors: an Onsite Server or an On Demand SaaS solution.
Basically it is a tokenization server. It removes the credit card data from the business systems and replaces it with a 25-digit token.
A simple analogy could be a spreadsheet with 2 columns. In 1 column we have all the credit card numbers, and in the next column we have a 25-digit number or token. There is a 1:1 relationship between the credit card # and the token. While the token represents the credit card, if you only have the token, you cannot do anything with it.
This spreadsheet represents the database in XiSecure.
How does it work?
- It removes all credit card numbers stored in your business applications – such as SAP – and places them in a highly secure, centralized system that can be protected and monitored utilizing robust encryption technology.
- It replaces the stored credit card numbers in enterprise applications with encryption tokens. These are unique tokens that reference the credit card number.
- Should the business application experience a security breach, the token would have no value. This adds a new layer of protection against theft and misuse of credit card data.
- It provides key management and key rotation capabilities outside of enterprise applications (traditionally a pain).
- It provides comprehensive access logging.
- It provides comprehensive monitoring of decryption requests.
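As an added illustration (not Paymetric's code, and no claim about how XiSecure is built internally), here is a small Python model of the two-column vault described above: a strict 1:1 card-number-to-token mapping, random 25-digit tokens that carry no information about the card number, an access log of every request, and a monitoring view of decryption (detokenization) requests. Class and function names are hypothetical.

```python
import secrets
from datetime import datetime, timezone

# Constructed, hypothetical vault modelling the two-column "spreadsheet":
# one column of card numbers, one of 25-digit tokens, 1:1, fully logged.

def luhn_valid(pan: str) -> bool:
    # Luhn mod-10 check so malformed card numbers never enter the vault
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    def __init__(self):
        self._by_pan = {}       # PAN -> token; enforces the 1:1 mapping
        self._by_token = {}     # token -> PAN
        self.access_log = []    # (time, op, actor, token, allowed)

    def _log(self, op, actor, token, allowed):
        self.access_log.append((datetime.now(timezone.utc), op, actor, token, allowed))

    def tokenize(self, pan: str, actor: str) -> str:
        # Return the existing token for this PAN, or mint a new one
        if not luhn_valid(pan):
            self._log("tokenize", actor, None, False)
            raise ValueError("invalid card number")
        token = self._by_pan.get(pan)
        if token is None:
            # 25 random digits, not derived from the PAN: a leaked token is worthless
            token = f"{secrets.randbelow(10**25):025d}"
            self._by_pan[pan] = token
            self._by_token[token] = pan
        self._log("tokenize", actor, token, True)
        return token

    def detokenize(self, token: str, actor: str, allowed: set) -> str:
        # Release the PAN only to an authorised actor; log every attempt
        ok = actor in allowed and token in self._by_token
        self._log("detokenize", actor, token, ok)
        if not ok:
            raise PermissionError("detokenization denied or unknown token")
        return self._by_token[token]

    def decryption_requests(self):
        # Monitoring view: every detokenization attempt, allowed or denied
        return [e for e in self.access_log if e[1] == "detokenize"]
```

The business system keeps only the token; the denied attempt still lands in the log, which is what makes the "who asked for the card number" question answerable afterwards.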
Advantages
- This solution makes PCI compliance much easier, particularly if you use the XiSecure On Demand solution.
- As there is only a token in all your business systems, it is not necessary to encrypt the business data.
- If you use an on demand system (such as XiSecure On Demand), you can focus on your core business and allow a 3rd party to focus on what they do best: ensuring the security of your data.
Conclusion
Credit card tokenization can provide a simple solution to shield you from costly credit card data security breaches. I believe that the Paymetric XiSecure solution appears to be a viable solution that you should investigate in your business.
To be clear, I have not implemented the solution. However, I have worked with Paymetric’s XiPay solution and I was very impressed. As such, I suspect that this will be a robust and solid product as well.
Feel free to add Comments and Questions.
The SAPGuy has been implementing SAP in the trenches for the last 16 years. Feel free to contact me to discuss any challenging consulting needs.
The Big Problems
The biggest problem with processing payment cards (credit cards, debit cards & corporate buying cards) with SAP is the integration with the payment card gateway or the bank. If you plan to develop your own, it takes many months of development. Then the interface needs to be certified by the financial institution to meet certain standards (different for different banks). At the end of the day, you now have a custom interface that needs to be maintained each time there is a change in the requirements. The question you need to ask yourself is: What is my core business? Do I really want to be in software development?
The second issue is that SAP only provides a framework for payment card processing. While fairly comprehensive, there are some notable gaps. I will just mention one here. If an order is placed without a credit card and processed through to billing, there is no standard way in SAP to pay for the invoice by credit card after the fact.
The Solution
Find a third party company that specializes in payment card processing and integration into SAP. There are several of them, but the market leader (they have approximately 80% of the market) is Paymetric. The company has been in that space for over 10 years and has a few very sharp individuals at the helm. They offer 2 main products:
- XiPay – Payment Card Processing
- XiSecure – New Product that handles Payment Card Tokens (discussed in another article)
I will discuss XiPay in this article.
History of the XiPay Solution
XiPay has come a long way. I first saw it in 2002 and then it was just a collection of SAP programs designed to address the gaps within SAP. So they were attempting to address the second problem with the SAP functionality, namely, the functionality gaps. You still had to develop your own interface with the bank.
I next saw it in 2007 and it now offered a fairly comprehensive solution. It now also comprised a separate server that took care of the interfaces with a slew of different payment processors and banks. To activate an interface with your bank or payment card processor, you needed to add that bank's software "cartridge" and make a few configuration settings. A pretty elegant design. That solved the biggest problem described in the first paragraph.
In the latter part of 2007, the payment card industry introduced a set of new data security standards (discussed in a previous article) that had to be complied with if you wanted to process payments with credit cards. This PCI Compliance changed the face of the payment card industry much the same as SOX changed the face of businesses several years ago.
Fast forward to 2010. One of the results of PCI Compliance and the accompanying annual audit is that it now makes sense to process (and store) the payment card information off-site and off your systems. This saw the introduction of XiPay On Demand, a SaaS solution that replaces the on-site server solution.
What does it give you?
One big plus of the on demand solution, I think, is that it gets rid of the XiPay server that you need to maintain at your site (in practice, this was at least 2 servers, 1 for your development and QA environment and 1 for your production environment). It was fairly specialized and I found that, despite spending time with the Paymetric technical resource, our Basis person (who was good) still had to schedule time with Paymetric any time an installation or patch had to be applied. This created several delays in our implementation.
With the introduction of the on demand solution, instead of having to support about 1000 customers' server installations, Paymetric now only has to support one. And all the clients hook into this server.
With the XiPay On Demand solution, that technical maintenance aspect goes away, allowing you to focus on your core business again.
An additional benefit is that the PCI Compliance burden becomes smaller, as Paymetric is now responsible for maintaining PCI compliance on the way to the payment processor and bank.
If you also implement a payment card token system, such as XiSecure (discussed in an upcoming article), PCI Compliance becomes even less of an issue.
Conclusion
The Paymetric XiPay solution simplifies your payment card processing in your SAP implementation, and the on demand aspect provides some real advantages on an on-going basis.