Security Guide
Fraud Watch
Document Version: 1.0
2017-06-05
Document History

Version  Date        Change
1.0      2017-06-05  First release of the Security Guide for Data Protection and Privacy.

2017 SAP AG or an SAP affiliate company. All rights reserved.
Table of Contents

1 Introduction
2 Before You Start
3 Data Protection and Privacy
3.1 Deletion of Personal Data
3.2 Reports
1 Introduction

Data protection is associated with numerous legal requirements and privacy concerns. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy in Fraud Watch.

Caution
This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience
- Technology consultants
- Security consultants
- System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to Fraud Watch. To assist you in securing Fraud Watch, we provide this Security Guide.

About this Document
The Security Guide provides an overview of the relevant data protection and privacy information that applies to Fraud Watch 3.5.
2 Before You Start

Important SAP Note
The SAP Note that applies to Fraud Watch is shown in the table below.

Title: Data Protection and Privacy for Fraud Watch
SAP Note: 2461960
Comment: Compliance with:
- SEC-256 Deletion: SAP software shall support erasure of personal data.
- SEC-254 Read Access Logging: SAP software shall be able to log read access to sensitive personal data.
- SEC-255: SAP software shall provide a report or display function which can be used to inform the data subjects about the personal data stored about them.
- SEC-265: SAP software shall be able to log changes to personal data.
3 Data Protection and Privacy

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note
In the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Glossary
Personal data: Particulars about personal or material circumstances of an identified or identifiable natural person (data subject).
Business purpose: A legal, contractual, or otherwise justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking: A method of restricting access to data for which the primary business purpose has ended.
Deletion: Deletion of personal data so that the data is no longer usable.

3.1 Deletion of Personal Data

Use
The purge private data process deletes from the database all data related to personal information, by a cutoff date. The personal information is deleted from the following tables in the client database:

Tables in the client database
- tbl_tempordercustomer
- tbl_tempordertenderinfo
- tbl_summultcredcard
- tbl_summultcredcardmonth
- tbl_summultcredcardweek
- tbl_summultcustcardmonth
- tbl_summultcustcardweek
- tcredcardsumexc???
- tcustsumexc???
- tordercustomer??
- tordertenderinfo??
- tbl_cardnum
- tbl_customerinfo

Note
1. All temporary tables are purged regardless of the date on which the record was inserted. Do not run this function during data load.
2. For any given period, the purge private data function should be used after the regular purge.
3. The weekly and monthly summaries will be purged up to the previous week or month of the cut-off date.

3.2 Reports

View Private Data Access
The View Private Data Access report lists all accesses to the private data in a specific period. The following actions are monitored:

Action Description                          Page URL
Users/Roles Administration                  admin/display_user.asp
Change Email                                change_email.asp
Change Password                             change_password.asp
Password Functionality                      admin/list_ds02.asp
Delete Alerts from Other Users              deleteothersalerts
Maintain Distribution List                  MaintainDistributionList
Unmask Card Number                          UnmaskCardNumber
Complex Query                               adhocquery.asp
Run Custom Query on Production Database     AdHocQueryProduction
User-Defined Data Sets                      maintainaqdataset.asp
Run Custom Query on Test Database           AdHocQueryTest
Query Builder                               maintainaqquery.asp
Native SQL                                  maintainaquserrule.asp
Personal Information Alert                  suspicious_info.asp
Report Wizard                               FWFraudWizard.asp
Control Panel Run Scheme                    FWRunScheme1.asp
Credit Card Alert                           suspicious_cc.asp
Transaction Detail                          rptorderdetail.asp
Customer Ranking Report                     rptcustrankingreport.asp
Credit Card Ranking Report                  rptcreditcardrankingreport.asp
Lookup Report                               rptlookup.asp?lookup=customer
Customer Fuzzy Search                       FuzzySearch.asp
Credit Card Number Usage                    checkcredcardnumusage.asp
Customer ID Usage                           checkcustomeridusage.asp
Personal Information Usage                  checkpersoninfousage.asp
Purge Private Data                          purgeprivatedata.asp
List Privacy Access                         checkprivate-access.asp

Credit Card Number Usage
The Credit Card Number Usage report lists, in various tables, all usage of a given credit card number. The results contain a list of the number of counts and the table names.

Customer ID Usage
The Customer ID Usage report lists, in various tables, all usage of a given customer ID. The results contain a list of the number of counts and the table names.

Personal Information Usage
The Personal Information Usage report lists, in various tables, all personal information usage based on the name, address, and phone number. The results contain a list of the number of counts and the table names.

Note
Due to how the Point-of-Sale system captures the information, there is no way to tell if the data in the database is actually about that individual.
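The View Private Data Access report above is defined by the page URLs it monitors. As an added illustration that is not part of the SAP guide or product, the following Python reproduces that idea over a constructed web-server access log, counting monitored actions per user within a period; the log format, user names and the /fraudwatch/ path prefix are assumptions.

```python
"""Summarise access to the privacy-relevant Fraud Watch pages from the View
Private Data Access table, using a constructed web-server access log.
Added illustration, not SAP code: log format, users and paths are assumed."""
import re
from collections import Counter
from datetime import datetime

# Subset of the Page URL -> Action mapping from the table above.
PRIVATE_PAGES = {
    "admin/display_user.asp": "Users/Roles Administration",
    "UnmaskCardNumber": "Unmask Card Number",
    "AdHocQueryProduction": "Run Custom Query on Production Database",
    "purgeprivatedata.asp": "Purge Private Data",
    "checkprivate-access.asp": "List Privacy Access",
}

# Constructed sample log, one request per line: "<UTC timestamp> <user> <path>".
SAMPLE_LOG = """\
2017-06-01T08:02:11Z alice /fraudwatch/admin/display_user.asp
2017-06-01T08:05:40Z alice /fraudwatch/UnmaskCardNumber?id=123
2017-06-02T09:10:00Z bob /fraudwatch/rpthome.asp
2017-06-02T09:12:30Z bob /fraudwatch/AdHocQueryProduction
2017-06-03T17:45:02Z carol /fraudwatch/purgeprivatedata.asp
2017-07-01T10:00:00Z alice /fraudwatch/UnmaskCardNumber?id=999
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def classify(path):
    """Map a request path to its monitored action, or None if not monitored."""
    path = path.split("?", 1)[0]  # ignore the query string
    for page, action in PRIVATE_PAGES.items():
        if path == page or path.endswith("/" + page):
            return action
    return None

def private_data_access(log_text, start, end):
    """Count monitored actions per (user, action) for requests in [start, end]."""
    lo, hi = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the report
        ts = datetime.strptime(m.group(1), TS_FMT)
        action = classify(m.group(3))
        if action and lo <= ts <= hi:
            counts[(m.group(2), action)] += 1
    return counts
```

Unmonitored pages (such as the constructed rpthome.asp) and requests outside the period are left out of the counts, matching the report's period scope.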
www.sap.com/contactsap

2017 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Material Number: NA