Skip to Content
avatar image
Former Member

SAP Short Dumps and PCI Compliance

We've run into an issue with our PCI Compliance audit around being able to see unencrypted credit cards in short dump messages in SAP. Has anyone run into this issue?

Only work around I've got at this point is to restrict all access to short dumps and require many documented signoffs before turning on and off access to a short dump. This is pretty cumbersome, and still leaves a hole in my overall security.

We've managed to purge restricted CC data from our XI logging, and done everything right with encryption, but this short dump issue just doesn't seem to have a solution.

Can anyone help? We're on 6.0.


Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    Sep 09, 2008 at 04:30 PM

    Hi David,

    This is an interesting situation you have described. ABAP short-dumps or run-time errors as they are also known as, are unhandled exceptions during program execution. The conditions that cause such exceptions is unknown or cannot be handled at run-time. To help analyze what went wrong with the said program during execution, it is necessary for the dump to contain all possible information including data values passed between programs when the error occurs. Encryption of restricted data values is a program step in itself. If the dump were to occur after this step then of course it would contain encrypted CC info. Unfortunately in your case it exposes restricted CC info because the dump occurs BEFORE this step.

    I don't believe there is a way to prevent this from happening -- for the same reason that the program logic does not know at run-time how to "handle" the exception. If occurrences of such dumps is fairly common in your system, you may want to investigate the likely causes -- for example, missing or incorrect customization. Analyzing the short dumps will probably give you a clue. Your customization team may be able to identify a pre-condition that causes this unhandled exception. If this exception can then be handled (via a program change) that returns a meaningful error instead of a short dump you would be able to close the security hole. This however entails modification to SAP standard code. I don't usually recommend such changes, but given the sensitive nature of your data it may be worth consideration.

    I personally advocate restricted access to ST22. The steps you have undertaken to enforce this may be cumbersome despite efforts to keep it simple. I suppose that's the price we pay in administering the system. If you have not already done so, you may also want to ensure that short-dumps that contain restricted CC info are not saved (using the "Keep" feature in ST22) for easy retrieval at a later point in time or they are saved, it be available only to 'restricted eyes'. Short-dumps are normally saved in the system for 7 or 14 days (not sure of exact # of days). The bigger challenge in my opinion is: How do you prevent the restricted info from being viewed by the user who during the course of program/transaction execution encounters the said short dump? No amount of security controls around ST22 will mitigate this risk. The only option that remains is program change (as mentioned above). But to get there you first need to know what causes the exception. 😊



    Add comment
    10|10000 characters needed characters exceeded