How to encrypt credit cards and other information in SAP R/3 for PCI compliance
October 2008 by Ulf Mattsson, CTO, Protegrity Corporation
Some organizations are encrypting credit card information and other information in SAP R/3 tables by using third-party encryption solutions that are PCI compliant. My experience is that it is important to carefully pick the tables to encrypt. You should consider operational aspects, including performance and patching. With SAP Retail and SAP BW (PIPE), encryption can be added to the SAP Z tables, with decryption of credit card numbers in the file creation process in PIPE, decryption of the card numbers with the store key and encryption of them with the PIPE key, and encryption of a credit card number in the search module.
I suggest that you review some additional resources on best practices for data encryption: http://www.developersdex.com/gurus/articles/881.asp, http://www.seouc.com/Presentations/Best_Practices_Mattsson.pdf, http://hosteddocs.ittoolbox.com/UM070805.pdf, http://www.revealnet.com/newsletter-v6/1105_B.htm and http://database.ittoolbox.com/documents/peer-publishing/database-encryption-how-to-balance-security-with-performance-4503. Please also review http://www.db2mag.com/showArticle.jhtml?articleID=199203560 and http://db2mag.stikipad.com/main/show/ENCRYPTING+DATA+IN+DB2 for some additional information about database encryption solutions from different vendors.