Banking on secure test data: How DSM protects SAP financial landscapes

The banking and financial services sector is one of the most tightly regulated industries in the world. With consumer trust at the centre of every transaction, banks operate under intense scrutiny from regulators, shareholders and their own customers. Behind the scenes, SAP landscapes form the backbone of these operations, handling everything from core banking to payments to compliance reporting.

These landscapes are large, complex, and full of sensitive information, a combination presenting a unique challenge: how can financial institutions move quickly to innovate and modernise, while protecting sensitive data that is distributed across multiple systems?

As Andries Breedt, Senior Software Engineer at EPI-USE Labs, explains:

Why SAP testing is so critical (and risky) in the finance world

Banks are under pressure to innovate faster and more frequently. Digital-first challengers, Fintech competitors, and customer expectations for seamless mobile banking experiences mean new features and services must be rolled out regularly. At the same time, RISE with SAP and cloud-first strategies are pushing institutions to modernise infrastructure and make decisions about migration.

Every change, no matter how small, carries risks. In an industry where even a single decimal point error in an interest calculation can affect millions of customers, testing is not optional. SAP changes must be thoroughly validated in non-production environments before they ever touch Production.

This poses a dilemma. Banks need production-like data to ensure testing is accurate. Yet regulators demand that sensitive customer information (account numbers, credit histories, personal addresses) never leaves the secure confines of Production. Without the right approach, this is a catch-22 that can leave banks exposed.

A global regulatory minefield

Financial institutions operate across a patchwork of global data privacy laws, each with strict requirements about how data must be handled, masked, and secured.

For example:

• Europe’s GDPR imposes heavy fines for breaches and requires organisations to protect Personally Identifiable Information (PII) wherever it exists, even in test systems.
• South Africa’s POPIA places similar emphasis on protecting personal data, with penalties that can reach up to ZAR 10 million.
• Saudi Arabia’s Personal Data Protection Law (PDPL) has added another layer of complexity for financial institutions in the Middle East. It requires strict consent and data handling measures, making it clear that sensitive data cannot be exposed outside of Production.
• California’s CCPA grants consumers rights over how their personal information is used, extending to non-production systems if data is copied for testing.

For multinational banks, compliance needs to satisfy all of the privacy laws simultaneously. This complexity makes manual approaches to test data management unworkable.

How does DSM give financial institutions agility and security?

EPI-USE Labs’ Data Sync Manager™ (DSM) Suite is designed to give banks both agility and compliance, removing the trade-offs that often slow innovation.

• Client Sync, part of the DSM suite, enables financial institutions to copy only the data they need to create smaller, more agile non-production systems. Refreshes that once took days can now be done in hours, with disk space savings of up to 90%. Faster refreshes mean faster development and fewer issues making their way into Production.
• Data Secure, also part of the DSM suite, ensures that all sensitive information is scrambled during these refreshes, protecting PII – in line with global regulations. Even when Client Sync isn’t part of the strategy, Data Secure can mask data in place, ensuring that existing QA and test environments remain compliant.

“Client Sync makes short work of vast amounts of data, and it’s been proven in the SAP industry to date. Shorter refresh cycles enable shorter development cycles, and that in turn has proven to decrease the likelihood of issues in Production.”

But agility without security is dangerous. That’s why Data Secure is needed:

“While Client Sync does allow you to shorten the intervals between your refresh cycles, this is a bit of a double-edged sword since it means you can more frequently introduce potentially sensitive information into less tightly controlled QA environments. Data Secure integrates with Client Sync to ensure that all sensitive information is masked before it actually leaves Production.”

Together, these tools give banks confidence that they can accelerate innovation while protecting sensitive data and meeting global regulatory standards.

Example case study: Rabobank

The story of our client Rabobank shows what this balance looks like in practice. As one of the Netherlands’ largest cooperative banks, Rabobank faced strict mandates from the Dutch Banking Authority requiring all non-production data to be scrambled.

Initially, their approach relied on a 94-page Runbook of manual steps for SAP refreshes. This process was slow, cumbersome, and resource-intensive, leading to infrequent refreshes and gaps in testing quality.

By adopting Client Sync and Data Secure, Rabobank transformed their process:

• Runbook reduced from 94 pages to just 4
• 5TB of disk space saved
• 10 hours less downtime per refresh
• Consistent masking across ECC and SRM systems
• Regulatory compliance achieved with confidence

Jan Huizinga, Technical Consultant at Rabobank, summed up the difference:

“We wanted to be 100% confident that all sensitive data was masked. We needed a product that would remove the manual effort, allow us to schedule jobs and enable us to comply with regulations. That product proved to be Data Secure.”

The quandary: Safeguarding customer trust while staying agile

Regulation is only one part of the story. For banks, customer trust is their most valuable asset. A single breach of sensitive information, even in a non-production environment, can have consequences for reputation and customer loyalty.

At the same time, financial services can’t afford to stagnate. Whether it’s migrating to the cloud, enabling open banking, or adopting real-time payments, agility is the lifeblood of competitiveness.

This is where the dual value of DSM can achieve both of the above:

Building a secure foundation for financial innovation

The financial industry is at a crossroads. Transformation is unavoidable, whether through cloud adoption, Fintech disruption, or new regulatory pressures. But the foundation for this change must be secure, compliant, and efficient.

DSM provides that foundation, with its ability to:

• accelerate refresh cycles and development timelines
• reduce infrastructure costs and disk space requirements
• ensure compliance with global data privacy laws like GDPR, POPIA, CCPA and PDPL
• protect sensitive data in every environment
• safeguard trust while enabling innovation.

DSM enables banks to innovate with confidence. By reducing refresh cycles, protecting sensitive information, and ensuring compliance with global regulations, it helps financial institutions modernise their SAP landscapes without unnecessary risk. This is not only a technology advantage, but also a practical step toward maintaining efficiency, security, and trust in a highly regulated industry.