STEP 8, Consider Security In Your Payment Process

Unlike the other steps where you would gain less costs, less effort doing the same work, or at least gain some more information regarding your business or payment process, the investment in security will not give you anything. The investment is similar to an insurance, you will sleep better. In the best scenario you will not need your insurance and regarding security every process is going as expected, no one will be able to do a fraud.

Security is a wide area and does not specifically have anything to do with cash management, but it is so important that we will have a discussion of this area as well.

The security regarding the payment process is in focus here and we will group it into these areas:

1. The network security of your enterprise, the ability of changing the payment requests (files)
2. The approving process and the power of procuration
3. The transport of the payment requests to the bank
4. The signature and crypting of the requests (files)
5. The control function of the payments
6. The description of your payment process from a security point of view

A very common question when discussing security is: Is the setup secure? This is very hard to answer as most developers know that nothing is a hundred per cent secure. So the answer would be: No, it’s not secure or… Nevertheless it should be possible to talk about the fact that when you are changing or focusing on one of the groups, you are going to do your system more secure than it was before.

We are working with a scale of security, and it looks like:

Every time you are taking care of one of the groups we have decided to give one point. You can make your own scale and rules. The important thing here is that you are aware of the different actions you can take of moving your payment process to a more secure state.

One of the most common methods of doing payment process is that the user is able to export his payments to a file and upload that file to his bank.

This will in many cases not be a secure way of doing the payment process, as it will score 1 point for the approving process and the power of procuration which always is done in the web bank itself.

You can try to calculate how many points your business will score.

The state of the art in payment process is to establish a host2host connection with the bank. In this setup we will have following situation:

1. The network security will be out of scope as we are not using any files (1 point)
2. The approving process is handled by a double or single signature of payment request (1 point)
3. The transport of the payment request is typically sFTP, FTPs or VPN. (1 point)
4. The request would be as an EDIFACT document or XML with signature (1 point)
5. The control function is user driven, so maybe we will not have it (0 points)
6. The description of the payment process would normally be documented (1 point)

Normally when we are using a host2host connection with the bank, we are scoring 5 out of 6 points, which is pretty good.

Why does not everybody use a host2host (Enterprise) solution since it is very secure?

There are several reasons for that:

1. The software which can handle the right connection and handle the different documents from and to the bank is quite expensive
2. The costs and fees to the bank for opening the host2host connection to the customer are quite expensive
3. Even if you buy the software and get the access from the bank, many banks require a project where you need to test the different documents going in and out of your ERP-system. This project itself requires specific knowledge, can only be done by specialized consultants in this area, and is expensive as well. A normal project could very well take about a week per country, which you would execute your payments from
4. 4. Even if you could get through the three obstacles above, some banks only allow important customers to do host2host connections as these projects normally are time consuming for the back office personnel too

What can we do for small and middle size businesses who focus on the security in their payment processes?

There are solutions, which are beginning to work for this market. Some companies in the cash management area are establishing “hubs” the customers can connect to and get the advantage of the host2host solutions without huge expenses and without the need of an IT-project. The way they are working is:

The great advantage is that the connection to the bank is already established and you only need to establish the connection to the provider. This is much easier as the provider has developed a standardized interface between your ERP-system (if it is a standard ERP and a relative new version) and the HUB. Normally this connection is established as a HTTPS webservice connection. The second great advantage is that the interface between the ERP and the HUB is bank independent which means, when you have established this connection, you are able to use the same software and connection if you choose to switch bank or you need more banks to communicate with.

AMC-Banking as a Classic+ solution does support exactly this kind of solution.