EFT Security Features
In addition to Sage 300 security settings, EFT Processing includes numerous features that strengthen your payment processes.
Sage Security Considerations
- Limit access to information in Sage 300 by creating Security Groups with User Authorizations.
- Consider using Sage UI Profile Maintenance to customize what is visible on the Sage 300 screens.
- There is also standard Sage 300 security on EFT records to prevent some users from updating bank details. Refer to Adding Security.
Audit logging
Audit logging is enabled in EFT Processing out of the box.
Details of any changes to Vendor/Customer/Employee records are recorded in an audit log, including the Sage 300 user who made the change. There is also a detailed audit log of EFT Files created, including the account details in the file and whether any records were skipped.
Audit log inquiries and audit log reports should be reviewed periodically.
Approving changes of EFT Vendor/Customer/Employee details:
You can implement separation of duties when adding and updating EFT details using Sage 300 security groups and EFT Options. Changes to Vendor, Customer or Employee bank account details must be validated by a different staff member before they take effect.
To implement 2-step approval, refer to Approving changes of EFT Vendor/Customer/Employee details.
EFT Options
Some EFT Options relating to EFT Vendors, Customers and Employees enhance the security of the payment processes:
Bank account number encryption:
Account numbers are stored in encrypted form, and masked when displayed. By default, users only see the last 4 characters of the account number. This applies to Sage 300 data entry screens and reports.
Only users who have the Approve/View Unencrypted Vendor Bank Details security authorization can see the account numbers in full, unencrypted. The same applies to Customers and Employees.
Note: The Sage 300 ADMIN user can view unencrypted values.
Refer to EFT Options Screen Guide and Adding Security for details.
Password protect emailed Remittance Advices
EFT Processing includes the option to password-protect the PDF with remittance details that is attached to emails.
Refer to the following topics for additional details:
Using password to protect Remittance Advices for Vendors
Using password to protect Remittance Advices for Customers
Using password to protect Payroll Advices and other Payroll PDF for Employees
File security
File output destination
You need to use network security (permissions on the output folder) to protect the file that is created. In many cases, the user who has rights to create the EFT File in EFT Processing doesn't have access to upload and approve the file in the banking software.
Using SFTP
Many people create an FTP site to which the person creating EFT files has no access. Only the users who upload the file to the banking software have access to the FTP site.
You can configure the EFT Banks to send the EFT files using SFTP, with a password or a key file.
Refer to Setup SFTP Output Destination and the EFT Banks screen guide for details.
File format
EFT Processing supports file hashing using the MD5 algorithm as well as the SHA-256 algorithm (both are hash functions used for hash totals and integrity fields, not encryption).
Note: Support for SHA-256 algorithm is only available in the latest product updates of EFT Processing v2016 and above.
Many bank files contain control totals covering the number of rows, the total value of debits and the total value of credits, so it is hard (but not impossible) to change the file without it becoming invalid. Other bank formats also contain a hash total over the amounts, which is very hard to change manually without the file becoming invalid: if you edited the file by hand without knowing the formula, the bank would reject it.
More recently, some EFT file formats also include ‘security question & answer’ fields that require encryption at the time of file creation. They are also supported in EFT Processing.
This is something that should be discussed with your particular bank.
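The control-total and hash-total checks described above, as an added example that is not part of EFT Processing or any bank's real format: a constructed, hypothetical layout with DR/CR detail rows and a trailer carrying the record count, debit/credit totals and a SHA-256 hash total over the amounts, plus a validator that recomputes them from the detail rows and reports any mismatch.

```python
import hashlib
from decimal import Decimal

# Constructed, hypothetical layout (not any real bank's file format):
#   D,<vendor>,<bsb>,<account>,<DR|CR>,<amount>,<payee name>
#   T,<record count>,<total debits>,<total credits>,<sha256 hash total>
def amount_hash(details):
    """Hash total over direction and amount of every detail row, in file order."""
    h = hashlib.sha256()
    for drcr, amount in details:
        h.update(f"{drcr}{amount:.2f}\n".encode())
    return h.hexdigest()

def make_trailer(details):
    """Trailer record computed from the detail rows (count, debits, credits, hash)."""
    debits = sum((a for d, a in details if d == "DR"), Decimal("0"))
    credits = sum((a for d, a in details if d == "CR"), Decimal("0"))
    return f"T,{len(details)},{debits:.2f},{credits:.2f},{amount_hash(details)}"

def parse_eft_file(text):
    details, trailer = [], None
    for line in text.strip().splitlines():
        f = line.split(",")
        if f[0] == "D":
            details.append((f[4], Decimal(f[5])))
        elif f[0] == "T":
            trailer = f
    return details, trailer

def validate_eft_file(text):
    """Return the list of control-total failures; an empty list means the file is consistent."""
    details, trailer = parse_eft_file(text)
    if trailer is None:
        return ["missing trailer record"]
    expected = make_trailer(details).split(",")
    names = ("record count", "total debits", "total credits", "hash total")
    return [f"{name} mismatch: file says {got}, recomputed {want}"
            for name, got, want in zip(names, trailer[1:], expected[1:]) if got != want]

DETAIL_ROWS = [  # constructed sample rows
    "D,V0001,062000,12345678,DR,1050.00,Vendor One",
    "D,V0002,062000,87654321,DR,250.50,Vendor Two",
    "D,C0003,062000,11112222,CR,99.99,Customer Three",
]
SAMPLE_FILE = "\n".join(["H,2024-05-01,EXAMPLE CO"] + DETAIL_ROWS + [
    make_trailer([(r.split(",")[4], Decimal(r.split(",")[5])) for r in DETAIL_ROWS])])

if __name__ == "__main__":
    print(validate_eft_file(SAMPLE_FILE))                                # [] : untouched file passes
    print(validate_eft_file(SAMPLE_FILE.replace("1050.00", "1500.00")))  # debit total and hash mismatch
```

Editing a single amount trips both the debit total and the hash total, which is why a bank importing such a file rejects it rather than paying the altered value.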
Note: Bear in mind that the banking software which imports these files usually has security and authority levels which can be defined. Typically the cheque signatories would be given the "approval" level. So instead of reviewing the source documentation and signing cheques, as they would have done in the past, they review the source documentation and approve the EFT transfer. This ensures that only approved payments are made and that the banking system reflects what went through Sage 300 (Accpac).
Positive Pay:
EFT Processing supports Positive Pay files. Transitioning from paper cheques to secure electronic payments removes the opportunity for cheque fraud. Where payment by paper cheque is still required, EFT Processing can still help reduce the risk of cheque fraud by generating ‘Positive Pay’ files for participating banks. (The bank won’t honour presented cheques unless they match details on these files.)
A Positive Pay Format is a file format for cheque payments where the bank requires a file that contains the cheque number, cheque date, amount, and vendor name. EFT Processing supports a number of Positive Pay file formats for various banks.
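The bank-side matching that makes Positive Pay effective, as an added example that is not EFT Processing code or any real bank's format: a constructed, hypothetical issue file (issued and voided cheque records) is loaded into a register, and each presented cheque is honoured only when its number, amount and payee match an issued, unvoided, not-yet-paid record; anything else is returned as an exception for the account holder to review.

```python
from decimal import Decimal

# Constructed, hypothetical issue file (not any real bank's layout):
#   <I=issued|V=voided>,<cheque number>,<date>,<amount>,<payee>
ISSUE_FILE = """\
I,000123,2024-05-01,1250.00,VENDOR ONE PTY LTD
I,000124,2024-05-01,75.00,VENDOR TWO
V,000124,2024-05-02,75.00,VENDOR TWO
I,000125,2024-05-03,990.10,VENDOR THREE
"""

def load_issue_file(text):
    """Build the bank-side register: cheque number -> issued details and status flags."""
    register = {}
    for line in text.strip().splitlines():
        rec, number, _issued, amount, payee = line.split(",")
        entry = register.setdefault(number, {"amount": Decimal(amount), "payee": payee,
                                             "voided": False, "paid": False})
        if rec == "V":  # a void record marks an earlier issue as not payable
            entry["voided"] = True
    return register

def present_cheque(register, number, amount, payee):
    """Decide whether a presented cheque is honoured; records the payment on success."""
    entry = register.get(number.zfill(6))  # bank files zero-pad cheque numbers
    if entry is None:
        return "exception: cheque number not issued"
    if entry["voided"]:
        return "exception: cheque voided"
    if entry["paid"]:
        return "exception: duplicate presentment"
    if entry["amount"] != Decimal(amount):
        return f"exception: amount {amount} differs from issued {entry['amount']}"
    if entry["payee"].upper() != payee.strip().upper():
        return "exception: payee mismatch"
    entry["paid"] = True
    return "paid"

if __name__ == "__main__":
    reg = load_issue_file(ISSUE_FILE)
    print(present_cheque(reg, "123", "1250.00", "Vendor One Pty Ltd"))  # paid
    print(present_cheque(reg, "000125", "9990.10", "VENDOR THREE"))     # exception: amount ...
```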
Advanced options
You can also consider using Extender for more advanced encryption and approval options.
Refer to EFT & Other Orchid Modules