
Digital payment security questions you need to ask

The other day, a woman asked me for my social security number in the middle of a very public place. Granted, she needed it for a business transaction. But I didn’t feel comfortable blurting the information out around 20-some pairs of ears. These days, there’s no such thing as “too safe.”

The same caution applies to accounts payable (AP) and accounts receivable (AR). You can’t assume that your payments process and payments themselves are secure. Whether you use BILL or another provider, you need to know that your company’s cybersecurity is taken seriously.

So what are the key security questions you need to ask to understand if you have data protection in place around business transactions?

1. Do you offer digital payments?

The right answer? Yes.

AR and AP solutions that offer digital payments, such as ACH transfers, EFTs, and credit card transactions, provide more security than paper checks. Checks are easy to steal, forge, or lose. Every time a paper check leaves your company, it exposes your business's bank account and routing numbers. That's all the information someone needs to steal your money.

Digital payments, however, significantly limit your company's risk through limited access and secured transmissions. The Payment Card Industry Data Security Standard (PCI DSS), created by Visa, MasterCard, American Express, Discover, and JCB, is a set of requirements that ensures all companies handling credit card information have security measures in place to maintain a secure environment for online payments. BILL has multiple security measures in place that contribute to PCI DSS compliance, protecting against potential hackers and data breaches.

2. Does your AP and AR solution offer permissions-based access?

Whether the company is a small business, a mid-sized business, or a large corporation, an employee will need to review an invoice or a contract. Can they do that without having full access to bank accounts and the general ledger?

Permissions-based access enables different tiers of access based on what role each person should play within a process. Someone reviewing a bill for marketing should see the bill, contracts, and payment history. Someone in accounting will need full access to all information and banking, as well as the ability to authorize and send secure payments. Now, everyone can complete their roles efficiently with little risk.

3. How does your AP and AR solution protect my banking information?

It should limit access to your bank account. Permissions satisfy some of that function, but there are security features above and beyond that contribute to personal data protection. First, the solution should never share your bank account information with vendors or customers in order to transfer payments. You and your customers can send payments, but at no point during that transfer should your banking information be exposed.

Want an extra level of security? Ask your provider what accounts payments are drawn from. For example, with BILL, all electronic and check payments are made through your digital wallet. Your bank account and routing numbers are never exposed. Multi-Factor Authentication adds an additional layer of security to your BILL account by requiring not only a username and password to log in, but also an additional code sent to your mobile device, making it extremely difficult for hackers to break into your account and make any unauthorized, new payments.

4. Does your AP and AR solution enforce automated workflows?

Some payment solutions focus primarily on digital payments. A person can log in (or use someone else’s login credentials), authorize and send a payment. Great, right?

Not quite.

Your business needs more than just the ability to send a vendor ACH or EFT. It also needs workflows that support standards such as the separation of duties. The person reviewing the bill shouldn't be the same person who authorizes payment. There's no oversight in that process, and it could result in fraudulent activity.

An automated workflow supports the separation of duties, plus it makes sure every bill is approved by the appropriate individuals. It’s simple to create and customize the workflows based on everything from vendor to dollar amount. The system will then take the bill to each person in the workflow and even send automated reminders should they take too long to complete their task. These notifications help keep outstanding invoices top of mind.
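The permissions tiers from question 2 and the separation-of-duties workflow from question 4, as an added example that is not BILL's code. Role names, permissions, and the two-approver threshold are constructed for illustration.

```python
"""Added example: a minimal bill-approval workflow enforcing role-based
permissions and separation of duties (hypothetical roles and rules)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed permission tiers: a reviewer sees bills, contracts and history;
# only accounting sees banking details and can approve or pay.
PERMISSIONS = {
    "reviewer":   {"view_bill", "view_contract", "view_history"},
    "accountant": {"view_bill", "view_contract", "view_history",
                   "view_banking", "approve", "pay"},
}

@dataclass
class Bill:
    vendor: str
    amount: float
    reviewed_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)
    paid: bool = False

def check(user: str, role: str, action: str) -> None:
    """Deny any action not granted to the user's role."""
    if action not in PERMISSIONS.get(role, set()):
        raise PermissionError(f"{user} ({role}) may not {action}")

def review(bill: Bill, user: str, role: str) -> None:
    check(user, role, "view_bill")
    bill.reviewed_by = user

def required_approvals(bill: Bill) -> int:
    # Workflow rule keyed on dollar amount: large bills need two approvers.
    return 2 if bill.amount > 10_000 else 1

def approve(bill: Bill, user: str, role: str) -> None:
    check(user, role, "approve")
    if user == bill.reviewed_by:   # separation of duties
        raise PermissionError("reviewer cannot approve the same bill")
    if user in bill.approvals:     # one vote per approver
        raise PermissionError("duplicate approval")
    bill.approvals.append(user)

def pay(bill: Bill, user: str, role: str) -> Bill:
    check(user, role, "pay")
    if bill.reviewed_by is None or len(bill.approvals) < required_approvals(bill):
        raise PermissionError("bill has not completed its approval workflow")
    bill.paid = True
    return bill
```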

5. Do you provide positive pay?

You should. In fact, you have to. This protection works at the bank level to ensure that altered checks are not paid. Companies that accept checks and ACH transactions as payment methods should sign up for positive pay at their financial institution.

6. What behind-the-scenes technological standards and security do you provide for my AR and AP?

We talked about the AP and AR security your company can lean on immediately. But what about ongoing security efforts and enhancements on the technology itself?

Your provider should:

  • Ensure that data in transit is encrypted using industry-standard Transport Layer Security (TLS).
  • Regularly complete SOC 1 (Type 2) and SOC 2 (Type 2) Audits on security controls by a reputed third-party security audit firm.
  • Use TLS (SSL) certificates issued by trusted certificate authorities. This also improves the customer experience by reassuring visitors that your website is safe and secure.
  • Ensure that all funds are FDIC insured.

7. What industry organizations have endorsed your AP and AR solution?

Your solution should be endorsed and recommended by the American Institute of CPAs (AICPA) Service Organization. When you have an organization representing the most detail-oriented and risk-averse professionals around, you know the solution has been comprehensively vetted.

It’s time to feel confident about the security of digital payments.

The information provided on this page does not, and is not intended to, constitute legal or financial advice and is for general informational purposes only. The content is provided "as-is"; no representations are made that the content is error free.