7 Security Questions You Need to Ask


The other day, a woman asked me for my social security number in the middle of a very public place. Granted, she needed it for a business transaction. But I didn’t feel comfortable blurting the information out around 20-some pairs of ears. These days, there’s no such thing as “too safe.”

The same caution applies to AP and AR. You can’t assume that your payments process and payments themselves are secure. Whether you use QuickBooks bill pay or another provider, you need to know that your company’s security is taken seriously.

So what are the key questions you need to ask?

1. Do you offer digital payments?

The right answer? Yes.

AR and AP solutions that offer digital payments—such as ACH transfers, EFTs, and credit card transactions—provide more security than paper checks. Checks are easy to steal, forge, or lose. Every time a paper check leaves your company, it exposes your business’ valuable banking account and routing numbers. That’s all the information someone needs to steal your money.

Digital payments, however, significantly limit your company’s risk through limited access and secured transmissions.

2. Does your AP and AR solution offer permissions-based access?

An employee needs to review an invoice or a contract—can they do that without having full access to banking accounts and the general ledger?

Permissions-based access enables different tiers of access based on what role each person should play within a process. Someone reviewing a bill for marketing should see the bill, contracts, and payment history. Someone in accounting will need full access to all information and banking, as well as the ability to authorize and send payments. Now, everyone can complete their roles efficiently with little risk.

3. How does your AP and AR solution protect my banking information?

It should limit access to your banking account. Permissions satisfy some of that function, but there are features above and beyond that contribute to security. First, the solution should never share your banking account information with vendors or customers in order to transfer payments. You and your customers can send payments, but at no point during that transfer should your banking information be exposed.

Want an extra level of security? Ask your provider what accounts payments are drawn from. For example, with, all electronic and check payments are made through your account. Your bank account and routing numbers are never exposed.

4. Does your AP and AR solution enforce automated workflows?

Some solutions focus primarily on digital payments. A person can log in (or use someone else’s login credentials), authorize and send a payment. Great, right?

Not quite.

Your business needs more than just the ability to send a vendor ACH or EFT. It also needs workflows that support standards such as the separation of duties. The person reviewing the bill shouldn’t be the same person who authorizes payment. There’s no oversight in that process, and it could result in fraudulent activities.

An automated workflow supports the separation of duties, plus it makes sure every bill is approved by the appropriate individuals. It’s simple to create and customize the workflows based on everything from vendor to dollar amount. The system will then take the bill to each person in the workflow and even send automated reminders should they take too long to complete their task.
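The permission tiers from question 2 and the separation of duties from question 4 can be expressed as checks in code. The sketch below is an added example, not any provider's implementation: the role names, permission names, dollar tiers, and function names are all hypothetical, and the one separation rule it enforces is that a bill's reviewer cannot also approve it.

```python
from dataclasses import dataclass, field

# Hypothetical role-to-permission map (constructed for illustration).
ROLE_PERMISSIONS = {
    "reviewer": {"view_bill", "review_bill"},
    "approver": {"view_bill", "approve_bill"},
    "accounting": {"view_bill", "review_bill", "approve_bill", "view_banking", "send_payment"},
}
# Hypothetical routing rule: (amount ceiling, approvals needed).
APPROVAL_TIERS = [(1_000, 1), (10_000, 2)]

class WorkflowError(Exception):
    """Raised when a step violates permissions or separation of duties."""

@dataclass
class Bill:
    vendor: str
    amount: float
    reviewed_by: str = ""
    approved_by: list = field(default_factory=list)

def approvals_required(amount):
    for ceiling, needed in APPROVAL_TIERS:
        if amount <= ceiling:
            return needed
    return 3  # assumed requirement for anything above the last tier

def _require(users, user, permission):
    if permission not in ROLE_PERMISSIONS.get(users.get(user), set()):
        raise WorkflowError(f"{user} lacks permission {permission}")

def review(users, bill, user):
    _require(users, user, "review_bill")
    bill.reviewed_by = user

def approve(users, bill, user):
    _require(users, user, "approve_bill")
    if not bill.reviewed_by:
        raise WorkflowError("bill has not been reviewed")
    # Separation of duties: the reviewer may not approve, and nobody approves twice.
    if user == bill.reviewed_by or user in bill.approved_by:
        raise WorkflowError(f"{user} already acted on this bill")
    bill.approved_by.append(user)

def pay(users, bill, user):
    _require(users, user, "send_payment")
    if len(bill.approved_by) < approvals_required(bill.amount):
        raise WorkflowError("not enough approvals for this amount")
    return f"paid {bill.vendor} {bill.amount:.2f}"
```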

5. Do you provide Positive Pay?

They should. In fact, they have to. This protection works at the bank level to ensure that altered checks are not paid.

6. What behind-the-scenes technological standards and security do you provide for my AR and AP?

We talked about the AP and AR security your company can lean on immediately. But what about ongoing security efforts and enhancements on the technology itself?

Your provider should:

  • Offer bank-level security for all transactions, including encryption and multi-factor authentication
  • Regularly complete SOC 1 (Type 2) and SOC 2 (Type 2) audits on security controls by a reputable third-party security audit firm
  • Use SSL encryption certificates issued by trusted certificate authorities
  • Ensure that all funds are FDIC insured

7. What industry organizations have endorsed your AP and AR solution?

Your solution should be endorsed and recommended by the American Institute of CPAs (AICPA) Service Organization. When you have an organization representing the most detail-oriented and risk-averse professionals around, you know the solution has been comprehensively vetted.

It’s time to feel confident about the security of digital payments.

August 7, 2017
Stephanie Aparicio
Director of Payment, Risk & Compliance Operations
Stephanie is the Director of Payment, Risk & Compliance Operations. She has 15 years of experience in the Fintech industry and over 7 years in Fraud Risk. When she's not fighting internet crime, Stephanie enjoys doing all things sports with her two boys.