6 Security Measures that Protect Your Business
Most companies have experienced at least one instance of check theft, in which a bad actor washed a legitimate check and cashed it. Cases of check theft dipped in the early 2010s as companies and banks shored up their security. But according to one report, 82% of companies experienced fraud in 2018, the highest number in a ten-year period. The fraud was a blend of old-school check fraud and new electronic payment security threats. This is because as companies adopt more processes for each payment type they utilize, another set of potential security threats also emerges.
Electronic payment fraud occurs most commonly when AP teams make changes to secure data, which in this case refers to data such as bank account information, remittance email addresses, and recipient names. Criminals hack into company emails and request to update legitimate vendor records with their own temporary bank account number.
Fraud is often under-discussed, but should be a top consideration as you think about integrating a payment solution. It's essential to know how potential payment automation solution providers (henceforth referred to as "provider") handle fraud cases, which can give you insight into how instances of fraud would be treated if your company became a victim.
Any company that you share sensitive data with should be protected by the highest industry security standard. The following list is a variety of compliance types and security procedures which potential providers may mention:
SSAE 16 and SOC compliance
SSAE 16 replaced SAS 70 as the definitive security guide in 2010. SSAE 16 compliance includes SOC auditing, which publicly tracks company compliance statuses. Three types of SOC auditing exist:
SOC 1: Heavily audits internal controls of a service organization. This report can be used by an entity to assess a service organization for relevant and effective controls. Typical entities include, but are not limited to, publicly traded companies subject to SOX reporting (see below).
SOC 2: Heavily audits data relating to the Trust Services Principles (TSPs) in information security: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 3: Lightly audits IT controls relating to TSPs. This audit's controls are more relaxed than SOC 1 and 2.
SOX compliance
Also known as Sarbox compliance (in reference to the Sarbanes-Oxley Act created in the early 2000s), SOX compliance is a set of government-mandated regulations to which publicly traded companies must adhere. These regulations offer transparency into companies' financial records, as well as those of their wholly-owned subsidiaries. It was enacted to protect shareholders from dishonest internal practices. If your provider is either a publicly traded company or the wholly-owned subsidiary of one, they are legally required to be SOX compliant.
PCI DSS compliance
PCI DSS compliance, or "PCI compliance" for short, audits companies associated with cardholder details, whether they store, transmit, or accept secure card data. This compliance ensures that companies have a secure protocol in place to limit fraudulent card payment instances. Please note, if a company is SSAE 16 compliant, they are also PCI DSS compliant, but the reverse is not always true.
Fraud coverage and assuming liability
Some providers are financially able to offer a guarantee on all payments through their insurance coverage. Sometimes their insurance plans can also benefit you in ways other than the guarantee; for example, you may be covered for forgery or other fraud instances. Before signing on with a provider, take a moment to ask them if you are also covered under their insurance plan, and for what instances.
Employee security training
Because fraud often occurs due to human error, staff security training is key to prevention. Ask your provider what sort of training their employees undergo, especially those who interface directly with your vendors. Many providers also have other protocols in place, such as using security questions to verify calls. Understand the measures your provider takes to protect your company's financial wellbeing.
Positive Pay and Positive Payee tracking
A necessary evil of the AP staff's day is reconciling cashed check payments against the issued payments in order to catch and prevent instances of fraud. Typically, banks will match client records against their own to determine if the account number, check number, and number of recently-cashed checks match up, a process known as Positive Pay. A related process, Positive Payee, tracks that same information along with the customer's (payee's) name, which creates another layer of security. Some banks don't offer Positive Payee tracking, which is a shame. In those cases, if a fraudster washed the name on a check but kept the other information the same, the fraud would be undetectable until the intended recipient claimed non-receipt. Some providers offer Positive Payee tracking as a service, so be sure to ask if yours does.
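To make the difference between the two matching schemes concrete, here is an added reconciliation example (not code from the article or from any provider it describes). It runs the same constructed set of issued and presented checks through a Positive Pay match (account, check number, amount, and duplicate presentment) and through a Positive Payee match (the same plus a normalized payee name). The account numbers, check numbers, and vendor names are constructed sample data; the `Check` type, `reconcile`, and `normalize_payee` are helpers written for this illustration.

```python
"""Positive Pay vs. Positive Payee reconciliation (added example, constructed data)."""
import re
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    account: str
    number: str
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Casefold, drop punctuation and collapse whitespace so that harmless
    formatting differences ('ACME Supplies, Inc.' vs 'Acme Supplies Inc')
    do not raise exceptions, while a washed name still fails to match."""
    return " ".join(re.sub(r"[^\w\s]", "", name).casefold().split())


def reconcile(issued, presented, match_payee):
    """Compare presented checks against the issued-check file.

    Returns (exceptions, cleared); each exception is (check, reason).
    match_payee=False is plain Positive Pay; True is Positive Payee.
    """
    issued_by_key = {(c.account, c.number): c for c in issued}
    seen = set()
    exceptions, cleared = [], []
    for p in presented:
        key = (p.account, p.number)
        orig = issued_by_key.get(key)
        if orig is None:
            exceptions.append((p, "not issued"))
        elif key in seen:  # same check number presented twice
            exceptions.append((p, "duplicate presentment"))
        elif orig.amount != p.amount:
            exceptions.append((p, "amount mismatch"))
        elif match_payee and normalize_payee(orig.payee) != normalize_payee(p.payee):
            exceptions.append((p, "payee mismatch"))
        else:
            cleared.append(p)
        seen.add(key)
    return exceptions, cleared


def positive_pay(issued, presented):
    return reconcile(issued, presented, match_payee=False)


def positive_payee(issued, presented):
    return reconcile(issued, presented, match_payee=True)


def exception_summary(exceptions):
    """Flatten exceptions to (check number, reason) pairs for reporting."""
    return [(c.number, reason) for c, reason in exceptions]


# Constructed sample data: what AP issued this cycle.
ISSUED = [
    Check("001234567", "1001", Decimal("1250.00"), "Acme Supplies Inc"),
    Check("001234567", "1002", Decimal("980.50"), "Northwind Traders"),
    Check("001234567", "1003", Decimal("4300.00"), "Globex Corporation"),
]

# Constructed sample data: what the bank reports as presented for payment.
# 1001 is legitimate (payee formatting differs only cosmetically),
# 1002 has had its payee name washed, 1004 was never issued,
# and 1001 is presented a second time.
PRESENTED = [
    Check("001234567", "1001", Decimal("1250.00"), "ACME Supplies, Inc."),
    Check("001234567", "1002", Decimal("980.50"), "J. Doe"),
    Check("001234567", "1004", Decimal("500.00"), "Unknown Vendor"),
    Check("001234567", "1001", Decimal("1250.00"), "ACME Supplies, Inc."),
]

if __name__ == "__main__":
    for label, fn in (("Positive Pay", positive_pay), ("Positive Payee", positive_payee)):
        exc, ok = fn(ISSUED, PRESENTED)
        print(f"{label}: cleared {[c.number for c in ok]}, exceptions {exception_summary(exc)}")
```

Under Positive Pay the washed check 1002 clears, because the account, number and amount are all unchanged; only Positive Payee raises it as a payee mismatch. The bank's own matching runs on its side of the ledger, but an AP team can run the same logic over its issued-check file and the bank's paid-items report to catch what a Positive-Pay-only bank would miss.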
At the end of the day, your company's security standards will always evolve to protect against ever-shifting fraud threats. It's important to find a provider that can scale to meet those changes without sacrificing your high security standards. While fraud prevention remains a priority, it's also important to know how your provider handles fraud instances and repairs damage.
If you're already searching for a payment automation solution, take some time to research each prospective provider's security offerings, and learn about their protective measures. Doing so will ensure that you choose a provider that prioritizes security and has your company's best interests at heart.