How secure is your payment process?

Companies are always subject to fraud and other financial crimes. The methods are numerous and the frauds are sophisticated. Security gaps in existing business processes are exploited, and the payment process is one of them. A very important one at that.

It is reasonable to believe that the majority of errors and attempts at fraud are detected in time thanks to experienced and competent staff within the company. However, in turbulent periods during reorganizations or company acquisitions, the situation often looks different. The control, overview, and detailed knowledge that previously always existed and created security have suddenly deteriorated, at least for a while, with new employees and processes to familiarize oneself with. These periods are often exploited by fraudsters.

Manual steps in the payment process always involve a risk

Any activity that requires manual work to complete a task poses a security risk. A common example of a security breach is when a supplier payment is initiated. First, standardized payment files are created in the business system. The payment files are exported to a directory and are then often left there for a while until they are distributed manually by one or more employees in the organization. This poses a security risk because the content of the payment files can easily be changed in a standard text editor. Anyone who has access to the file can change both the recipient and the amount in an unprotected payment file. Open the file in Notepad, change the giro/account number and amount of a transaction, and save. It's that easy to manipulate transactions, and there are no traces left of who changed the file!

But it is possible to minimize the risk, even eliminate it completely.

Automate the process and protect payment files from change

Automating the process and protecting payment files against tampering, for example with an HMAC seal, saves time and minimizes manual work while making the process significantly more secure: the recipient of the payment file can immediately reject a file whose seal no longer matches its content. All companies should have an interest in eliminating manual handling, such as manual uploading of payments. It is a simple measure that prevents irregularities and frees up time for accounts payable. Manual handling should only occur in exceptional cases, governed by clear rules for authorization and approval.

Files sent to Bankgirot can always be HMAC sealed, while files sent to banks can sometimes be secured in other ways, such as through PGP encryption. Regardless of the method, automation is in itself a security measure, as it prevents individuals from accessing and modifying the files.
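The seal-and-verify step described above, as an added example that is not Bankgirot's own seal format or any vendor's code: the sender computes an HMAC over the exact bytes of the exported file with a key shared with the recipient, and the recipient recomputes it before accepting the file. The record layout, key and payment data are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample payment file; the record layout is illustrative only,
# not Bankgirot's real format.
PAYMENT_FILE = (
    "HEADER;2024-05-02;SEK\n"
    "PAY;5555-1234;ACME Supplies AB;12500.00;INV-1001\n"
    "PAY;7777-9876;Nordic Parts AB;3100.50;INV-1002\n"
    "TRAILER;2;15600.50\n"
).encode("utf-8")

# Constructed demo key. In practice the key is agreed with the recipient
# out of band and stored where the file-handling staff cannot read it.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def seal_file(content: bytes, key: bytes) -> str:
    """Compute a hex HMAC-SHA256 seal over the exact bytes of the file."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def verify_seal(content: bytes, key: bytes, seal: str) -> bool:
    """Recompute the seal and compare in constant time; False means reject."""
    return hmac.compare_digest(seal_file(content, key), seal)


def demo() -> dict:
    """Seal the export, then check it against an unchanged and an edited copy."""
    seal = seal_file(PAYMENT_FILE, DEMO_KEY)
    # The kind of edit the article describes: one account number changed
    # in a text editor after export. Any byte change breaks the seal.
    edited = PAYMENT_FILE.replace(b"5555-1234", b"9999-0000", 1)
    return {
        "original_ok": verify_seal(PAYMENT_FILE, DEMO_KEY, seal),
        "edited_ok": verify_seal(edited, DEMO_KEY, seal),
        # A seal made with the wrong key is rejected too, so an editor who
        # can reach the file but not the key cannot produce a valid seal.
        "wrong_key_ok": verify_seal(PAYMENT_FILE, b"other-key", seal),
    }


if __name__ == "__main__":
    print(demo())
```

An HMAC seal detects modification but does not hide the content; where the file itself must stay confidential in transit, encryption (such as the PGP option mentioned above) is needed in addition.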

It may be high time to review how your company handles supplier payments. Raise awareness of potential shortcomings and make clear what the company expects and what it will not accept. After a breach, no one will accept that the gaps were known and left open.

Start by reviewing your payment process. This is a good way to identify shortcomings and prevent fraud.

Three steps for increased security in the payment process

  1. Document in detail all steps in your payment process, including which individuals have authorization and can access exported payment files.
  2. Transition to an automated process for supplier payments and payroll.
  3. Ensure that payment files are protected against changes (or encrypted) immediately upon export from the financial system.


About the author

Mikael Kawa is a product owner at Betalkontroll and has 19 years of experience working with systems, development, and processes in the areas of scanning, EFH, and ERP.