TOPIC: Electronic Payment Information Security
OFFICE: Office of Comptroller
STATE: IL
DATE: 8/23/2011

QUESTION / ISSUE:
The following questions pertain to vendors accessing electronic payment information over the Internet, and the security measures in place to ensure the safety of such information.

1. When signing up a new vendor for direct deposit, the state of Illinois requires a hard copy authorization form signed by the vendor, and then we prenote the account. How do you authenticate that the individual who signed the authorization form is actually authorized to represent the company or is the actual individual? Do you have an electronic procedure for the authorization or authentication process?

2. The state of Illinois currently gives access to vendors to see their payments online (on our website) for non-confidential payments. The vendor only needs to use their federal taxpayer ID to access the information. The state wants to develop a more secure access procedure so vendors can look at confidential payments also. What password/PIN security procedures does your state have to access vendor payments? Again, how do you authenticate that the individual who signed the request for access form is actually authorized to represent the company or is the actual individual?

3. The state of Illinois wants to develop an email or text notification process to vendors when an electronic payment has been made on their behalf. Does your state currently utilize an electronic notification system, and how do you authenticate that the individual who signed up for this electronic notification is actually authorized to represent the company or is the actual individual?

Alaska

1. When we receive an authorization form, we check if the vendor has a vendor record already set up in our state accounting system. We do this for two reasons:
a. In order for Alaska to set a vendor up for direct deposit, we add their bank account information to the state accounting system, which ties to their vendor record. If the vendor does not have a vendor record in the state accounting system, we can't set the vendor up for direct deposit.
b. We compare the information from the authorization form to the existing vendor record. If there is a discrepancy between the form and the record, such as differences in the federal taxpayer ID or the vendor's legal name, we follow up with the vendor for clarification.
The verification against the vendor record, in addition to following up with the vendor for any discrepancies, is our authentication that the vendor is truly the vendor. We do not follow up with the vendor when the information on the form matches up with the vendor record. We do not have an electronic procedure in place for the authorization or authentication process.

2. For a vendor to access our online payment system, they need their pay vendor number (PVN), which is a combination of letters and numbers the state assigns to the vendor when we set up their vendor record in our state accounting system. The vendor can either call or email the state to get their PVN. Our online payment system does not have the capability to have a strong password/PIN process in place. I can't remember if this is due to the software/web application it's running on or if it's because our inquiry system is tied to our 25-year-old state accounting system. The state is in the early stages of an Enterprise Replacement Project (ERP), where the goal is to replace our existing state accounting system, payroll system, and human resources system (i.e., Workplace AK). Once a new accounting system is in place, we might be able to implement a more sophisticated password/PIN process. We do not have a "request for access" form for vendors to use if they want to access our online payment system. We notify vendors on our electronic payment website that if they would like access to the system, they would need to contact the state. When contacting us, whether it is by phone or email, we ask the vendor to provide their federal taxpayer ID before we give the PVN. We do not display confidential payments in our online payment system. For a confidential payment, the agency may issue a paper warrant instead of doing direct deposit so vendors have a way to get additional remittance information on the payment. Or the vendor may follow up with the state agency that made the payment to acquire more information. Once a new accounting system is in place, we may explore the possibility of implementing a secure process so a vendor can view confidential payments in our online payment system.

3. We do not have an email or text notification process when an electronic payment has been made to a vendor. It is either due to the limitations of the software/web application our online payment system is using or our 25-year-old state accounting system. Once we have our new state accounting system, something like this could be looked into. For now, if a vendor would like this type of notification, we just direct them to their bank to see if their bank has such a service.

If you would like more information regarding the electronic disbursement process for the state of Alaska, please check out our website at: http://doa.alaska.gov/dof/epay/index.html

Massachusetts

1. The commonwealth also requires a hard copy authorization form signed by the vendor, and we do still prenote, although discussion to discontinue does come up every year or so. Due to a fraud attempt last year, we have strengthened our form for account changes: the vendor must also include the routing and account numbers for the current EFT account when requesting a change. The commonwealth does not have an electronic procedure to authorize or authenticate the vendors' data. Vendor changes are handled by the department that is currently contracting or doing business with that vendor. There is a Contractor Authorized Listing Signature form that is filed with each contract for vendor signature confirmation during the life of the contract, as well as the direct business relationship the contractor and department maintain. Departments certify to our office that they have verified data when they submit a transaction to add or update vendor payment data to the accounting system.

2. The commonwealth does offer all payees access to all of their payment remittance details on-line. The access is by logging in with the commonwealth-assigned Vendor/Customer Code and the last 4 digits of their TIN. Personally identifiable information of a payee is not accessible or displayed. Payment information includes payment date, amounts (payment total and line amount(s)), invoice number(s), contract number(s), department(s) and any adjustments to the payment.

3. No, we do not offer this feature. While it is interesting, we have not received many requests from vendors for it. Our website has been available for over 15 years now. We do offer the ability to download payment data for the prior 2 years.

Montana

1. We have created a Substitute W-9 that includes the direct deposit information on the form for vendors. This form has the standard language as required by the IRS in regard to signing "under penalties of perjury". We then require a cancelled check or a form signed by the bank to be attached to the Substitute W-9. We do not do prenotes for vendor payments. We only do prenotes for an employee's 1st check. Beyond the Substitute W-9 we are not doing further authentication processes at this point in time.

2. At this time in Montana, the payment advice is not available on-line.

3. We do have the ability to send a vendor an email advice whenever an electronic payment is made. The request for email addresses is also on the Substitute W-9 form discussed in question #1, which is signed under "penalties of perjury." Beyond the Substitute W-9 we are not doing further authentication processes at this point in time.

Nevada

1. Effective July 1, vendors of the state of Nevada are required to receive funds electronically. Each new vendor must complete a Registration form, a copy of which is attached (KTLVEN-01_Registration_rev_07-11.pdf). Section 4 pertains to electronic payments. The completion of this form plus support documentation for direct deposit is required. The support documentation can be a copy of a voided imprinted check or a signed letter on company letterhead that restates the bank information. (We accept the letter as many businesses use depository-only accounts.) The banking information is put through prenote, and a report is computer-generated each morning for the previous day's input. The Vendor Services supervisor verifies that all vendor information was correctly input, including the banking information. The support documentation is also reviewed to make sure that the company (or individual) and banking information matches the information on the Registration form. Please note that the Registration form serves as a Substitute W-9, and the certification in Section 5 requires a signature and the title of the signer. The state does not have an electronic procedure for the authorization or authentication process other than the prenote process.

2. Nevada does not give vendors on-line access to their payments.

3. When completing the Registration form, the vendor is asked to provide an email address for receiving direct deposit advices. A test email is sent to that address at the beginning of the prenote process to verify that the address is valid and deliverable. Although a generic email address such as EFTREMIT@XEROX.COM is requested, some companies do use an individual's company email address. Since the Registration form is signed by an authorized representative of the company, we use the email address as provided. Vendors are contacted if the test email (or direct deposit advice) is returned as "undeliverable."

North Carolina

1. The NACHA Rules no longer require you to do a prenote. If you do, you must wait the prescribed number of days before you can do a live transaction. The state of North Carolina no longer prenotes for vendors, as the advantage is not that great. There is a cost to originate a prenote. The main reason, however (banks generally will not tell you this), is that banks generally dump the prenote file without actually doing a verification. Therefore, there is little value in the prenote. Our system does, however, check a database to determine if the transit-routing number is a valid number.
Regarding verification: We require a hard copy authorization form, but we do not take steps to authenticate the signature. Approximately 80% of our authorization forms are accompanied by either a voided check or a bank authorization. On the forms that are unaccompanied, we are not performing authentication, other than making a reasonable determination. However, states should be aware of a fraud scheme about a year ago that involved the states of North Carolina, Texas and FL. An individual incorporated several companies with the Secretary of State using names that were very similar to (but with slightly different spelling from) those of well-known companies (e.g., EDS Systems and UNYISYS). Using the Articles of Incorporation of the dummy corporations, they opened up bank accounts at a local bank. They then sent in requests to the state to have the bank account info of the real company changed to the newly opened bank account. One of the states made the change, and the next large vendor payment (several million) went to the wrong bank. It was eventually detected, and the FBI later caught the criminals under a sting operation in North Carolina.

2. North Carolina does not currently have a website where vendors can see their payments.

3. North Carolina sends either an email notification or a fax notification, depending on the instructions on the authorization form. The system was originally provided by BottomLine Technologies, but later brought in-house. Again, we do not authenticate the notification address/number.

Tennessee

1. The state of Tennessee requires its vendors to complete an ACH authorization form which includes their Tax ID number, payment routing information and the signature of an authorized signatory. In addition, we require a pre-printed, voided check or deposit slip for support. If pre-printed support is not available, we require a letter from the vendor's bank listing the account name and payment routing information. These forms are reviewed for propriety by experienced staff prior to processing. We have researched, and continue to research, best practice techniques for mitigating the risk inherent in a high-volume ACH registration process.

2. The state utilizes the Oracle PeopleSoft eSupplier functionality, providing suppliers with secure, single sign-on access to information they may need or desire about their account, such as changing or adding addresses and viewing invoice and payment status. Only registered vendors are eligible to register as an eSupplier. This is validated through the use of taxpayer identification matching. Vendor and bidder password controls, such as auto expiration, are currently under review.

3. The state does not currently utilize an electronic notification system for trade vendor payments.

Texas

1. Currently, the individual state agencies process the direct deposit setup forms for their payees. With this approach, state agencies are encouraged to know who their payees are, which is important for helping to meet International ACH Transaction (IAT) due diligence requirements as required by Federal law. Not at this time.

2. The Texas Comptroller's Vendor Payment Search is an option that payees can use to access their state payment information using a Personal Identification Number (PIN). The web search provides information for both confidential and non-confidential payments issued by direct deposit or by state warrant (check). The Vendor Payment Search link provides a PIN registration option for payees to create a PIN. The authentication process requires a payee to provide their direct deposit bank account number or a 9-digit warrant number from an uncashed state warrant. Both pieces of information are considered confidential. If the number entered matches the number stored in the Comptroller's Texas Identification Number System, the payee will be prompted to create a PIN.

3. Advance Payment Notifications (APNs) are automatically generated for payments issued by direct deposit only (excludes payments issued by warrant). Email notifications provide payees with a one-business-day advance notice that a direct deposit payment has been issued prior to the payment posting. We encourage payees to use the Vendor Payment Search to obtain payment detail. Payees may sign up for the APN option when completing the Direct Deposit Authorization – Vendor.
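Several of the responses above describe the same defensive checks on a bank-account change request: Massachusetts now requires the current routing and account numbers on the change form, North Carolina checks that the transit-routing number is valid, and North Carolina's fraud account shows why a change request carrying a name that is almost, but not quite, an existing vendor's name deserves a hold. The following screening routine is an added example written for this page; it is not any state's system. It generalizes the routing-number check to the published ABA checksum (weights 3, 7, 1 over the nine digits, sum divisible by 10), which stands in for the database lookup North Carolina describes, and it uses a name-similarity score to flag lookalike names. The vendor master records and the change requests are constructed for illustration.

```python
import difflib
import re
from dataclasses import dataclass

# Constructed vendor master file: hypothetical vendors, identifiers and
# checksum-valid but made-up routing numbers. Not real data.
VENDOR_MASTER = {
    "V-1001": {"name": "Example Data Systems, Inc.", "tin": "12-3456789",
               "routing": "123456780", "account": "000123456789"},
    "V-1002": {"name": "Northside Paper Supply LLC", "tin": "98-7654321",
               "routing": "987654320", "account": "987654321000"},
}

LEGAL_SUFFIXES = {"inc", "llc", "corp", "corporation", "co", "ltd", "company"}


def aba_routing_is_valid(routing: str) -> bool:
    """Structural validity check for a 9-digit ABA transit-routing number.
    Each digit is weighted 3, 7, 1 in turn; the weighted sum must be a
    multiple of 10. This catches transposed or mistyped digits, not whether
    a bank actually uses the number (that needs a directory lookup)."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation and legal-form suffixes so that
    'Example Data Systems, Inc.' and 'EXAMPLE DATA SYSTEMS INC' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


@dataclass
class ChangeRequest:
    vendor_id: str
    vendor_name: str
    tin: str
    current_routing: str   # account the requester says is on file (MA-style)
    current_account: str
    new_routing: str
    new_account: str


def screen_change_request(req: ChangeRequest, master=VENDOR_MASTER,
                          lookalike_threshold: float = 0.85) -> list:
    """Return a list of reasons to hold the request for manual review.
    An empty list means every automated check passed."""
    flags = []
    record = master.get(req.vendor_id)
    if record is None:
        return ["vendor id not on file"]
    if record["tin"] != req.tin:
        flags.append("taxpayer id does not match vendor record")
    # Massachusetts-style control: the requester must restate the account
    # currently on file; a forger who only knows the vendor's name cannot.
    if (req.current_routing, req.current_account) != (record["routing"], record["account"]):
        flags.append("current account on form does not match account on file")
    if not aba_routing_is_valid(req.new_routing):
        flags.append("new routing number fails ABA checksum")
    if not re.fullmatch(r"\d{4,17}", req.new_account):
        flags.append("new account number is not 4-17 digits")
    # Lookalike-name check (the scheme North Carolina describes): a name
    # that is close to, but not the same as, the record it claims to be.
    req_norm = normalize_name(req.vendor_name)
    rec_norm = normalize_name(record["name"])
    if req_norm != rec_norm:
        ratio = difflib.SequenceMatcher(None, req_norm, rec_norm).ratio()
        if ratio >= lookalike_threshold:
            flags.append(f"name resembles vendor record but is not identical (similarity {ratio:.2f})")
        else:
            flags.append("name on form differs from vendor record")
    return flags


if __name__ == "__main__":
    legit = ChangeRequest("V-1001", "Example Data Systems, Inc.", "12-3456789",
                          "123456780", "000123456789", "987654320", "555000111")
    print("legitimate:", screen_change_request(legit))
    suspect = ChangeRequest("V-1001", "Example Data Sytems Inc", "12-3456789",
                            "123456780", "999999999", "123456789", "555000111")
    print("suspect:", screen_change_request(suspect))
```

The checks are deliberately additive: a request that fails any one of them goes to the reviewer with every reason listed, so the reviewer sees, for instance, both that the "current account" is wrong and that the name is one letter off from the record, which together look like the pattern North Carolina described rather than a typo.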
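The Texas response describes a PIN registration flow in which the payee first proves possession of a confidential value already on file (the direct deposit account number or a 9-digit number from an uncashed warrant) and is only then allowed to create a PIN. The code below is an added example of that pattern and is not the Comptroller's implementation; the payee directory, the PIN length policy (6 to 12 digits), the three-failure lockout, and the PBKDF2 storage of the PIN are all assumptions made here for illustration. Points a practitioner would want that the description does not spell out: the proof values are compared in constant time, an unknown payee id gets the same response as a wrong proof so the registration page cannot be used to enumerate ids, and the PIN itself is never stored in clear.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed payee directory: hypothetical identifiers, not real data.
# Each payee has one account number on file and a set of uncashed warrants.
PAYEES = {
    "PAYEE-000001": {"account": "000987654321", "open_warrants": {"123456789", "223456789"}},
    "PAYEE-000002": {"account": "111222333444", "open_warrants": set()},
}
MAX_FAILURES = 3          # assumed lockout threshold
PBKDF2_ROUNDS = 200_000   # assumed work factor for PIN storage


@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)      # payee id -> (salt, digest)
    failures: dict = field(default_factory=dict)  # payee id -> failed proofs

    @staticmethod
    def _digest(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def proof_matches(payee_id: str, proof: str, directory=PAYEES) -> bool:
    """True if `proof` equals the account number on file or any uncashed
    warrant number. Every candidate is compared in constant time and the loop
    never short-circuits, so timing does not reveal which value matched."""
    record = directory.get(payee_id)
    if record is None:
        return False
    matched = False
    for candidate in [record["account"], *sorted(record["open_warrants"])]:
        matched |= hmac.compare_digest(proof.encode(), candidate.encode())
    return matched


def register_pin(store: PinStore, payee_id: str, proof: str, new_pin: str) -> str:
    """Identity-proof then PIN creation. Returns a short status string."""
    if store.failures.get(payee_id, 0) >= MAX_FAILURES:
        return "locked"
    if not proof_matches(payee_id, proof):
        # Same response for an unknown id and a wrong proof: no enumeration.
        store.failures[payee_id] = store.failures.get(payee_id, 0) + 1
        return "proof rejected"
    if not (new_pin.isdigit() and 6 <= len(new_pin) <= 12):
        return "pin does not meet policy"
    salt = os.urandom(16)
    store.pins[payee_id] = (salt, PinStore._digest(new_pin, salt))
    store.failures.pop(payee_id, None)
    return "registered"


def verify_pin(store: PinStore, payee_id: str, pin: str) -> bool:
    """Later logins check the PIN against the salted digest, never the clear PIN."""
    entry = store.pins.get(payee_id)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(digest, PinStore._digest(pin, salt))


if __name__ == "__main__":
    store = PinStore()
    print(register_pin(store, "PAYEE-000001", "123456789", "246810"))  # warrant number as proof
    print(verify_pin(store, "PAYEE-000001", "246810"))
    print(verify_pin(store, "PAYEE-000001", "000000"))
```

The lockout counter is keyed by the submitted payee id, so repeated guessing against one id stops after three misses even though the id itself is not secret; a production system would persist that counter and also rate-limit by source address.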