
Payroll Always Deserved Bank-Level Security. It’s Finally Possible.

Payroll requires more than your everyday security. It demands the same level of protection banks deploy to safeguard the money in their accounts. Just ask the city workers of Tallahassee, Florida. They woke up one payday expecting to see their salaries – but there was nothing. A hacker had managed to enter the system and divert the funds, totalling about half a million dollars. The attack was brazen, but it wasn’t unusual.

There have been numerous breaches of employee data in the last few years alone, highlighting a stark reality: payroll is a top target for attackers. Vast amounts of money pass through payroll pipelines alongside a wealth of private information, and much of the payroll software companies still run was designed decades ago, before current security practices existed.

That leaves the question that every finance and HR professional must answer: are your payroll and payment mechanisms protected?

While no system can ever be 100% hacker-proof, you want to aim for the highest level available. In today’s world, that means bank-level security.

Payroll and Payments Using Bank-Standard Security

Though banks have been making news for less than ideal reasons lately, they still maintain extremely high levels of security. After all, if hackers are attracted to payroll because of the potential money pickings, imagine the appeal of an entire bank.

So how do you find a payroll and payments system that meets the coveted bank standard? Look for a company like Papaya Global that has partnered with top-tier banks such as J.P. Morgan Chase and Citi. We created optimized payroll payment rails that rely on our partnerships with major banks.

Top banks not only implement the strictest security controls but also require their partners to meet those same standards. For Papaya, which holds several money transfer licenses across the globe, government regulators impose additional requirements to ensure proper money movement, including fraud prevention and the segregation of each client's funds.

As a regulated financial institution, we perform Know Your Customer (KYC) and Anti-Money Laundering (AML) checks on each new client and on every worker paid through Papaya Payments. KYC takes place when we onboard a new client; a worker's onboarding is completed only after a successful penny test, a small trial deposit that confirms the destination account is real and belongs to that worker. We also rescreen every payment, every cycle. Our dedicated team and existing infrastructure allow us, in most cases, to complete the KYC process within hours of receiving all required documents.

Additionally, because Papaya is a regulated financial service company via its foreign subsidiaries and a licensed and regulated payment provider, we are obligated to operate segregated bank accounts (‘Customer Money Accounts’) for all of our payments customers so our clients can see how much money is in their dedicated Papaya account at all times – in each funding currency if they use more than one. Our CMAs are held at J.P. Morgan.

Protecting data privacy already carries the highest priority in our payroll security. All data is encrypted at rest and in transit, and access is restricted to authorized systems and individuals. But encryption alone is not enough. To send ACH payments through J.P. Morgan, our payment system connects to the bank's over mutual TLS (transport layer security), in which both endpoints authenticate with certificates rather than only the server. The bank additionally accepts connections only from the fixed IP addresses we have registered with it (IP allow-listing). We separate duties within the payroll and payment process so that no single person or component can act on every stage of a payment's journey. Every request for data is signed and encrypted, and a request whose signature does not verify is refused.

Screening Out Fraud

Building systems that communicate with top-tier banks is only the beginning. We have additional layers of internal security designed to stymie even the most tenacious hackers.

The Papaya Payments platform was built using overlapping systems, all of which have access only to information necessary for their specific task. That way, no system can control multiple parts of the payment journey.

To illustrate the point, let's say a Papaya client authorizes a payment of $5,000 to an employee in Germany. The payment begins in the virtual account (e-wallet), where the company's funds are kept. When the payment authorization goes through, that money is locked for transfer with a cryptographic signature over the authorization; its amount and destination cannot be changed or moved beyond the scope of what was authorized.

At that point, the payment, like all payments, must go through screening to ensure the recipient is not associated with anyone suspected of criminal activity. Screening typically takes just a few moments, but because of rigorous global standards a particular payment may require a manual check, such as when a recipient's name matches an entry on a terror or sanctions watchlist. In that case, the company will be asked to provide additional identification before the payment is released.
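The name screening described above, as an added example that is not Papaya's screening code: names are normalized (case, diacritics, punctuation) and compared against a watchlist, and any exact or partial hit is held for a human rather than auto-cleared. The watchlist entries and the matching rule are constructed for this example; a production screener uses official sanctions and PEP lists and fuzzy matching tuned for recall.

```python
import re
import unicodedata
from typing import Dict, List

# Constructed watchlist standing in for the sanctions and PEP lists a regulated
# payment provider screens against. Every entry here is fictitious.
WATCHLIST: List[Dict[str, str]] = [
    {"list_id": "W-001", "name": "Jonas Müller"},
    {"list_id": "W-002", "name": "María de la Cruz"},
]


def normalize(name: str) -> List[str]:
    """Fold case, strip diacritics and punctuation, return sorted name tokens.
    'MÜLLER, Jonas' and 'Jonas Müller' must screen identically."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return sorted(re.findall(r"[a-z0-9]+", stripped.casefold()))


def screen_name(recipient_name: str, watchlist=WATCHLIST) -> Dict[str, str]:
    """Return 'clear' or 'manual_review'. Tuned for recall: a partial match
    (for example a missing middle name or particle) is held for review, never
    auto-cleared. A single shared token such as a common first name is not a hit."""
    want = normalize(recipient_name)
    for entry in watchlist:
        have = normalize(entry["name"])
        if want == have:
            return {"decision": "manual_review", "match": entry["list_id"],
                    "reason": "exact name match after normalization"}
        shared = set(want) & set(have)
        one_contains_other = set(want) <= set(have) or set(have) <= set(want)
        if one_contains_other and len(shared) >= 2:
            return {"decision": "manual_review", "match": entry["list_id"],
                    "reason": "partial name match (%s)" % " ".join(sorted(shared))}
    return {"decision": "clear", "match": "", "reason": "no watchlist hit"}


def screen_payment(payment: dict) -> dict:
    """Attach the screening outcome. A hold means the client is asked for
    additional identification before the payment is released."""
    result = screen_name(payment["recipient_name"])
    status = "released" if result["decision"] == "clear" else "held_for_review"
    return {**payment, "screening": result, "status": status}


if __name__ == "__main__":
    for name in ["Anna Schmidt", "MULLER, Jonas", "Maria Cruz", "Jonas"]:
        out = screen_payment({"recipient_name": name, "amount_cents": 500_000, "currency": "EUR"})
        print(name, "->", out["status"], "|", out["screening"]["reason"])
```

The partial-match rule errs on the side of holding payments; the cost of a false hold is a delayed payroll and a document request, while the cost of a missed hit is a regulatory breach, which is why screening is built for recall and the dry runs described below have to budget time for manual review.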

To ensure that the promised payment sum always lands on time in recipient accounts, Papaya runs daily simulations of the payment journey. These “dry runs” identify any obstacles that may occur, including the possibility that a screening may require additional information, which takes more time. Papaya can thus anticipate the exact amount of money that needs to be sent to reach the employee accurately, and the exact date it must be dispatched in order to land in its destination account on time. Any deviation will be spotted right away.

Minimizing the Risk of Data Breach

The screening is only the second of multiple processes at work. One system might hold the worker's ID but not their name or bank details. Another might hold bank details but not the name or social security number. No single system has access to all of the employee's personally identifiable information (PII), so none of them on its own could reveal who the individual is.

No person, and no part of the system, has access to all the private data, not even the top Papaya officials overseeing the process. No one can override or bypass a stage once it has been signed. Papaya maintains state-of-the-art data protection, such that even if an attacker manages to enter the system, there is little they could do once inside. They would need to obtain the keys of every other system to complete the payment journey, and a breach of any one system would yield only the small slice of data it holds, limiting the possible damage.
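The split described in the two paragraphs above, as an added example that is not Papaya's code: three stores, each holding only the fields its stage needs, joined by an opaque record key. The point the prose does not spell out is that the join key itself must be unguessable. If it is a plain hash of the employee number, an attacker who steals the banking store and a leaked staff list can rebuild the join offline; keying the derivation with a secret the stores never see closes that. The secret, store layout and sample records are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Set

# Constructed secret. In practice it is held only by the orchestration stage
# that must correlate records, never by the stores themselves.
JOIN_SECRET = b"constructed-join-secret-do-not-use"


def weak_key(client_id: str, worker_id: str) -> str:
    """Unkeyed hash of the employee number: anyone who knows the numbers can recompute it."""
    return hashlib.sha256(f"{client_id}:{worker_id}".encode()).hexdigest()[:32]


def keyed_key(client_id: str, worker_id: str, secret: bytes = JOIN_SECRET) -> str:
    """HMAC pseudonym: without the secret the record key cannot be recomputed."""
    return hmac.new(secret, f"{client_id}:{worker_id}".encode(), hashlib.sha256).hexdigest()[:32]


class SplitRecords:
    """Three stores, each limited to what its own stage needs."""

    def __init__(self, key_fn: Callable[[str, str], str]):
        self.key_fn = key_fn
        self.identity: Dict[str, dict] = {}  # worker_id -> name, national_id (HR stage)
        self.banking: Dict[str, dict] = {}   # pseudonym -> iban (payment-rails stage)
        self.ledger: Dict[str, dict] = {}    # pseudonym -> amount, currency (ledger stage)

    def onboard(self, client_id: str, worker_id: str, name: str,
                national_id: str, iban: str) -> str:
        token = self.key_fn(client_id, worker_id)
        self.identity[worker_id] = {"name": name, "national_id": national_id}
        self.banking[token] = {"iban": iban}
        return token

    def schedule(self, token: str, amount_cents: int, currency: str) -> None:
        self.ledger[token] = {"amount_cents": amount_cents, "currency": currency}


def fields_exposed(store: Dict[str, dict]) -> Set[str]:
    """What a compromise of exactly one store yields."""
    exposed: Set[str] = set()
    for record in store.values():
        exposed |= set(record)
    return exposed


def linkable_by_guessing(banking: Dict[str, dict], client_id: str,
                         worker_ids: Iterable[str]) -> int:
    """Attacker holding the banking store plus a leaked employee list tries to
    rebuild the join by hashing each employee number without any secret.
    Returns how many banking records they manage to attribute."""
    return sum(1 for wid in worker_ids if weak_key(client_id, wid) in banking)


if __name__ == "__main__":
    staff = ["emp-41", "emp-42", "emp-43"]  # constructed leaked staff list
    for label, key_fn in (("unkeyed hash", weak_key), ("HMAC pseudonym", keyed_key)):
        records = SplitRecords(key_fn)
        tok = records.onboard("client-001", "emp-42", "Jonas Müller", "X-0000001",
                              "DE89370400440532013000")  # constructed sample record
        records.schedule(tok, 500_000, "EUR")
        print(label, "| banking store exposes:", fields_exposed(records.banking),
              "| records linkable from stolen banking store:",
              linkable_by_guessing(records.banking, "client-001", staff))
```

The field split limits what one breached system yields; the keyed pseudonym is what stops an attacker from re-assembling the pieces across two breached systems. Rotating the join secret re-keys every store, so it belongs in the same key-management regime as the signing keys.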

Any attempt to increase the payment amount or divert payments from their intended recipient would also trigger a suspicious behaviour alert. In the same way credit card companies might notify a client if they see an unusual charge, the Papaya platform alerts us if there is unusual activity around a payment that requires additional authorization. And the same type of safeguard also protects our clients from internal fraud. No one is authorized to change any of the processes that have been signed as completed and encrypted.
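The locked authorization, tamper detection and alerting described in this and the preceding section, together with the signed requests mentioned under "Payroll and Payments Using Bank-Standard Security", as one added example that is not Papaya's code: the fields of a payment authorization are covered by a keyed MAC, and the executing stage verifies the MAC, freshness and single use before any money moves, raising an alert on failure. An HMAC stands in for the asymmetric signature a real deployment would use, and the key, field names, IBANs and time window are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed key for this example. A real deployment would use an asymmetric
# signature (e.g. Ed25519) with the private key in an HSM, so the stage that
# verifies cannot also forge; an HMAC stands in here so the example runs on the
# standard library alone.
AUTH_KEY = b"constructed-example-key-do-not-use-in-production"

MAX_AGE_SECONDS = 300  # how long a signed authorization remains acceptable


def canonical(fields: dict) -> bytes:
    """Deterministic serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_authorization(key: bytes, client_id: str, employee_id: str,
                       amount_cents: int, currency: str, recipient_iban: str,
                       issued_at: Optional[int] = None,
                       nonce: Optional[str] = None) -> dict:
    """Lock a payment: every field an attacker would want to alter is under the MAC."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    auth = {
        "client_id": client_id,
        "employee_id": employee_id,
        "amount_cents": amount_cents,
        "currency": currency,
        "recipient_iban": recipient_iban,
        "issued_at": int(time.time()) if issued_at is None else issued_at,
        "nonce": secrets.token_hex(16) if nonce is None else nonce,
    }
    auth["sig"] = hmac.new(key, canonical(auth), hashlib.sha256).hexdigest()
    return auth


def verify_authorization(key: bytes, auth: dict, executed_nonces: set,
                         now: Optional[int] = None) -> Tuple[bool, str]:
    """Check an authorization before money moves. Returns (ok, reason)."""
    fields = dict(auth)
    sig = fields.pop("sig", None)
    if not isinstance(sig, str):
        return False, "missing signature"
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak the digest byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch: payload altered after authorization"
    now = int(time.time()) if now is None else now
    if abs(now - fields["issued_at"]) > MAX_AGE_SECONDS:
        return False, "authorization expired"
    if fields["nonce"] in executed_nonces:
        return False, "replay: authorization already executed"
    executed_nonces.add(fields["nonce"])
    return True, "ok"


def execute_payment(key: bytes, auth: dict, executed_nonces: set,
                    alerts: list, now: Optional[int] = None) -> bool:
    """Release the payment only if verification passes; otherwise raise an alert."""
    ok, reason = verify_authorization(key, auth, executed_nonces, now)
    if not ok:
        alerts.append({"employee_id": auth.get("employee_id"),
                       "amount_cents": auth.get("amount_cents"),
                       "reason": reason})
    return ok


if __name__ == "__main__":
    alerts, executed = [], set()
    # Constructed sample: $5,000 equivalent in cents to a German account (example IBAN).
    auth = sign_authorization(AUTH_KEY, "client-001", "emp-42", 500_000, "EUR",
                              "DE89370400440532013000", issued_at=1_700_000_000, nonce="n1")
    print("original:", execute_payment(AUTH_KEY, auth, executed, alerts, now=1_700_000_010))
    inflated = dict(auth, amount_cents=900_000)
    print("inflated:", execute_payment(AUTH_KEY, inflated, executed, alerts, now=1_700_000_010))
    diverted = dict(auth, recipient_iban="DE02120300000000202051")
    print("diverted:", execute_payment(AUTH_KEY, diverted, executed, alerts, now=1_700_000_010))
    print("replayed:", execute_payment(AUTH_KEY, auth, executed, alerts, now=1_700_000_010))
    for entry in alerts:
        print("ALERT", entry)
```

Two details matter in practice: the amount and the destination must both be under the signature (signing only the amount leaves the IBAN free to be swapped), and the nonce is recorded only after a successful verification, so a tampered copy cannot burn the legitimate authorization's single use.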

Ensure Your Payroll and Payments Are Secure

Payroll payments security is the foundation of the trust between employees and companies. Papaya believes that making global payroll and payments more secure is a top priority. That’s why companies like Forter, GitLab, and Shopify choose Papaya OS. Schedule a demo to learn more.