9 Payments Security

You can implement application security options on the Manage System Security Options page as part of a complete security policy that's specific to your organization. Security options can be set for encryption and tokenization of credit cards and bank accounts, as well as for payment instrument masking. Security options are used for both funds capture and disbursement processes.

Note: Credit card services are currently not available in Oracle Financials Cloud implementations.
Note: Before you can import credit cards into Expenses, you must enable encryption or tokenization of credit cards in Payments.

To secure your sensitive data, consider the following security questions:

  • Which security practices do you want to employ?

  • Do you want to tokenize your credit card data?

  • Do you want to encrypt your bank account data?

  • Do you want to encrypt your credit card data?

  • How frequently do you want to rotate the master encryption key and the subkeys?

  • Do you want to mask credit card and bank account numbers, and if so, how?

In the Setup and Maintenance work area, use the following to set up application security options:

  • Offering: Financials

  • Functional Area: Payments

  • Task: Manage System Security Options

Best Security Practices

The following actions are considered best security practices for payment processing:

  • Comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is the security standard that is required for processing most types of credit cards.

    • Comply with all requirements for accepting credit card payments.

    • Minimize the risk of exposing sensitive customer data.

  • Create the master encryption key.

    • Rotate the master encryption key periodically.

Implementation Process of Master Encryption Key and Encryption

Before you can enable encryption for credit card or bank account data, you must have the application automatically create a master encryption key. The master encryption key is stored on the file system of Oracle Platform Security Services (OPSS). The application uses your master encryption key to encrypt your sensitive data.

Automatic creation of the master encryption key ensures that it is created and stored in the proper location and with all necessary permissions.

Credit Card Tokenization

If you tokenize your credit card data, you are complying with PCI DSS requirements. PCI DSS requires companies to use payment applications that are PCI DSS compliant.

Tokenization is the process of replacing sensitive data, such as credit card data, with a unique number, or token, that isn't considered sensitive. The process uses a third-party payment system that stores the sensitive information and generates tokens to replace sensitive data in the applications and database fields. Unlike encryption, tokens can't be mathematically reversed to derive the actual credit card number.

You can set up your tokenization payment system by clicking Edit Tokenization Payment System on the Manage System Security Options page. Then, to activate tokenization for credit card data, click Tokenize in the Credit Card Data section.

Credit Card Data Encryption

You can encrypt your credit card data to help you comply with the cardholder data protection requirements of the following:

  • Payment Card Industry (PCI) Data Security Standard

  • Visa's PCI-based Cardholder Information Security Program (CISP)

Credit card numbers entered in Oracle Receivables and Oracle Collections are automatically encrypted. Encryption is based on the credit card encryption setting you specify on the Manage System Security Options page.

Note: If you bring card numbers into Payments through import, it's advisable to run the Encrypt Credit Card Data program immediately afterward.

Bank Account Data Encryption

You can encrypt your supplier and customer bank account numbers.

Bank account encryption doesn't affect internal bank account numbers. Internal bank accounts are set up in Oracle Cash Management. They are used as disbursement bank accounts in Oracle Payables and as remit-to bank accounts in Receivables.

Supplier, customer, and employee bank account numbers entered in Oracle applications are automatically encrypted. Encryption is based on the bank account encryption setting you specify on the Manage System Security Options page.

Note: If you bring bank account numbers into Payments through import, it's advisable to run the Encrypt Bank Account Data program immediately afterward.

Master Encryption Key and Subkey Rotation

For payment instrument encryption, Payments uses a chain key approach. The chain key approach is used for data security where A encrypts B and B encrypts C. In Payments, the master encryption key encrypts the subkeys and the subkeys encrypt the payment instrument data. This approach allows easier rotation of the master encryption key.

The master encryption key is stored on OPSS, which stores data in an encrypted format. When the master encryption key is rotated, that is, when a new one is generated, the subkeys are encrypted again under the new key, but the bank account numbers aren't encrypted again.

If your installation has an existing master encryption key, you can automatically generate a new one by clicking Rotate.

Note: To secure your payment instrument data, you're advised to annually rotate the master encryption key or rotate it according to your company's security policy.

You can also select the frequency with which new subkeys are automatically generated, based on usage or on the maximum number of days. To specify a subkey rotation policy, click Edit Subkey Rotation Policy.

Note: To secure your payment instrument data, you are advised to schedule regular rotation of the subkeys.

The security architecture for credit card data and bank account data encryption is composed of the following components:

  • OPSS

  • Payments master encryption key

  • Payments subkeys

  • Sensitive data encryption and storage

The following figure illustrates the security architecture of the OPSS repository, the master encryption key, and the subkeys.

[Figure: security architecture of Oracle Platform Security Services, the master encryption key, and the subkeys]
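
The chain key approach and a usage-based subkey rotation policy, sketched as an added example that is not Oracle code. The `KeyChain` class, its method names, and the HMAC-based stand-in cipher are assumptions chosen so the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, os

# Stand-in authenticated cipher (HMAC-SHA256 keystream plus tag) so the example
# runs on the standard library alone. Assumption of this example, not the
# cipher Payments uses.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class KeyChain:  # hypothetical name
    """Master key encrypts subkeys; subkeys encrypt payment instrument numbers."""

    def __init__(self, max_uses=2):
        self.master = os.urandom(32)  # on the page, this key lives in OPSS
        self.wrapped = {}             # subkey id -> subkey sealed under the master key
        self.max_uses = max_uses      # usage-based subkey rotation policy
        self.current = self._new_subkey()

    def _new_subkey(self):
        sid = len(self.wrapped) + 1
        self.wrapped[sid] = seal(self.master, os.urandom(32))
        self.uses = 0
        return sid

    def encrypt(self, number):
        if self.uses >= self.max_uses:  # policy limit reached: switch to a fresh subkey
            self.current = self._new_subkey()
        self.uses += 1
        subkey = unseal(self.master, self.wrapped[self.current])
        return self.current, seal(subkey, number.encode())

    def decrypt(self, record):
        sid, blob = record
        return unseal(unseal(self.master, self.wrapped[sid]), blob).decode()

    def rotate_master(self):
        # Only the small wrapped subkeys are re-encrypted; stored records are untouched.
        new_master = os.urandom(32)
        self.wrapped = {sid: seal(new_master, unseal(self.master, w))
                        for sid, w in self.wrapped.items()}
        self.master = new_master

def demo():
    chain = KeyChain(max_uses=2)
    # Constructed account numbers, not real data.
    records = [chain.encrypt(n) for n in ("10002000", "30004000", "50006000")]
    chain.rotate_master()
    return {"subkey_ids": [sid for sid, _ in records],
            "decrypted": [chain.decrypt(r) for r in records]}
```

Each stored record carries the identifier of the subkey that encrypted it, which is why older records stay readable after both kinds of rotation.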

Credit Card and Bank Account Number Masking

Payments serves as a payment data repository for customer and supplier information. Payments stores all of the customer and supplier payment information and their payment instruments, such as credit cards and bank accounts. Payments provides data security by allowing you to mask bank account numbers.

On the Manage System Security Options page, you can mask credit card numbers and external bank account numbers. To do so, select the number of digits to mask and display. For example, a bank account number of XXXX8012 displays the last four digits and masks all the rest. These settings specify masking for payment instrument numbers in the user interfaces of multiple applications.

Financial transactions contain sensitive information, which must be protected by a secure, encrypted mode. To protect your credit card and external bank account information, you can enable encryption. Encryption encodes sensitive data, so it can't be read or copied. To enable encryption, you must create a master encryption key. Oracle Platform Security Services (OPSS) is a repository that stores your master encryption key. The application uses your master encryption key to encrypt your sensitive data.

Note: Before you can import credit cards into Expenses, you must enable encryption or tokenization of credit cards in Payments. If you are using credit card data anywhere other than Expenses, you must enable tokenization in Payments.

To secure your credit card or bank account data, complete these steps:

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Financials

    • Functional Area: Payments

    • Task: Manage System Security Options

  2. On the Manage System Security Options page, click Apply Quick Defaults.

  3. Select all the check boxes:

    • Automatically create wallet file and master encryption key

    • Encrypt credit card data

    • Encrypt bank account data

  4. Click Save and Close.

Setting Up a Supplier's Bank Account: Explained

If any of your suppliers want to receive payments by EFT to their bank accounts, you can set up a supplier bank account. A supplier bank account can be created at the following levels:

  • Supplier level

  • Supplier address level

  • Supplier site level

Each bank account assignment is comprised of the following entities:

  • Supplier

  • Bank account

  • Bank account assignment

You can set up a bank account by doing the following:

  • Find your existing supplier.

  • Set up a bank account at the supplier, supplier address, or supplier site level.

  • Provide additional information that is relevant to the bank account.

  • Optionally, add joint bank account owners.

  • Optionally, specify intermediary accounts.

  • Optionally, assign a joint bank account to a supplier.

Find Your Existing Supplier

On the Manage Suppliers page, you can search for an existing supplier.

  1. On the Manage Suppliers page, in the Search region, enter your supplier name or supplier number in the Supplier or Supplier Number field and click the Search button. Supplier details appear in the Search Results region.

  2. In the Search Results region, select the supplier name and click the Edit icon. The Edit Supplier: <Supplier Name> page appears.

Set Up a Bank Account at the Supplier, Supplier Address, or Supplier Site Level

You can set up a supplier's bank account at the supplier, supplier address, or supplier site level.

  1. To set up a bank account at the supplier level, on the Edit Supplier: <Supplier Name> page, select the Profile tab. Select the Payments tab. Select the Bank Accounts subtab. Go to step 8 and continue.

  2. To set up a bank account at the supplier address level, on the Edit Supplier: <Supplier Name> page, select the Addresses tab. Click a specific address name link. On the Edit Address: <Location> page, select the Payments tab. Select the Bank Accounts subtab. Go to step 8 and continue.

  3. To set up a bank account at the supplier site level, on the Edit Supplier: <Supplier Name> page, go to step 4 and continue.

  4. Select the Sites tab. The supplier's various sites display.

  5. Click a specific site link. The Edit Site: <Supplier Site Name> page appears.

  6. Select the Payments tab.

  7. Select the Bank Accounts subtab.

  8. On the Bank Accounts subtab, click the Create icon. The Create Bank Account page appears. On the Create Bank Account page in the Bank Account region, you set up basic information about the bank account.

  9. In the Bank Account region, select an option from the Country choice list.

    Note: Validation of the bank account is based on the country for which the bank account is set up.

  10. In the Account Number field, enter the bank account number.

  11. From the Bank Name choice list, select a bank.

    Note: If the country of the supplier's bank account and the country of the bank account's branch through which the payment is made are the same, then the payment is considered a domestic payment.

  12. From the Branch choice list, select the branch where the bank account will reside.

    Note: You can set up a supplier's bank account for making domestic payments by check without specifying a bank or branch. To make electronic international payments, however, you must specify both a bank and a branch.

    Note: If the country of the supplier's bank account and the country of the bank account's branch through which the payment is made are not the same, then the payment is considered an international payment.

  13. To make international payments to a supplier's bank account, select the Allow international payments check box.

    Note: The Allow international payments check box can be selected only when you provide bank and branch details. If you do not select the Allow international payments check box, international payments are not created.

  14. If you are setting up a supplier's bank account in a European country, enter the International Bank Account Number (IBAN) in the IBAN field.

    Note: Validation of the IBAN is based on the country for which the bank account is set up.

  15. From the Currency choice list, select the currency in which payments are made.

    Note: If you select a currency, then the supplier's bank account is used to pay invoices in that currency only. If you do not select a currency, then the supplier's bank account is considered multicurrency and can be used to pay invoices in any currency.

Provide Additional Information That is Relevant to the Bank Account

On the Create Bank Account page, in the Additional Information region, you can enter additional information that is relevant to the bank account you are setting up.

  1. In the Account Suffix field, enter the value that appears at the end of the bank account number, if applicable.

    Note: An account suffix is required in some countries.

  2. From the Conversion Rate Agreement Type choice list, select the type of conversion rate agreement you have with the supplier.

  3. In the Conversion Rate field, enter the conversion rate for which one currency can be exchanged for another at a specific point in time.

  4. In the Conversion Rate Agreement Number field, enter the number of the conversion rate agreement with the supplier that specifies the currency in which payments are made.

  5. In the Check Digits field, enter one or multiple digits used to validate a bank account number.

  6. In the Secondary Account Reference field, you can optionally enter additional account information.

  7. In the Agency Location Code field, enter the eight-digit value that identifies a Federal agency as the supplier.

  8. Select the Factor account check box if the purpose of the bank account is to receive funds that are owed to the supplier, but are being collected on behalf of the supplier by the bank or a third party. The supplier receives payments from the funds collected, minus a commission.

    Note: If you select the Factor account check box, then you must select the account owner that provides the factoring services. A factor bank account can be assigned to any supplier without first adding that supplier as a joint owner.

Optionally, Add Joint Bank Account Owners

On the Create Bank Account page, in the Account Owners region, you can optionally add other suppliers to the supplier's bank account as joint bank account owners.

  1. In the Account Owner field, select a joint bank account owner from the list.

  2. In the From Date field, select a starting date for the joint bank account owner.

    Note: Every supplier's bank account has one or more owners. If the supplier wants to share the bank account with another supplier, then there will be multiple owners of the bank account. For multiple bank account ownership, you must specify one owner as the primary owner. The primary owner is the supplier for whom you set up the bank account.

  3. To specify the primary bank account owner among multiple owners, click the check mark icon and then click the Primary field in the applicable bank account row. The check mark icon appears in the row you selected.

  4. To add a row from which to select another joint bank account owner, click the Create icon.

Optionally, Specify Intermediary Accounts

On the Create Bank Account page in the Intermediary Accounts region, you specify intermediary bank accounts for this supplier. If there are restrictions on the transfer of funds between two countries, you can specify an intermediary bank account. An intermediary account is used to transfer funds between the originator's bank and the beneficiary's bank.

Optionally, Assign a Joint Bank Account to a Supplier

From the Bank Accounts subtab at the supplier, supplier address, or supplier site level, you can optionally assign a joint bank account to a supplier.

  1. On the Bank Accounts subtab, select the Create icon. The Search and Select: Bank Account dialog box appears.

  2. In the Search and Select: Bank Account dialog box, select the applicable joint bank account you want to assign to your supplier and click the OK button. The bank account you selected now appears in the Bank Accounts subtab.

Updating Bank, Branch, and Bank Account Numbers on External Bank Accounts: Explained

You can now edit the bank account number of external bank accounts in these modules:

  • Suppliers

  • Customers

  • Expenses

  • Payroll

  • Bill Management

  • Higher Education

  • Human Capital Management

On the simplified bank account page, you can also update the bank and branch if you created the bank account with the Oracle Cash Management profile option named Use Existing Banks and Branches set to Yes. When you update the bank and branch, you must select the same profile option.

Importing Supplier Bank Accounts: How They Are Processed

The Import Supplier Bank Accounts process imports supplier bank accounts and associated data into Oracle Payments Cloud. Service administrators, on-premise administrators, and on-premise users can run this process in the Scheduled Processes area.

Note: You can load data to interface tables using predefined templates and the Load Interface File for Import scheduled process, which are both part of the External Data Integration Services for Oracle Cloud. For more information about file-based data import, see the File Based Data Import guide for your cloud services.

How Importing Supplier Bank Accounts Are Processed

The process to import supplier bank accounts and associated data from interface tables into the application is as follows:

  1. Before you can import supplier bank accounts and associated data, you must create the following:

    • Suppliers

    • Payment methods

    You must also create the following entities if the supplier's bank account is used for international payments:

    • Banks

    • Bank branches

    Banks and bank branches are required if you entered the value Y in the Allow International Payments column in the ibysupplierbankaccimport.xlsm spreadsheet. For information about the ibysupplierbankaccimport.xlsm spreadsheet, see step 2.

  2. From the File-Based Data Import for Oracle Financials Cloud guide, download the data file template named SupplierBankAccountImportTemplate.xlsm in the Supplier Bank Account Import. This spreadsheet file provides instructions in the Instructions and CSV Generation tab, as well as the button that generates the CSV file. The three interface tables in which you must enter data are represented by the following tabs in the spreadsheet:

    • IBY_TEMP_EXT_PAYEES

    • IBY_TEMP_EXT_BANK_ACCTS

    • IBY_TEMP_PMT_INSTR_USES

    For details on entering data in the spreadsheet tabs, you can refer to the help text that is provided for each column in each tab. Then, using a SQL loader tool, you can upload data from the three tabs into the three interface tables.

  3. To load data into the interface tables, follow the instructions under the section titled Loading the Data in the Instructions and CSV Generation tab of the ibysupplierbankaccimport.xlsm spreadsheet.

  4. To import data from the interface tables into Payments tables, follow the instructions under the section entitled Importing the Loaded Data in the Instructions and CSV Generation tab of the ibysupplierbankaccimport.xlsm spreadsheet.

  5. The Import Supplier Bank Accounts process first validates the supplier bank accounts and associated data and then imports the data from the three interface tables into the following Payments tables:

    • IBY_EXT_BANK_ACCOUNTS

    • IBY_EXTERNAL_PAYEES_ALL

    • IBY_PMT_INSTR_USES_ALL

  6. After you run the Import Supplier Bank Accounts process, the following data is created in Payments:

    • Supplier bank accounts

    • Payment preferences, such as payment delivery, payment specifications, and separate remittance advice delivery method

    • Relationship of supplier with supplier bank account

  7. The log output of the Import Supplier Bank Accounts process reports the number of successful and rejected records.

  8. You can import supplier bank account data at any one of the following levels if you have their associated identifiers:

    • Supplier level requires the Supplier Number.

    • Supplier site level requires the Supplier Site Code.

    If only the Supplier Number is provided, the supplier bank account is created at the supplier level.

    If the Supplier Number and the Supplier Site Code are provided, the supplier bank account is created at the supplier site level.

  9. The Primary indicator in the SQL loader file must be set for only one bank account per supplier per level.

    If you set the Primary indicator for multiple bank accounts, then Payments accepts only the first bank account with the indicator set to be the primary account at that level.

    If the indicator is not set for any bank account, Payments accepts the first bank account as the primary.

  10. The Import Supplier Bank Accounts process does not allow you to import the following data:

    • Intermediary accounts

    • Factor accounts

    Intermediary account details and creation of factor accounts can be managed manually through the Manage Suppliers page.
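
A pre-load check for the level and Primary indicator rules in steps 8 and 9, as an added example that is not part of Oracle's tooling: it predicts which account Payments accepts as primary at each level and reports rows whose flag would be ignored or defaulted. The column names and sample rows are constructed for illustration.

```python
import csv, io

# Constructed sample of the account-assignment rows to be loaded. The column
# names are hypothetical; use the ones in your copy of the import template.
SAMPLE = """supplier_number,supplier_site_code,account_number,primary_flag
1001,,11112222,Y
1001,,33334444,Y
1001,SITE-A,55556666,
1001,SITE-A,77778888,
1002,,99990000,Y
"""

def mask(number, show=4):
    """Mask all but the last `show` digits so findings never expose full numbers."""
    return "X" * max(len(number) - show, 0) + number[-show:]

def check_primary(csv_text):
    """Return ({(supplier, site): primary account}, findings) per the documented rules.

    An empty site code means supplier level; a site code means supplier site level.
    Treating each site code as its own level is an assumption of this example.
    """
    groups = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        key = (row["supplier_number"].strip(), row["supplier_site_code"].strip())
        is_primary = row["primary_flag"].strip().upper() == "Y"
        groups.setdefault(key, []).append((line_no, row["account_number"].strip(), is_primary))

    primary, findings = {}, []
    for (supplier, site), accounts in groups.items():
        flagged = [a for a in accounts if a[2]]
        # Documented behaviour: the first flagged account wins; with no flag at
        # all, the first account in the file becomes primary.
        winner = (flagged or accounts)[0]
        primary[(supplier, site)] = winner[1]
        if len(flagged) > 1:
            ignored = ", ".join(f"line {n} ({mask(acct)})" for n, acct, _ in flagged[1:])
            findings.append((supplier, site, "multiple", f"primary flag ignored on {ignored}"))
        elif not flagged:
            findings.append((supplier, site, "none",
                             f"line {winner[0]} ({mask(winner[1])}) becomes primary by default"))
    return primary, findings

if __name__ == "__main__":
    for finding in check_primary(SAMPLE)[1]:
        print(finding)
```

Reviewing these findings before the load matters because the primary account is the one that receives payments by default, and an unintended primary only shows up later as a misdirected payment.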

FAQs for Payment Security

What happens if I create a corporate card and didn't enable encryption?

If you created corporate cards in Oracle Expenses without first enabling encryption in Oracle Payments, encryption of your credit card numbers is automatically enabled. Payments doesn't allow credit card creation without enabling security. You can secure your credit cards with encryption or tokenization.