Bank Account Number Masking in Payroll Reports

To prevent display of sensitive bank account information, you can use the option of masking or encrypting bank account information in these reports:

  • Payslips

  • Payment Register

  • Third-Party Payment Register

Masking involves displaying only a few specific characters of the account number or IBAN number, usually characters at the start or end of the number. The remaining characters are obfuscated and you can't see them on the reports. For example, a customer may want to display only the last 4 characters of the account number. In such cases, an account number ABC123456 displays as XXXXX3456 in reports and UIs that support masked account numbers.

Encryption requires a secure key for decoding the encrypted account number and IBAN number through an API. The application displays the truncated account or IBAN number when the encryption is turned on and the full, clear number when the encryption is turned off.

Settings that Affect Account Number Masking

The application stores the bank account number and IBAN number information in these columns of the database tables:

  • Original column that stores the visible unmasked portion of the numbers.

  • Masked column that stores the masked numbers. When masking isn't enabled, these columns store the full numbers.

  • Secured column that stores the encrypted numbers and requires a secure key to retrieve the data.

This table shows how the bank account numbers are stored in the tables depending on how you configure masking and encryption.

| Actual Account Number | Configuration - Masking | Configuration - Encryption | Original Column | Masked Column | Secured Column |
|---|---|---|---|---|---|
| ABC123456 | No | No | ABC123456 | ABC123456 | ABC123456 |
| ABC123456 | Yes | No | ABC123456 | XXXXX3456 | ABC123456 |
| ABC123456 | Yes | Yes | 3456 | XXXXX3456 | ABC123456 |

Note: The above table assumes that the masking setup displays only the last four characters of the bank account number.

  • The first row in the table shows the default settings, where both masking and encryption are turned off. The original full number is stored in all three columns.

  • The second row in the table depicts a scenario where masking is turned on but encryption is turned off. In this case the masked column displays only the last four characters of the account number.

  • The third row depicts a scenario where both masking and encryption are turned on. In this case the original column contains the truncated four-digit account number. You need the secure key to retrieve the full account number from the secured column.

When you turn on encryption, the unsecured account number and IBAN columns show only the visible characters as defined by masking. This means that to turn on encryption, you must turn on masking. However, you can turn on masking without turning on encryption.
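The storage rules in the table above, as an added Python example (not Oracle code, and not part of the original page): it derives the expected original and masked column values for a configuration and audits stored rows against them. The function names, the row layout and the sample rows are constructed for illustration; the secured column isn't modelled because the page doesn't describe the encryption itself.

```python
MASK_CHAR = "X"  # mask character used in the page's XXXXX3456 example

def mask(number, visible=4):
    """Hide all but the last `visible` characters: ABC123456 -> XXXXX3456."""
    if visible >= len(number):
        return number
    return MASK_CHAR * (len(number) - visible) + number[len(number) - visible:]

def expected_columns(number, masking, encryption, visible=4):
    """Return (original, masked) column values for a masking/encryption setup."""
    if encryption and not masking:
        # The page states that turning on encryption requires masking.
        raise ValueError("encryption requires masking to be turned on")
    original = number[len(number) - visible:] if encryption else number
    masked = mask(number, visible) if masking else number
    return original, masked

def audit_row(original, masked, masking, encryption, visible=4):
    """Return findings for one stored row; an empty list means consistent."""
    findings = []
    if encryption and not masking:
        findings.append("encryption on without masking")
    if encryption and len(original) > visible:
        findings.append("original column holds more than the visible characters")
    if masking:
        hidden = masked[:max(len(masked) - visible, 0)]
        if hidden.strip(MASK_CHAR):  # anything other than mask characters
            findings.append("masked column exposes hidden characters")
    return findings

# Constructed sample rows: (original, masked, masking_on, encryption_on)
SAMPLE_ROWS = [
    ("ABC123456", "ABC123456", False, False),  # table row 1
    ("ABC123456", "XXXXX3456", True, False),   # table row 2
    ("3456", "XXXXX3456", True, True),         # table row 3
    ("ABC123456", "XXXXX3456", True, True),    # full number left behind
    ("3456", "ABC123456", True, True),         # masked column never masked
]

def audit_all(rows=SAMPLE_ROWS):
    """Audit every row and return a list of (row_index, findings) for failures."""
    results = [(i, audit_row(*row)) for i, row in enumerate(rows)]
    return [(i, f) for i, f in results if f]

if __name__ == "__main__":
    for index, findings in audit_all():
        print(f"row {index}: {'; '.join(findings)}")
```
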

How Account Number Masking Works

Use the new Extract Unmasked Bank Information (ORA_PAY_UNMASKED_ACCOUNT_INFO) process configuration parameter to display either the masked or full numbers in the reports. This new parameter gives you:

  • Consistency across the three reports

  • Control over how the numbers display on the reports

The following figure shows how account number masking happens for the three reports.

[Figure: Account number masking]

The figure shows the following:

  • The first stream layer shows the table columns that store the account number information.

  • The second stream layer shows the XML tags and process configuration groups.

  • The third stream layer shows the RTF fields shown on the report template.

As explained in the previous section, the application stores the account number information in three separate columns.

The new ORA_PAY_UNMASKED_ACCOUNT_INFO process configuration parameter controls the MASKED_ACCOUNT_NUM tag to display:

  • The masked account number when the process configuration parameter is left at its default or set to No, or

  • The clear or full account number when the process configuration parameter is set to Yes.

For example, if you mail a copy of the Third-Party Payment Register to the payee, you may want to mask the sensitive bank account information. If the same report is shared securely within the Payroll Department to verify the bank account details, you may run the report with the process configuration parameter set to Yes.

All the three reports use the MASKED_ACCOUNT_NUM XML field to display the Account Number.

You can use the BANK_ACCOUNT_NUM field if you use an older copy of the three reports. If you do so and you have turned on encryption, you can use the ORA_PAY_DECRYPTED_ACCOUNT_INFO parameter to switch between a clear and truncated number.