Encrypting Sensitive Data

The product provides support for encrypting certain sensitive data, which may be necessary if your implementation wants to meet security standards such as those for credit card transactions, as specified by the Payment Card Industry Security Standards Council.

Please be sure that you are familiar with the information documented in Database Encryption and Masking before reading further.

The remaining details in this section provide information about the fields in the product that support encryption along with the suggested configuration for the Encryption feature configuration entry if your implementation opts to encrypt the data.

External Account ID and Credit Card Number Encryption

If your implementation would like to encrypt credit card IDs, the following entry should be added to the Encryption feature configuration so that the data stored in the External ID column on the Account Automatic Payment table is encrypted:

table='CI_​ACCT_​APAY', field='EXT_​ACCT_​ID', encryptedField='ENCR_​EXT_​ACCT_​ID'

Note:
  • The External Account ID field also exists on other tables such as Auto Pay Clearing Staging table (CI_​APAY_​CLR_​STG) and Payment Event Upload Staging table (CI_​PEVT_​DTL_​ST) . Feature configuration options do not need to be configured for the External Account ID field on these tables as the field on these related tables is encrypted based on the feature configuration specified above for the Account Automatic Payment table (CI_​ACCT_​APAY).
  • A customer’s bank account ID or credit card number may also be stored in a column when an order is completed. A field encryption feature configuration for the Order Field table (CI_​ENRL_​FLD) does not need to be configured if the customer’s bank account ID or credit card number is referenced on this table. The encryption for the field should be handled by a Column Reference - Preprocessing algorithm. The base product provides an Encrypt Account Auto Pay External Account Id Column Reference Value algorithm type for this purpose.
  • A field encryption feature configuration option needs to be configured for each schema field to be encrypted that represents a customer’s bank account ID or credit card number. If the value of an encrypted schema field will later be populated on or compared against an encrypted table field, the schema field and the table field must share the same key alias.

If your implementation is integrated with a self-service application and one time payment details are captured in Person Self-Service Payment Option (C1_​PER_​SS_​PAYOPT) , the product supports encryption of the Credit Card Number and External Account ID fields on this table. In addition, the product supports a hash representation of this fields for searching purposes. To encrypt Credit Card Number and External Account ID, add the following entries to the Encryption feature configuration:

  • table='C1_​PER_​SS_​PAYOPT', field='CREDIT_​CARD_​NBR', encryptedField='ENCR_​CREDIT_​CARD_​NBR',hashField='HASH_​CREDIT_​CARD_​NBR'

  • table='C1_​PER_​SS_​PAYOPT', field='EXT_​ACCT_​ID', encryptedField='ENCR_​EXT_​ACCT_​ID', hashField='HASH_​EXT_​ACCT_​ID'

Bank Account Number Encryption

If your implementation would like to encrypt the bank account number stored on the back account table, the following entry should be added to the Encryption feature configuration:

table='CI_​BANK_​ACCOUNT', field='ACCOUNT_​NBR', encryptedField='ENCR_​ACCOUNT_​NBR'

MICR ID Encryption

The product provides support for encrypting MICR ID associated with payments. In addition, the product supports capturing a hash representation of this field for searching purposes. This field is captured on three tables and entries should be added to the Encryption feature configuration for each as follows:

  • table='CI_​PEVT_​DTL_​ST', field='MICR_​ID', encryptedField='ENCR_​MICR_​ID', hashField='HASH_​MICR_​ID'
  • table='CI_​PAY_​TNDR_​ST', field='MICR_​ID', encryptedField='ENCR_​MICR_​ID', hashField='HASH_​MICR_​ID'
  • table='CI_​PAY_​TNDR', field='MICR_​ID', encryptedField='ENCR_​MICR_​ID', hashField='HASH_​MICR_​ID'
Note: All configurations must share the same key alias.

Person ID Number Encryption

The product provides support for encrypting an identifier associated with a person. In addition, the product supports capturing a hash representation of this field for searching purposes. Because the ID collection on Person includes an ID type, your implementation may decide to encrypt all IDs captured for the person or may choose to only encrypt IDs of one or more specific ID types. If you want to encrypt multiple ID types, you must configure a field encryption option type for each ID type. The following shows an example of an encryption feature configuration entry for encrypting an ID with the type “SSN”:

table='CI_​PER_​ID', field='PER_​ID_​NBR', encryptedField='ENCR_​PER_​ID_​NBR', hashField='HASH_​PER_​ID_​NBR', where='ID_​TYPE_​CD=SSN’

Note:
  • The Person ID Number also exists on the Order Person ID table (CI_​ENRL_​PER_​ID) table. Feature configuration options do not need to be configured for the Person ID Number field on this table as the field is encrypted based on the feature configuration specified above for the Person Identifier table (CI_​PER_​ID).
  • The Person ID Number may also be stored in a column when an order is completed. A field encryption feature configuration for the Order Field table (CI_​ENRL_​FLD) does not need to be configured if the Person ID Number is referenced on this table. The encryption for the field should be handled by a Column Reference - Preprocessing algorithm. The base package provides an Encrypt Column Reference Value algorithm type for this purpose.
  • A field encryption feature configuration option needs to be configured for each schema field to be encrypted that represents a Person ID Number. If the value of an encrypted schema field will later be populated on or compared against an encrypted table field, the schema field and the table field must share the same key alias.

Company ID Encryption

The product provides support for encrypting the Company ID that is populated into automatic payment extract files. If your implementation would like to encrypt company IDs on the Auto Pay Route Type table (CI_​APAY_​RT_​TYPE), the following entry should be added to the Encryption feature configuration:

table='CI_​APAY_​RT_​TYPE', field='CO_​ID', encryptedField='ENCR_​CO_​ID'

In addition, if your implementation allows Company ID overrides by CIS Division, the following entry should be added to the Encryption feature configuration so that the Company ID on the CIS Division Route Type table (C1_​CIS_​DIV_​RTYP) is encrypted.

table='C1_​CIS_​DIV_​TRYP', field='OVRD_​CO_​ID', encryptedField='ENCR_​OVRD_​CO_​ID'