  • 1.  Auditors asked if we can protect Safepay file

    Posted Aug 31, 2022 04:54 PM
    Currently, the safepay file that is sent to the bank can be edited by finance staff. We never do but you can. Our auditors asked if we can make this file read-only so that they know the records sent to the bank are the same as the checks printed. I don't know if the file could be protected but also allow Finance to overwrite it each day and then access that folder to send it to the bank.

    Darrell Hodge
    Austin TX

  • 2.  RE: Auditors asked if we can protect Safepay file

    Posted Sep 01, 2022 12:56 AM
    @Darrell Hodge

    Using GP Power Tools, we can run a trigger after the safepay file has been generated and perform whatever actions you want on it.

    We could use the command line Attrib command to make it read only, we could zip it with a password, we can encrypt and sign it, anything really.

    However, the issue is that it still needs to be readable by the bank's software or website.  Marking the file as read only does not stop someone copying the contents to another file and editing that, nor does it stop someone using the Windows File Properties window to remove the read only.

    The best solution would be automating the upload to the Bank immediately after it is generated so it cannot be altered manually. We could probably achieve this too with GP Power Tools as we can call a webservice or access a website from code.



    David Musgrave MVP, GPUG All-Star

    Managing Director
    Winthrop Development Consultants

    Perth, Western Australia

  • 3.  RE: Auditors asked if we can protect Safepay file

    Posted Sep 01, 2022 09:03 AM

    Good morning,

    @David Musgrave has some great suggestions (as usual :) ).  We had similar requirements, and we also transmit ACH files, so had security concerns with sensitive account information being stored in text files accumulating in directories that all the accounting staff had access to.

    If you're using Office 365 and have access to Power Automate, we chose to implement a Power Automate flow that waits for a file to be generated, and as soon as it's generated (usually it's in the folder less than 30 seconds), it sends it to the bank via a secure FTP (SFTP), then removes the file from the GP shared directory, and places a copy (for backup) in a secure SharePoint folder where the general accounting staff does not have access. As David mentions, you can protect the file in a multitude of ways, we use a re-naming strategy that makes it easier to archive and locate at a later date. It had the added benefit of saving time by manually uploading files, and having less of a need to share bank login credentials. If you change banks, Power Automate is also a quick switch to change out a connector with the new bank credentials and/or transmission method, which may be simpler than a coded solution.

    Jeff Woodard
    Chief Technical Officer
    Transportation Financial Services, Inc.
    West Palm Beach FL

  • 4.  RE: Auditors asked if we can protect Safepay file

    Posted Sep 02, 2022 10:04 AM
    I am not the developer so I cannot give great detail as to what we did but here is the general layout of the process we put in place.  First, the EFT and safepay files are placed in folders on the network with only rights to that folder to those who will upload the files to the bank.  Second, the developers added some code to the file creation process that hashes the file and then stores the value of the file's hash in a database table that is secured.  Then when the files are transmitted, the file being submitted is hashed again and the hash value is checked against the created hash value.  If the file had been altered, those values will not be equal and the transmission is aborted.

    Bill Jones
    Systems Engineer, Financial Systems
    Universal Service Administrative Company
    Washington MD
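
The hash-at-creation, verify-at-transmission control described in post 4, sketched as an added example; it is not the code used by any poster's organization. Assumptions: SHA-256 as the hash (the post does not name one), an in-memory SQLite table standing in for the secured database table, dated file names, and hypothetical function and table names.

```python
import hashlib
import hmac
import sqlite3
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash the file in chunks so large exports are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def open_store(db_path=":memory:"):
    """Stand-in for the secured table; finance users should have no write access."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS export_hashes "
                 "(file_name TEXT PRIMARY KEY, sha256 TEXT NOT NULL)")
    return conn

def record_export(conn, path):
    """Run right after file creation. The plain INSERT fails on a duplicate
    name, so an existing hash cannot be silently replaced."""
    digest = sha256_file(path)
    conn.execute("INSERT INTO export_hashes VALUES (?, ?)",
                 (Path(path).name, digest))
    conn.commit()
    return digest

def verify_before_send(conn, path):
    """Return True only when the file still matches its recorded hash."""
    row = conn.execute("SELECT sha256 FROM export_hashes WHERE file_name = ?",
                       (Path(path).name,)).fetchone()
    if row is None:
        return False  # never registered: do not transmit
    return hmac.compare_digest(row[0], sha256_file(path))

def demo():
    """Constructed sample data: one check record, then a changed amount."""
    conn = open_store()
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "safepay_20220902.txt"
        export.write_text("1001,2022-09-02,1500.00,ACME SUPPLY\n")
        record_export(conn, export)
        unchanged_ok = verify_before_send(conn, export)
        export.write_text("1001,2022-09-02,9500.00,ACME SUPPLY\n")
        changed_ok = verify_before_send(conn, export)
    return unchanged_ok, changed_ok  # (True, False): the second send is aborted
```

The control is only as strong as the permissions on the hash table: anyone who can rewrite both the file and its stored hash can defeat it.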
