Sage 100

  • 1.  Has anyone else received a question from their cli

    Posted 09-24-2013 09:31
    Has anyone else received a question from their client about the security of customer or vendor stored information in SAGE 100 ERP as it relates to ACH Bank Account Numbers and Routing Numbers? Here is the email my client received from their bank. Has SAGE addressed these new NACHA requirements?

    *****************************************************************************************************************
    The NACHA Operating Rules and Guidelines have been amended. The ACH Security Framework amendment is aimed at protecting the security and integrity of certain ACH data throughout its lifecycle. The new ACH Security Framework rule requires ACH originators to establish, implement and, as appropriate, update security policies, procedures and systems related to the initiation, processing and storage of entries and the resulting Protected Information.

    The Protected Information is the non-public personal information, including financial information, of a natural person used to create, or contained within, an entry and any related Addenda Record:
    • Customer name
    • Bank account number and routing number
    • Social Security numbers
    • Addenda information

    These policies, procedures and systems must:
    1) Protect the confidentiality and integrity of the Protected Information
    2) Protect against anticipated threats or hazards to the security and integrity of Protected Information
    3) Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person

    What this means for you as an Originator: As an ACH originator you have already entered into an agreement to comply with the existing data security requirements of the rules, as well as all the NACHA Operating Rules and Guidelines.

    This new rule requires that you, as the originator, have policies, procedures and commercially reasonable technology to protect the Protected Information (as stated above) from the point of entry through the lifecycle of the ACH transaction, including the 6-year retention period. This rule requires you to establish policies and procedures for any system, access devices, electronic storage or paperwork containing the Protected Information. If your company has policies in place, you will want to review them and, as appropriate, make any necessary adjustments to ensure you are in compliance with the ACH Security Framework. As the Financial Institution, we are required annually to ensure that you, as our originator, are complying with this and all NACHA Originating Rules and Guidelines. A complete guide to the Rules governing the ACH Network is available to you online: www.achrulesonline.org
    ******************************************************************************************************************


  • 2.  RE: Has anyone else received a question from their cli

    Posted 09-24-2013 10:15
    Oh, no, not more security crap. :-(


  • 3.  RE: Has anyone else received a question from their cli

    Posted 09-24-2013 10:29
    Would you want your bank account info accessible to just anybody? I know it has been convenient to get a copy of the customer's data to use in our own sandboxes, but it's a liability nightmare if the data includes bank or credit card data. We need to get into the habit of requiring each customer to have their own sandbox virtual machine for dev and test of mods and upgrades.


  • 4.  RE: Has anyone else received a question from their cli

    Posted 09-24-2013 10:43
    It's pretty rare that I take any customer data to my own site. If we are doing an extended upgrade/conversion/etc., it's on the customer's site and we access it via RDP. I've been afraid of this potential liability for quite some time (especially as it relates to payroll).


  • 5.  RE: Has anyone else received a question from their cli

    Posted 09-24-2013 14:03
    It's not just the payroll info, but also 1099 data and ACH. As the email above states, this relates to a "natural person", but what difference does it make if it's a "person" or "company" bank account/ids/etc. stored in the system? It should be secure, like what we go through for PCI compliance. It seems that there are two parties involved in securing the data: the "originator" and the software provider, aka Sage. We can help the client set up security in the system to prevent unauthorized access, export, or other means of compromise, but after you've set it up, there is always the chance of, say, the CFO's crazy son demanding access, or a lazy customer not maintaining the security. In any case, we should all have a clause in our contracts to release us from responsibility, a hold harmless clause.