R2R Series Blog #16: Delivering security when approving payments in SAP S/4HANA
This is Blog #16 in our Record to Report Blog Series. You can find the complete series outlined HERE.
Author: Josef Schlenkrich, Product Manager SAP S/4HANA Payments and Bank Communication
Security in payment transactions is a topic that must be challenged and checked regularly, by internal or external audit. The outbreak of COVID-19 has made working remotely from home one of the standard working models, and it is expected to remain so long into the future. Hence there is a strong need for more sophisticated security mechanisms that allow people to work securely from home. The current climate of uncertainty easily pushes users’ security concerns into the background, which is why there are so many reports of phishing attacks and fraud via social engineering; see also https://en.wikipedia.org/wiki/Social_engineering_(security).
So, companies face a double-edged challenge. On the one hand, they are expected to make their payment processes as efficient and inexpensive as possible. On the other hand, it is their responsibility to introduce stringent security measures that prevent financial losses caused by fraud and cybercrime. According to a recent study, every company loses 5% of its revenue to fraud, which has a severe impact on profitability. Making payments more secure and preventing unauthorized payments is therefore a business imperative.
Dual control principles and segregation of duties are no longer sufficient
The dual control principle and segregation of duties have been well established in finance department processes for decades. But simply using passwords for authentication is no longer sufficient.
The ever-growing computing power of ordinary standard computers means that brute force attacks (automatically testing password combinations) are no longer an exotic form of attack from the Darknet but quite feasible for everyone. Personal and background information can easily be found on social media, and such hints make passwords much easier to crack than in the past.
This makes security mechanisms such as two-factor authentication (2FA), also known as multi-factor authentication (MFA), a business imperative. You may have heard of it in the context of the Payment Services Directive (PSD) and its amendment PSD2. For online shopping, for example with PayPal, Amazon, or your own house bank, it is already a business standard.
Since January 1st, 2021, the EU Payment Services Directive also requires strong customer authentication (SCA), for example for online card payments. Two of the three security factors must then be met: knowledge, possession, and inherence. There are, however, legally stipulated exceptions and exclusions from this rule, which means that online merchants can and will continue to make card payments more convenient and keep the number of purchases cancelled during the payment process low (see EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION).
Two-Factor authentication (2FA)
Two-factor authentication procedures should also be set up for the payment approval processes in your SAP system.
In contrast to the user’s private environment, e-mail is not the best choice as a second factor for SAP access. A business mobile phone is a better option: when requested in the approval process, an app sends a push notification (alternatively an SMS) with a code to the user’s smartphone, and the user enters and confirms that code.
In addition to the password (something you know = knowledge), the mobile phone is used here as a hardware component (something you own = possession). Access to the phone is usually itself secured by biometric characteristics (something you are = inherence), and the combination of the phone as the “hard” component and the password as the “soft” component is best practice in many cases.
Two-Factor authentication in SAP S/4HANA Finance
Two-Factor authentication (2FA) is supported in SAP S/4HANA Finance via workflow-based payment approvals for both On Premise/Private Cloud and Public Cloud:
Remark: BNK_APP (On Premise) still supports authentication via username and password and the confirmation of a transaction (for example the approval of a payment batch) by entering the password again. From a security perspective this is of course weaker than the 2FA described above.
SAP Cloud Platform Authentication (IAS):
- Supports all deployment options and applications (FIORI Application Approve Bank Payments and GUI Transaction BNK_APP)
- Authentication by IAS: users must enter a passcode generated by the SAP Authenticator app on their mobile device before the payment batches are submitted.
- UPDATE – 15-May-2021: SAP Identity Authentication is a service that is now being bundled with many SAP Cloud Solutions and offered with SAP Business Technology Platform (BTP). This service is free of charge for logon to SAP-branded cloud applications as well as platform apps.
- You can find more information via:
- Identity Authentication in general https://help.sap.com/viewer/product/IDENTITY_AUTHENTICATION/Cloud/en-US
- Identity Authentication 2FA:
- Identity Authentication user management: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/228428f9f476449cafd841a68d75b234.html
SAP Authentication 365 (SAP365):
- Is only available for On Premise/Private Cloud and the FIORI Application Approve Bank Payments.
- Authentication by SAP365: users must enter a token sent by SMS to their registered mobile device before the payment batches are submitted.
- Note that SAP Authentication 365 has been acquired by Sinch. Hence, customers looking to enable SMS-based MFA within Identity Authentication service need a subscription to Sinch Authentication 365 (provided by Sinch).
- You can find more information about Sinch in general via: https://authentication.sapdigitalinterconnect.com/documentation/documentation_overview/
For new implementations of 2FA, SAP recommends implementing and using SAP Cloud Platform Authentication (IAS), as it supports all deployment and application scenarios and is part of the SAP Business Technology Platform (BTP).