R2R Series Blog #16: Delivering security when approving payments in SAP S/4HANA

This is Blog #16 in our Record to Report Blog Series. You can find the complete series outlined HERE.

Author: Josef Schlenkrich, Product Manager SAP S/4HANA Payments and Bank Communication

Security in payment transactions is a topic that must be challenged and checked on a regular basis, either by internal or external audit. The outbreak of COVID-19 has made working remotely from home one of the standard working models, and this is expected to continue long into the future. Hence there is a huge need to establish more sophisticated security mechanisms for working securely from home. The current climate of uncertainty often erodes users’ attention to security quite easily, which is why there are so many reports of phishing attacks and fraud via social engineering; see also https://en.wikipedia.org/wiki/Social_engineering_(security).

So, companies face a double-edged challenge, or dilemma. On the one hand, they are expected to make their payment processes as efficient and inexpensive as possible. On the other hand, the responsibility is on them to introduce stringent security measures to prevent financial losses caused by fraud and cybercrime. According to a recent study, every company loses 5% of its revenues to fraud, which has a severe impact on the profitability of the organization. Therefore, it is vital and a business imperative to make payments more secure and to avoid unauthorized payments.

The dual control principle and segregation of duties have been well established in the processes of finance departments for decades. But it is no longer sufficient to simply use passwords for authentication.

The ever-growing computing power provided by “normal” standard computers makes brute force attacks (testing password combinations with an automated system) no longer an exotic form of attack from the Darknet, but quite feasible for everyone. Personal information and background information can easily be found on social media. These hints make passwords much easier to crack than in the past.

This makes security mechanisms such as Two-Factor authentication (2FA), also known as MFA (multi-factor authentication), a business imperative. You may have heard of it in the context of the Payment Service Providers Directive (PSD) and its amendment PSD2. For online shopping, for example with PayPal, Amazon, or your own house bank, it is already a business standard.

Since January 1st, 2021, the EU Payment Services Directive requires strong authentication (SCA = Strong Customer Authentication), for example for online card payments as well. At least two out of three safety factors must then be met: knowledge, possession, and inherence. There are, however, legally stipulated exceptions and exclusions from this rule. This means that online merchants can and will continue to make card payments more convenient and keep the number of cancelled purchases in the payment process low (see EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION).

Procedures for Two-factor authentication should also be set up for the payment approval processes in your SAP system.

In contrast to the user’s private environment, an e-mail is not the best choice as a second factor for SAP access. A business mobile phone would be an option: when requested in the approval process, an app sends a push notification (alternatively an SMS) with a code to the user’s smartphone, and the user then enters and confirms that code.

In addition to the password (something you know = knowledge), the mobile phone is used here as a hardware component (something you own = possession). Access to the phone is usually secured by biometric characteristics (something you are = inherence), and the system, consisting of the phone as the “hard” component and the password as the “soft” component, is best practice in many cases.

Two-Factor authentication (2FA) is supported in SAP S/4HANA Finance via workflow-based payment approvals for both On Premise/Private Cloud and Public Cloud:

Remark: BNK_APP (On Premise) still supports authentication via username and password and the confirmation of a transaction (for example the approval of a payment batch) by entering the password again. From a security perspective this is of course weaker than the 2FA described above, because a second entry of the same password adds no new factor.

SAP Cloud Platform Authentication (IAS):

  • Supports all deployment options and applications (Fiori application Approve Bank Payments and GUI transaction BNK_APP)
  • Authentication by IAS: users must enter a passcode generated by the SAP Authenticator app on their mobile device before the payment batches are submitted.
  • UPDATE – 15-May-2021: SAP Identity Authentication is a service which is now being bundled with many SAP Cloud Solutions and offered with SAP Business Technology Platform (BTP). This service is free to use for logon to SAP-branded cloud applications as well as platform apps.

SAP Authentication 365 (SAP365):

  • Is only available for On Premise/Private Cloud and the Fiori application Approve Bank Payments.
  • Authentication by SAP365: users must enter a token sent by SMS to their registered mobile device before the payment batches are submitted.
  • Note that SAP Authentication 365 has been acquired by Sinch. Hence, customers looking to enable SMS-based MFA within Identity Authentication service would need a subscription to Sinch Authentication 365 (provided by Sinch).
  • You can find more information about Sinch in general via: https://authentication.sapdigitalinterconnect.com/documentation/documentation_overview/

For new implementations of 2FA, SAP recommends implementing and using SAP Cloud Platform Authentication (IAS), as it supports all deployment and application scenarios and is part of the SAP Business Technology Platform (BTP).

Calls to action:

To learn more about related solutions check out this on demand event:

SAP Treasury and Working Capital Management Live | TAC Events

Also check out: https://www.sap.com/products/erp-financial-management/treasury-management.html

And check out the rest of our series:

R2R Series Blog #1: Record to Report Blog Series Kick Off | SAP Blogs

R2R Series Blog #2: How to increase process efficiency in the financial close leveraging SAP’s Modern Finance and Risk Platform | SAP Blogs

R2R Series Blog #3: Why did the accountant cross the road? | SAP Blogs

R2R Series Blog #4: Ignite Your Growth of Bottom Line with SAP S/4HANA GR/IR | SAP Blogs

R2R Series Blog #5: Hard Close, Fast Close, Soft Close and Continuous Accounting | SAP Blogs

R2R Series Blog #6: Build vs Buy – 3rd Party Data Integration for SAP Central Finance | SAP Blogs

R2R Series Blog #7: Market Overview – SAP Contract and Lease Management | SAP Blogs

R2R Series Blog #8: Make your SAP S/4HANA for Central Finance implementation a success | SAP Blogs

R2R Series Blog #9: Automated Revenue Management | SAP Blogs

R2R Series Blog #10: Why You Need SAP Account Substantiation & Automation by BlackLine if you’re running SAP S/4HANA | SAP Blogs

R2R Series Blog #11: How SAP Account Substantiation and Automation by BlackLine Complements SAP Treasury Management | SAP Blogs

R2R Series Blog #12: Improving Compliance & Controls with SAP GRC & SAP Account Substantiation and Automation by BlackLine | SAP Blogs

R2R Series Blog #13: Modern Entity Closing using SAP S/4HANA Cloud for Advanced Financial Closing as a Cloud-based Hub | SAP Blogs

R2R Series Blog #14: Run Centralized Payment Operations on SAP S/4HANA Finance: A Platform Built for the Future | SAP Blogs