State Agencies Bulletin No. 2094.1

Subject
PayServ Direct Deposit Access Changes Per the National Automated Clearing House Association (NACHA) Data Security Requirements
Date Issued
January 19, 2023

This bulletin supersedes Payroll Bulletin No. 2094.

Purpose

The purpose of this bulletin is to notify agency payroll offices of a change in Direct Deposit access and visibility that is necessary to remain compliant with NACHA requirements.

Background

According to updated NACHA data security requirements, parties with large volumes of ACH payments are required to protect account numbers used for those payments. Account numbers must be unreadable anywhere they are stored, except when in use to make the payments.

Effective Dates

Changes described in this bulletin are effective beginning January 23, 2023.

OSC Actions

OSC will update the Account Number display on PayServ pages and in PS Query. OSC will update user roles to accommodate agency business processes related to auditing Direct Deposit changes.

PayServ Display Changes

OSC will update the Request Direct Deposit panel and Review Paycheck panel in PayServ to mask the Account Number field.

The Request Direct Deposit panel will display the last 4 digits of the Account Number field only. The Routing Number will continue to display in full.

The Review Paycheck > Paycheck Deductions panel will display the last four digits of the Account Number to which the funds have been disbursed. The Check/Advice Number, Account Type, Bank ID, and Amount will continue to display in full.

Direct Deposit User Security Changes

Users may be assigned to either (1) update or (2) audit the Direct Deposit panel. No user may be assigned both roles.

Users who currently have update access to the Request Direct Deposit panel will continue to be able to update the Account Number field; however, once an update has been saved the Account Number will be masked, displaying only the last 4 digits.

OSC has created a new role for audit access to the Request Direct Deposit panel for review purposes. Agency users assigned this role will have access to view the full, unmasked Account Number on the Request Direct Deposit panel. Users with this role will not have the ability to update the panel.

Users who currently have view access to the Request Direct Deposit panel will continue to be able to view the panel; the Account Number will be masked, displaying only the last 4 digits.

PS Query Changes

All existing queries that return the Direct Deposit Account Number field will display the last 4 digits of the Account Number only. This includes Locked Queries, public queries, and private queries. User Roles related to the Request Direct Deposit panel will not affect the results in PS Queries.

Agency Actions

Agencies should identify users who are responsible for the audit of Direct Deposit entries. Once the audit users have been identified, the Agency Security Coordinator should request the access to audit Direct Deposit for the users by contacting [email protected].

Note: Users may not have both the update and audit roles for the Request Direct Deposit panel. If audit access is requested for a user, any conflicting roles will be removed.

Questions

Questions related to this bulletin may be directed to the Direct Deposit mailbox.