
My ePay Window is a highly secure website and service:

  • All traffic to and from My ePay Window is sent over HTTPS.

  • My ePay Window has a security certificate (PDF) issued by a top-level provider.

  • The portal is secured behind firewalls and is subject to weekly and annual third-party security tests.

  • Portal data and documents (where applicable) are encrypted at rest using TDE with AES-128.

  • All actions carried out on the portal are audited and traceable to individual user accounts.

Passwords must be at least 8 characters long and contain 1 upper case letter, 1 lower case letter, 1 number and 1 special character. When a password is saved to the database, it is not stored as plain text; it is hashed and is therefore unreadable.

Five successive attempts to log in with invalid credentials will lock the user out for 1 hour before another login attempt is allowed. Additionally, My ePay Window automatically logs users out after 5 minutes of inactivity, to minimise the possibility of sensitive data being viewed on unattended devices.
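The password, lockout and inactivity rules above can be modelled as a small state machine. This is an added example, not My ePay Window's own code; the function names, the reading of "special character" as ASCII punctuation, and the choice that attempts made during a lockout do not extend it are assumptions.

```python
import string
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 8
MAX_FAILURES = 5          # successive failed logins before lockout
LOCKOUT_SECONDS = 3600    # 1 hour
IDLE_SECONDS = 300        # 5 minutes of inactivity

def password_policy_errors(password):
    """Return the policy rules the password fails (empty list = compliant)."""
    rules = {
        "at least 8 characters": len(password) >= MIN_LENGTH,
        "1 upper case": any(c.isupper() for c in password),
        "1 lower case": any(c.islower() for c in password),
        "1 number": any(c.isdigit() for c in password),
        # Assumption: "special" means any ASCII punctuation character.
        "1 special character": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in rules.items() if not ok]

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    last_activity: Optional[float] = None   # None = no active session

def attempt_login(state, credentials_ok, now):
    """Apply the lockout rule; returns 'ok', 'denied' or 'locked'."""
    if now < state.locked_until:
        return "locked"                 # correct credentials are refused too
    if credentials_ok:
        state.failures = 0              # only successive failures count
        state.last_activity = now
        return "ok"
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.locked_until = now + LOCKOUT_SECONDS
        state.failures = 0
        return "locked"
    return "denied"

def keep_alive(state, now):
    """Record activity; returns False once the session has idled out."""
    if state.last_activity is None or now - state.last_activity >= IDLE_SECONDS:
        state.last_activity = None      # force a fresh login
        return False
    state.last_activity = now
    return True
```

Passing `now` in explicitly keeps the clock under the caller's control, so the one-hour and five-minute boundaries can be tested without waiting.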

Enforcing additional security

To allow My ePay Window to comply with prevailing corporate security guidelines (at an Employer or Bureau), 2-Step authentication (2SA) or 2-Factor authentication (2FA) can be enforced for all user accounts in a company:

Enforce for Payroll Department Users

Enable 2-Step authentication (2SA) or 2-Factor authentication (2FA) for your users via the Administration menu (access will depend on user permissions). All Bureau users will be forced to use the additional security method chosen at next logon.

Enforce for your Employer and Employee users

Enable 2-Step authentication (2SA) or 2-Factor authentication (2FA) for your Employer & Employee users via the Administration menu. All Employer & Employee users will be forced to use the additional security method you have chosen at next logon. Payroll Department users can enable this through Clients/Administration if they provide a fully managed service.

If additional authentication is not enforced, 2SA/2FA can optionally be enabled by individual users via the My Settings/My Account pages. When an employer or bureau enforces a different method of additional security from the one an employee already uses, the employee will need to set up the new method at next logon, and the prior method will be replaced.


  • Ensure compliance with company policies, and that the most appropriate additional security is used to protect sensitive personal data, as per PSD2 banking directives.

  • If company policy does not mandate additional security, allow individual users the choice to set their own additional security preferences via their ‘My Settings’ option.

  • Provide an easy and fully self-service process to reset forgotten 2SA/2FA details without the need for Bureau or Employer user involvement.