256-bit encryption - all data transferred to and from MyPayCenter.com is encrypted using 256-bit encryption. The site can only be accessed via HTTPS, so there are no opportunities for hackers to capture login credentials or other personal information.
Customizable Secret Questions - when registering, the client is required to enter a secret question and answer. If the user needs a new password, the user must know the secret answer, but is not given the secret question. This acts as a second password and further barrier to hackers changing a password.
Unique Logins and Passwords - each user selects their own unique username and password. Using usernames to log in, instead of e-mail addresses, ensures that acquaintances cannot log in using a known e-mail address.
Encrypted Passwords - passwords are encrypted and not visible to CSRs or even software developers.
User Lockouts - if someone attempts to log in with a bad password 5 times, the account is locked out until a CSR speaks with the user.
Limited Registration - only client administrative users and CSRs can create new users. An employee cannot sign up directly.
Client Security Matrix - screen-level security can be configured by user, so HR users, CPAs, or department managers can be provided access to only the data they need to see.
Data Stored by Client - many web products will have a single database containing all client data - as a result, one tiny bug could expose sensitive data to other clients. With MyPayCenter’s unique design, this is not possible.
No local data storage - MyPayCenter does not store private data in the user’s browser. On many websites, data is cached locally for performance and easier access. This means that after a user is finished, another individual could click the back button to access sensitive data. With MyPayCenter, the entire page is re-fetched every time - so once the user logs off (or is logged off automatically after 15 minutes), the data can no longer be accessed except by logging in again.
E-mail notifications when issues are detected - MyPayCenter will automatically e-mail the user when it detects an attempted security breach. Example cases:
An invalid password was entered. The user is automatically e-mailed, so if someone is trying to hack an account, the user would immediately know via e-mail.
The user is locked out. If the login is locked due to too many invalid login attempts, the user will be notified.
The user attempts to log in from a different computer or location. MyPayCenter requires that clients confirm their identity, via an e-mail link, when moving to a new location. This ensures that a hacker cannot easily log in - even if using a stolen laptop.
Change in e-mail address or password. If the user’s e-mail or password is changed, MyPayCenter sends out a confirmation message (to both addresses if the e-mail is changed).
Physical Security Measures at the Service Bureau:
Confidential data only visible to approved CSRs
CSRs must verify the identity of users requesting password resets or changes to confidential info
Confidential reports can only be printed in a secure area of the service bureau that is not accessible by most employees
All data is stored at the service bureau. Web and database servers are maintained in a locked room that can only be accessed by a limited number of technical staff
Backups are taken nightly
Backups are stored in multiple locations to ensure a high degree of redundancy