Understanding Data Encryption for Payroll Interface

This topic provides additional information about the implementation of the bank account number encryption that is specific to Payroll Interface.

Note: This topic applies to Payroll Interface customers who are subject to the Nacha requirements and are maintaining bank account information in the system in order to export that information to a third-party payroll system.

The content is grouped into these sections:

Note: The HCM Encryption Framework is a shared data encryption tool that is used in products such as Payroll for North America and Payroll Interface. This list contains links to sections with common encryption information that is applicable to both products, as well as links to the sections that are specific to Payroll Interface only.

Video: Image Highlights, PeopleSoft HCM Update Image 40: HCM Encryption Product Uptakes

To comply with Nacha’s data security requirements, Payroll Interface uses the Encryption Framework to encrypt and mask bank account numbers stored in the database for direct deposits.

When the DIR_DEP_DISTRIB source record is encrypted, bank account numbers are masked in the database and on these pages:

Note: Users can still view unmasked bank account numbers on these pages after the encryption based on their user role and the installation options for Direct Deposit pages. For more information, see Delivered Role For Viewing Unmasked Data and Direct Deposit Installation Options and Data Masking.

Refer to Encryption Source Records for a list of source records that are delivered for bank account number encryption using the HCM Encryption Framework.

The encryption (or decryption) process for the bank account numbers should only be run when users are not allowed to access or update the bank account numbers in the database.

In most cases, the encryption process needs to be run only once unless there is compelling reason to do so again later (for example, changing to a new encryption profile). While it is not practical to prevent users from accessing the system during the encryption run, there are certain pages, and processes from which users must be locked out in order to prevent inconsistent or unpredictable outcomes. The pages and processes are:

  • Employee Self-Service Direct Deposit page.

  • Administer Request Direct Deposit page.

  • Export processes.

Payroll Interface uses the Bank Account Admin role to allow the administrator(s) to view unmasked account numbers for direct deposits on the Request Direct Deposit (administrator page).

See Also Grant Unmasked Access Page.

The Batch Process mapping is used to identify application batch processes that are required to include the actual account numbers. Without this configuration, application batch processes will always output masked account numbers.

Payroll Interface has one process, PI_INRUN, defined for on the Map Batch Processes Page of the encryption setup.

Account numbers are always unmasked on the export files even when DIR_DEP_DISTRIB is encrypted.

If you are using the delivered record view DIR_DEP_VW as the source of your bank account information, this uptake will handle this without additional changes. This record view is modified by this uptake and will only return rows when the Export process is running.

Note: The modified record view DIR_DEP_VW will retrieve data only when the Export process is running. If you want to query Direct Deposit data even though the account number is encrypted, use the new delivered view DIR_DEP_MASK_VW. This definition is a clone of the previous version of DIR_DEP_VW.

If you encrypted DIR_DEP_DISTRIB, and you find that there are masked account numbers in your export files, you might be using a record definition other than DIR_DEP_VW as the source of your bank account information.

This is an example of an Interface Definition record that uses DIR_DEP_DISTRIB as the PS record on the Interface Definition Record page.

 Example of an Interface Definition record using DIR_DEP_DISTRIB as the PS record on the Interface Definition Record page

This is an example showing that the ACCOUNT_NUM field from DIR_DEP_DISTRIB is used as an Interface Definition field on the Interface Definition Fields page.

 Example of the ACCOUNT_NUM field from DIR_DEP_DISTRIB being used as an Interface Definition field on the Interface Definition Fields page

To identify the ACCOUNT_NUM field in your Payroll Interface environment, you can run the Interface PS Record-Field Table report.

Navigation: Set Up HCM > Product Related > Payroll Interface > Interface Definition Reports > PS Record-Field Listing

This example displays the Interface PS Record-Field Table report, which shows that the ACCOUNT_NUM field is available from the DIR_DEP_DISTRIB record.

 Interface PS Record-Field Table report

If it is determined that the ACCOUNT_NUM field is drawn from a different record other than DIR_DEP_VW, you may have to create a new record view (or modify if using an existing record view) and JOIN the underlying tables to DIR_DEP_VW from where the bank account number will be drawn. You will need to configure this new record in your environment using these pages:

Set Up HCM > Product Related > Payroll Interface > Interface Control > PS Tables

Set Up HCM > Product Related > Payroll Interface > Interface Control > Field Definition Table

Set Up HCM > Product Related > Payroll Interface > Interface Controls > Definition Table

Important! If you create a new record view to retrieve bank account numbers, remember that the Build Sequence No (shown in Application Designer) of the new record view must be higher than that of DIR_DEP_VW.

After you have completed the review of your Payroll Interface definitions and made the corresponding changes, it is recommended to create a new baseline to serve as the new starting point to your next Export run.

Important! Do not run any Payroll Interface processes while you are making changes to your setup or creating the new baseline.

To create a new baseline, you need to remove the data from Payroll Interface tables. To do so, run the following SQL statements in your database.

Note: Back up the data for your Payroll Interface tables before running these SQL statements.

DELETE PS_PI_EMPLID_TBL;

DELETE PS_AERUNCONTROL WHERE AE_APPLID = 'PI_INRUN';

DELETE PS_PI_EXTIO;

DELETE PS_PI_PARTIC_EXTBL;

DELETE PS_PI_PARTIC_EXPT;

DELETE PS_PI_PARTIC;

DELETE PS_PI_MESSAGE;

DELETE PS_PI_RUN_TBL;

DELETE PS_PI_RUN_PYGRP;

DELETE PS_PI_RUNCTL;

Once you have backed up and removed the data from the Payroll Interface tables, review the configuration of your Payroll Interface system ID.

Navigation: Set Up HCM > Product Related > Payroll Interface > Interface Control > System Table

This example shows the three Convert field values on the Interface System Table 1 page.

 System Table page showing the three values for the Convert field

If the Convert field is Using Interface Employee Table, populate the PI_EMPLID_TBL table before running the Export process.

If the Convert field is Using National ID or Using Peoplesoft Employee ID, the Export process will populate the PI_EMPLID_TBL table automatically.

Once you have your data removed from the tables and reviewed your System Table configuration, you can perform a full Export to create the new baseline.

Navigation: Payroll Interface > Payroll Data Exchanges > Import/Export Payroll Data

This example displays the Import/Export Payroll Data page, which shows the export parameters to perform a full export to create the new baseline.

 Import/Export Payroll Data page showing the export parameters to perform a full export to create the new baseline