BACS Sign Submission
Purpose
When building an automated BACS submission workflow, this node is responsible for co-ordinating the digital signing of the submission.
Background
Before the BACS network will accept a new submission it must be signed using a digistal certificate issued to you by your bank. Signing the submission protects the submission from tampering because any changes to the submission after signing cause the signature to become invalid. Signing also helps to prove, to the BACS service, the the submission came form the correct, authorised source.
In a paygate workflow, submission signing is carried our automatically as part of the workflow using a certificate stored in our secure HSMs (Hardware Security Modules).
In paygate, signing must be carried out in strict order. Signing must be carried out immediatly after the submission has been checked and validated during the pre-submission validation stage and immediatly before the submision is approved.
We enforrce this strict order because it offers the most protection to your BACS submission. Digitally signing the submission protects the submission from changes or tampering. This means that we can guarantee that the submission has not changed or been tampered with at the approval stage.
Prerequisite
There are a anumber of prerequisites when building a workflow with automated signing
1 - Bank Issued Certificate
In corporate BACS and Faster payment, manual submission signing is carried out using special smart cards issued by your bank. Clearly an automated workflow cannot use a smartcard and so instead uses a special digital certificate, again issued by your bank. These certificate need to be very carefully protected and must be stored in a Hardware Security Module (HSM) - which leads to the second prerequisite.
2 - Hardware Security Module (HSM)
A Hardware Security Modules (HSM) is a deciated hardware device that employs very high levels of phsyical and network security. It has a number of uses but in the BACS and Faster Payments world a HSM is mostly used to store bank issued digital certificates. A HSM protects certificates against theft, tampering, accidental deletion and unauthorised usage. paygate offers a managed service that can be used to store your certificate in out own HSMs. When you store your certificate in our HSMs they can be used by your workflows to create automated or semi-automated BACS submissions.
Workflow Configuration
As stated above, the signing node must follow the pre-submission validation. To add a signing node to a workflow simple add the node to a workflow and connect the output of the pre-submission validation node to the input of the signing node.
Certificate
You might be asking, how does paygate know which certificate to use? It takes this information from the group. When you create a BACS group you configure how the submission will be digitally signed - smartcard or HSM. When you choose HSM the configuration page asked you to select a certificate to use. These certificates are those that payagte store on your behalf as part of our HSM managed service.
In the example above, the workflow will use the certificate ‘HsmCert2021’ to digitally sign the submission.