BACS Sign/Commit Submission

Terms

Sign and Commit have been joined into one node as they do similar jobs. When you pick a group in the Start Node, this node reacts and picks the right one based on the group type of the selected group.

Background

Before the BACS or Faster Payments networks will accept a new submission, it must be signed using a digital certificate issued to you by your bank. Signing the submission protects the submission from tampering because any changes to the submission after signing cause the signature to become invalid. Signing also helps to prove, to the BACS service, that the submission came from the correct, authorised source.

In a Paygate workflow, submission signing/committing is carried out automatically as part of the workflow using a certificate stored in our secure HSMs (Hardware Security Modules).

In Paygate, signing/committing must be carried out in a strict order. Signing/committing must be carried out immediately after the submission has been checked and validated during the pre-submission validation stage and immediately before the submission is approved.

We enforce this strict order because it offers the most protection to your BACS submission. Digitally signing the submission protects the submission from changes or tampering. This means that we can guarantee that the submission has not changed or been tampered with at the approval stage.
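The ordering described above, as an added sketch that is not Paygate code: a submission is validated, signed, then verified at approval, and a change made after signing is rejected. The function names, the record format and the in-process Ed25519 key (standing in for the bank-issued certificate held in the HSM) are all assumptions.

```javascript
// Added illustration, not Paygate code. The Ed25519 key pair is generated
// in-process and stands in for the bank-issued certificate held in the HSM.
const { generateKeyPairSync, sign, verify } = require('node:crypto');
const { privateKey, publicKey } = generateKeyPairSync('ed25519');

// Hypothetical pre-submission validation: sort code, account number and amount per record.
function validate(sub) {
  const ok = sub.records.every(r => /^\d{6}$/.test(r.sortCode) &&
    /^\d{8}$/.test(r.account) && Number.isInteger(r.pence) && r.pence > 0);
  if (!ok) throw new Error('pre-submission validation failed');
  return { ...sub, state: 'validated' };
}

// Bytes covered by the signature (constructed format, not the BACS file format).
function payload(sub) {
  return Buffer.from(sub.records.map(r => `${r.sortCode}|${r.account}|${r.pence}`).join('\n'));
}

// Signing is only allowed immediately after validation.
function signSubmission(sub) {
  if (sub.state !== 'validated') throw new Error('sign must follow validation');
  return { ...sub, state: 'signed', signature: sign(null, payload(sub), privateKey) };
}

// Approval re-verifies the signature, so any change made after signing is caught here.
function approve(sub) {
  if (sub.state !== 'signed') throw new Error('approval must follow signing');
  if (!verify(null, payload(sub), publicKey, sub.signature))
    throw new Error('signature invalid: submission changed after signing');
  return { ...sub, state: 'approved' };
}

// Returns the final state, or the error message if a step refused to run.
function outcome(fn) { try { return fn().state; } catch (e) { return e.message; } }

// Constructed sample submission.
const draft = { state: 'new', records: [{ sortCode: '123456', account: '12345678', pence: 150000 }] };

function demo() {
  const signed = signSubmission(validate(draft));
  const tampered = { ...signed, records: [{ ...signed.records[0], account: '87654321' }] };
  return {
    clean: outcome(() => approve(signed)),
    tampered: outcome(() => approve(tampered)),
    unsigned: outcome(() => approve(validate(draft))),
    unvalidated: outcome(() => signSubmission(draft)),
  };
}
console.log(demo());
```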

Prerequisite

There are a number of prerequisites when building a workflow with automated signing. These are only necessary for direct submissions.

1 - Bank Issued Certificate

In corporate BACS and Faster Payments, manual submission signing is carried out using special smartcards issued by your bank. Clearly an automated workflow cannot use a smartcard and so instead uses a special digital certificate, again issued by your bank. These certificates need to be very carefully protected and must be stored in a Hardware Security Module (HSM) - which leads to the second prerequisite.

2 - Hardware Security Module (HSM)

A Hardware Security Module (HSM) is a dedicated hardware device that employs very high levels of physical and network security. It has a number of uses but in the BACS and Faster Payments world an HSM is mostly used to store bank issued digital certificates. An HSM protects certificates against theft, tampering, accidental deletion and unauthorized usage. Paygate offers a managed service that can be used to store your certificate in our own HSMs. When you store your certificate in our HSMs it can be used by your workflows to create automated or semi-automated BACS submissions.

Workflow Configuration

As stated above, the sign/commit node must follow the pre-submission validation. To add a signing node to a workflow, simply add the node to the workflow and connect the output of the pre-submission validation node to the input of the signing node.

Signing

Direct Group Configuration

You might be asking, how does Paygate know which certificate to use? It takes this information from the group. When you create a BACS group you configure how the submission will be digitally signed - smartcard or HSM. When you choose HSM the configuration page asks you to select a certificate to use. These certificates are those that Paygate stores on your behalf as part of our HSM managed service.

Group

In the example above, the workflow will use the certificate ‘HsmCert2021’ to digitally sign the submission. The group that the workflow will use is set in the workflow’s Start Node.

Indirect Group Configuration

Indirect submissions must be set to “None” for them to be progressed via workflow.

Group2