BACS Sign Submission
Purpose
When building an automated BACS submission workflow, this node is responsible for coordinating the digital signing of the submission.
Background
Before the BACS or Faster Payments networks will accept a new submission, it must be signed using a digital certificate issued to you by your bank. Signing the submission protects it from tampering because any change to the submission after signing causes the signature to become invalid. Signing also helps to prove, to the BACS service, that the submission came from the correct, authorised source.
In a Paygate workflow, submission signing is carried out automatically as part of the workflow using a certificate stored in our secure HSMs (Hardware Security Modules).
In Paygate, signing must be carried out in a strict order. Signing must be carried out immediately after the submission has been checked and validated during the pre-submission validation stage and immediately before the submission is approved.
We enforce this strict order because it offers the most protection to your BACS submission. Digitally signing the submission protects the submission from changes or tampering. This means that we can guarantee that the submission has not changed or been tampered with at the approval stage.
Prerequisite
There are a number of prerequisites when building a workflow with automated signing:
1 - Bank Issued Certificate
In corporate BACS and Faster Payments, manual submission signing is carried out using special smartcards issued by your bank. Clearly an automated workflow cannot use a smartcard and so instead uses a special digital certificate, again issued by your bank. These certificates need to be very carefully protected and must be stored in a Hardware Security Module (HSM) - which leads to the second prerequisite.
2 - Hardware Security Module (HSM)
A Hardware Security Module (HSM) is a dedicated hardware device that employs very high levels of physical and network security. It has a number of uses, but in the BACS and Faster Payments world an HSM is mostly used to store bank-issued digital certificates. An HSM protects certificates against theft, tampering, accidental deletion and unauthorized usage. Paygate offers a managed service that can be used to store your certificate in our own HSMs. When you store your certificate in our HSMs, it can be used by your workflows to create automated or semi-automated BACS submissions.
Workflow Configuration
As stated above, the signing node must follow the pre-submission validation. To add a signing node to a workflow, simply add the node to the workflow and connect the output of the pre-submission validation node to the input of the signing node.
Certificate
You might be asking, how does Paygate know which certificate to use? It takes this information from the group. When you create a BACS group you configure how the submission will be digitally signed - smartcard or HSM. When you choose HSM, the configuration page asks you to select a certificate to use. These certificates are those that Paygate stores on your behalf as part of our HSM managed service.
In the example above, the workflow will use the certificate ‘HsmCert2021’ to digitally sign the submission.
The group that the workflow will use is set in the workflow’s Start Node.
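The ordering and group rules described above can be checked mechanically before a workflow goes live. The following Python check is an added example, not Paygate code: the workflow representation, the node type names and the group fields are assumptions made for illustration and do not reflect Paygate's own format or API.

```python
# Added example: hypothetical workflow model, not Paygate's own format or API.
# Node type names and the group fields below are assumptions for illustration.
VALIDATE, SIGN, APPROVE, START = "presub_validation", "sign", "approve", "start"

def check_signing_order(nodes, edges, group):
    """Return a list of problems with how signing nodes are wired.

    nodes: {node_id: node_type}; edges: [(from_id, to_id)];
    group: {"signing_method": "hsm" | "smartcard", "certificate": str | None}
    """
    problems = []
    sign_ids = [n for n, t in nodes.items() if t == SIGN]
    if not sign_ids:
        problems.append("workflow has no signing node")
    for sid in sign_ids:
        preds = [nodes.get(a) for a, b in edges if b == sid]
        succs = [nodes.get(b) for a, b in edges if a == sid]
        # Signing must come immediately after pre-submission validation...
        if preds != [VALIDATE]:
            problems.append(f"{sid}: input must come only from validation, got {preds}")
        # ...and immediately before approval, so approvers see signed content.
        if succs != [APPROVE]:
            problems.append(f"{sid}: output must go only to approval, got {succs}")
    # The certificate is taken from the group, which must use HSM signing.
    if group.get("signing_method") != "hsm":
        problems.append("group is not configured for HSM signing")
    elif not group.get("certificate"):
        problems.append("group has no HSM certificate selected")
    return problems

# Constructed sample workflows.
GOOD_NODES = {"n1": START, "n2": VALIDATE, "n3": SIGN, "n4": APPROVE}
GOOD_EDGES = [("n1", "n2"), ("n2", "n3"), ("n3", "n4")]
# Mis-wired: approval runs before signing, so the approved content is unsigned.
BAD_EDGES = [("n1", "n2"), ("n2", "n4"), ("n4", "n3")]
HSM_GROUP = {"signing_method": "hsm", "certificate": "HsmCert2021"}

if __name__ == "__main__":
    print(check_signing_order(GOOD_NODES, GOOD_EDGES, HSM_GROUP))
    for problem in check_signing_order(GOOD_NODES, BAD_EDGES, HSM_GROUP):
        print(problem)
```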