How to Speed Cash Flow and Streamline Treasury Operations in a Shaky Global Economy

With turbulent financial markets and credit remaining tight around the world, companies of every size and shape are scrambling to lower their administrative and project costs, wring more productivity out of existing operations, and maintain or grow revenues by delivering immediate, tangible benefits to their customers and trading partners.

To trim expenses, many are shedding staff and freezing budgets. Others are agreeing to buyouts or mergers to stave off competition or simply survive. Still more are adopting entirely different strategies and advanced technologies to help bolster their bottom line.

Treasury Workstations: In-house Versus Outsourced

One approach some companies are using to improve their cash flow is accelerating payment processing and simplifying financial transaction management through automation. Instead of stringing together a variety of financial software and reporting tools, more treasurers and cash managers are looking to treasury workstations to improve their accounts payable (A/P) and accounts receivable (A/R) processes, speed up collections, exercise greater control over their disbursements, decrease payment processing time and costs, and reduce errors and fraud risk.

Treasury workstations are computer systems that run specialised financial management software to help companies automate manually intensive, repetitive steps to more effectively manage their cash flow and streamline internal treasury operations – from A/P and A/R to cash management and reconciliation. These workstations also enable organisations to communicate seamlessly over the Internet with cash management banks, other financial institutions and customers or suppliers. The result is faster availability of funds, more reliable financial reporting and forecasting, centralised access to financial data, and more efficient handling of a company’s routine treasury functions.

Treasury workstations can either be a server-based, in-house system that runs software on a company’s own computers or they can be part of an outsourced service delivered over the Internet.

In-house, served-based solutions can incur steep ramp-up costs, such as initial software licensing fees, expenses for adding and installing computer servers plus vendor and internal IT resources for implementation and testing. Software license maintenance fees and continuing IT support also contribute to system lifecycle cost for the duration of the installation.

In addition, server-based workstations require companies to safeguard their own financial databases and customer records against hackers, as well as conform to rigorous Payment Card Industry Data Security Standards (PCI-DSS).

These standards, which have been adopted worldwide by the major credit card brands, require merchants who process, retain or transmit payment card data to encrypt that data wherever it is stored. PCI-DSS standards are considered the foremost benchmark for cardholder account security and certify that a vendor’s products and technologies meet the most stringent industry criteria for processing and storing confidential payment data. The PCI Security Standards Council also recently adopted a Payment Application Data Security Standard (PA-DSS) to ensure that payment applications marketed by software vendors support PCI standards as well.

With an outsourced, Internet-based workstation, a company’s financial information is centralised at a secure data centre of a third-party software-as-a-service (SaaS) provider, then distributed on demand to authorised treasury department computers via secure web connection. Software applications like these, which are hosted on the Internet and accessed using a web browser, are known as cloud computing.

In cloud-based environments, day-to-day responsibility for protecting a company’s stored financial data and meeting PCI requirements rests with the service provider, although the client company remains ultimately accountable for adhering to PCI requirements.

Historically, integrating a company’s financial management processes with a bank’s treasury management services was something only the very largest organisations could take on due to time, expense and complexity. With today’s advanced technologies, however, many smaller companies are finding Internet-based payment processing and data storage solutions more cost-effective, easier to implement and more secure than server-based systems because they require fewer treasury and IT resources, have shorter integration times so companies achieve transactional and operational efficiencies faster, and have multiple levels of encryption and other security controls in place to ensure confidential data is protected.

There is now a greater demand for online virtual point-of-sale solutions, which give business-to-business (B2B) and business-to-government (B2G) merchants a highly secure, easy and affordable means for processing credit cards, purchasing cards and other electronic payment transactions with minimal investment and no development uptime. Just as with other cloud computing tools, all that’s required for deployment is a web browser and Internet connection.

Data Security and Internal Controls

Whether server-based or cloud-based, all providers of treasury workstations and payment processing systems should be held to the highest standards for data security and internal controls.

While no treasury workstation or payment system on earth is 100% hack-proof, companies can and should manage the risk of a potential data breach by solving for the concept of ‘graceful failure’. By assuming your system will fail at some point and that perpetrators will gain access to your most sensitive information, regardless of the security countermeasures in place, treasurers and cash managers should plan to either build and protect their own data fortress at the outset or hire a trusted service provider to do it for them.

Any business that takes credit cards also needs to ask themselves whether they’re storing and safeguarding confidential, personally identifiable customer data in the best possible way – how much data should be retained, where it makes the most sense to store that data, and how best to protect it. Companies that try to secure card data themselves often find it’s very difficult to ensure proper safeguards, yet the responsibility for protecting customer cardholder data grows exponentially the larger a business becomes. Consider these sobering statistics:

• Forrester Research reported in its ‘2007 State of PCI Compliance’ study that more than 100 million personally identifiable customer records had been breached in the US over the past two years and that most of these breaches occurred at companies with household names. Forrester asked 677 information technology security executives from the US and Europe about their data retention practices and found that 81% store credit card numbers, 73% retain card expiration dates and 71% keep verification codes on file.
• The Ponemon Institute also reports that data breaches cost companies an average of US$197 per record in 2007, and the average cost of a data breach was US$6.3m, up from US$4.8m in 2006.
• In a report on the underground economy, antivirus software vendor Symantec highlights a disturbing new trend in cyber crime: hackers are not only after credit card data, they’re also seeking access to payment processing systems so that they can check whether stolen card numbers being sold on the black market are valid. Symantec estimates that the total value of so-called ‘goods’ being advertised for sale in the underground economy servers between 1 July 2007 and 30 June 2008 was over US$276m. Credit cards accounted for 59% of that total.

These reports serve as powerful reminders of the importance of safeguarding financial data and how difficult it can be for companies to ensure proper safeguards when they do it themselves.

Choosing a Treasury Workstation

When choosing a treasury or payment processing workstation, make sure your service provider can answer best practice questions like these:

• Are their products certified for PCI-DSS and PA-DSS compliance by an independent auditor?
• What risk mitigation and business continuity controls do they have in place to protect sensitive financial and cardholder data? For example, do they maintain a secure back up copy of important customer records? Can they provide detailed logs of transactions? And are those logs and reports accessible to meet the compliance requirements of Sarbanes-Oxley law requiring publicly traded US companies to have appropriate operational and audit controls in place?
• Will they help your company securely centralise and monitor business activity, manage cash and forecast accurately?
• Do they safely store payment level and receivables information, such as remittance and receipt data, to be used for processing payments?
• Do they enable customers to safely accept payments in various electronic formats including credit cards and purchase cards over the Internet?
• Do they enable secure, efficient distribution of payables and remittance information to payment processing networks?
• Does their solution support secure, real-time or file-based processing of financial data?
• For processing credit card payments, do they safely maintain cards-on-file for repeat customers, eliminate data re-entry for repeat customers and enable easy card record updates and additions in real time?
• Do they support major card processing platforms and allow card processing tools to be unbundled from the processing network itself?
• Do they provide an integrated, cost effective tool for outsourced data storage and retrieval, such as credit card and customer identification storage service?

One of the safest alternatives is eliminating storage of credit card data from a merchant altogether. If companies don’t keep credit card information themselves, there’s nothing for hackers to steal. A credit card and customer identification storage service relieves merchants of the burden of worrying about whether their confidential and sensitive customer data could be compromised or released in the event of a security breach.