Web Pay SECURITY
In order to offer our customers a secure and reliable web application experience, Paylocity implements numerous technological controls:
1. HTTPS Only - All Paylocity Web Applications (with the exception of Paylocity's public website) use Secure Sockets Layer/Transport Layer Security (SSL/TLS). Any attempt to visit the non-secure (HTTP) version of a Paylocity Web Application is rejected, protecting end-users against man-in-the-middle (MITM) and SSL session-hijacking attacks.
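The "reject plain HTTP" behaviour described above can be enforced at the application boundary. The following is an added example written for this page, not Paylocity's code: a hypothetical WSGI middleware that refuses to serve content over HTTP (redirecting safe GET/HEAD requests to the https:// URL and refusing anything else outright) and adds an HSTS header to every HTTPS response so the browser will not try plain HTTP again. The host `pay.example.com`, the helper names and the stand-in application are all constructed for illustration.

```python
# Added example (not Paylocity's code): hypothetical WSGI middleware that keeps
# application content off plain HTTP and pins browsers to HTTPS via HSTS.
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def _https_url(environ):
    """Rebuild the requested URL with an https scheme (path and query kept)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def https_only(app):
    """Wrap a WSGI app so that plain-HTTP requests never reach it.

    GET/HEAD are redirected to the https:// equivalent; any other method (e.g. a
    POST carrying credentials) is refused, because a redirect would drop the
    body and invite the client to retry over HTTP. Assumption: wsgi.url_scheme
    is set by the server or a trusted TLS-terminating proxy, never taken from an
    unauthenticated client header.
    """
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme", "http").lower() != "https":
            method = environ.get("REQUEST_METHOD", "GET").upper()
            if method in ("GET", "HEAD"):
                start_response("301 Moved Permanently",
                               [("Location", _https_url(environ)),
                                ("Content-Length", "0")])
                return [b""]
            body = b"Plain HTTP is not accepted; use https://\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]

        # HTTPS request: pass through, replacing any HSTS header the app set.
        def hsts_start_response(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return middleware


def sample_app(environ, start_response):
    """Stand-in for the real application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"pay stub data"]


def make_environ(scheme, method="GET", path="/login", query="",
                 host="pay.example.com"):
    """Minimal WSGI environ for offline testing (constructed values)."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
            "HTTP_HOST": host, "SERVER_NAME": host, "SCRIPT_NAME": "",
            "PATH_INFO": path, "QUERY_STRING": query}


def call(app, environ):
    """Invoke a WSGI app with a capturing start_response; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = https_only(sample_app)
    for env in (make_environ("http"), make_environ("http", "POST"),
                make_environ("https")):
        status, headers, _ = call(secured, env)
        print(env["wsgi.url_scheme"], env["REQUEST_METHOD"], "->", status, headers)
```

Running the block shows the three outcomes: an HTTP GET is sent to the https:// URL, an HTTP POST is refused with 403, and an HTTPS request is served with the `Strict-Transport-Security` header attached. Whether a live site actually behaves this way is what the Qualys SSL Labs report the page refers to checks from the outside.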
2. Extended Validation Certificate (alias "Green Bar") - All communication between Paylocity's Web Applications and its customers is protected using an Extended Validation (EV) certificate with 256-bit encryption by default. [Note: Although most modern web browsers (and Paylocity Web Applications) support 256-bit encryption by default, browsers unable to do so may fall back to a minimum of 128-bit encryption.] Unlike a standard SSL certificate, an EV certificate goes beyond merely encrypting the communication between the end-user and the server: it allows the end-user to visibly verify the company name, primary domain, and physical address of the website in question. (See example) As the name suggests, acquiring an EV certificate is not as simple as acquiring a standard SSL certificate. It requires the website owner to:
- a. Establish their legal identity as well as their operational and physical presence.
- b. Establish ownership of the domain name or prove exclusive control over it.
- c. Confirm the identity and authority of the individuals involved and prove that the documents pertaining to legal obligations are signed by an authorized officer.
For more information on EV certificates, please refer to the Guidelines For The Issuance and Management Of Extended Validation Certificates (pdf). For more information on Paylocity's implementation of SSL/TLS, please refer to the Qualys SSL Labs reports on Web Pay and Web Time.
3. Security Image & Unique Passphrase - A Security Image is a picture chosen by the customer (from a large pool of images) to be displayed on the login screen. Along with the Security Image, customers must also specify a unique passphrase (with no character restrictions). In addition to the EV certificate, the Security Image and unique passphrase help the customer distinguish between legitimate Paylocity Web Applications and illegitimate websites impersonating a Paylocity Web Application (phishing). Once the user enters their company ID and username, the Security Image and the customer-specified passphrase appear automatically, reassuring the customer that he/she is on the legitimate Paylocity website and that it is safe to enter the password. (See example)
4. Session Timeout - To protect our customers from accidentally exposing their private financial data through an inactive session, Paylocity implements automatic session timeouts. After two hours of inactivity the user is automatically logged off and must re-authenticate. Similarly, sessions are also terminated when the user closes the browser window without explicitly logging out.
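The two behaviours in this item are implemented in different places: the idle timeout is enforced server-side against the session's last-activity time, while "terminated when the browser closes" comes from issuing the session identifier as a non-persistent cookie (no `Max-Age`/`Expires`), which the browser discards on exit. The following is an added example, not Paylocity's code: a hypothetical session store with a two-hour idle window and the matching `Set-Cookie` header. The cookie name, user ids and injected clock are constructed so it runs offline.

```python
# Added example (not Paylocity's code): hypothetical idle-timeout session store
# and the non-persistent cookie that drops the session when the browser closes.
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT_SECONDS = 2 * 60 * 60    # two hours of inactivity, as the page states
COOKIE_NAME = "WebPaySession"         # constructed name


class SessionStore:
    """Server-side sessions keyed by an unguessable id; clock injected for tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user": ..., "last_seen": epoch seconds}

    def create(self, user):
        """Issue a fresh 256-bit random session id for an authenticated user."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def touch(self, sid):
        """Return the session's user if it is still live, refreshing its idle clock.

        A session idle longer than IDLE_TIMEOUT_SECONDS is deleted on its next
        use, so the caller gets None and must send the user to re-authenticate.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid):
        """Explicit logout: invalidate server-side regardless of what the browser keeps."""
        self._sessions.pop(sid, None)

    def live_count(self):
        return len(self._sessions)


def session_cookie_header(sid):
    """Build the Set-Cookie value for a session id.

    Omitting Max-Age/Expires makes it a session cookie, which the browser drops
    when it is closed; Secure keeps it off plain HTTP, HttpOnly keeps it away
    from page scripts, and SameSite=Strict stops cross-site requests sending it.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    now = [1_700_000_000.0]                      # constructed fake clock
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("emp-001")
    print("Set-Cookie:", session_cookie_header(sid))
    now[0] += 90 * 60
    print("after 90 min idle:", store.touch(sid))      # still live
    now[0] += IDLE_TIMEOUT_SECONDS + 1
    print("after >2h idle:", store.touch(sid))         # None: must log in again
```

Note that closing the browser only removes the client's copy of the id; the server-side entry still exists until the idle timeout reaps it, which is why the timeout and an explicit `destroy` on logout are both needed.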
5. Password Protected Pay Stubs - Customers are offered the opportunity to protect their downloadable pay stubs (PDF) with a password. The PDF is encrypted using the user-supplied password prior to download, so all cached copies of the PDF are also protected.
6. CAPTCHA - To protect Paylocity Web Applications against automated attacks, Paylocity uses a technology known as CAPTCHA. A CAPTCHA attempts to establish that the person on the other end is an actual human being and not a computer program pretending to be one. The customer is challenged with a distorted image and must identify the letters and numbers in it in their precise order and capitalization. Paylocity uses CAPTCHAs during user registration and password resets.
7. Account Lock-out - To protect our customers against targeted attacks, multiple successive failed login attempts result in an automatic account lock-out. To unlock the account, customers must either reset their password and try again or contact their employer's Human Resources department.
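As an added example (not Paylocity's code, and the page gives no threshold), the following hypothetical login gate shows the lock-out policy described above: consecutive failures are counted per account, a successful login clears the count, reaching the threshold locks the account so that even the correct password is refused, and the only way back in is the password-reset path. Password verification uses PBKDF2 from the standard library; the usernames, passwords and threshold are constructed.

```python
# Added example (not Paylocity's code): hypothetical account lock-out after
# successive failed logins, unlocked only through a password reset.
import hashlib
import hmac
import os

MAX_FAILURES = 5          # constructed threshold; the page does not state one
_KDF_ITERATIONS = 100_000
_USERS = {}               # username -> (salt, pbkdf2 digest); constructed store


def set_password(username, password):
    """Store a salted PBKDF2-SHA256 digest for the user (used by registration and reset)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _KDF_ITERATIONS)
    _USERS[username] = (salt, digest)


def _password_ok(username, password):
    rec = _USERS.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown username takes as long as a wrong
        # password; the response time then says nothing about which it was.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, _KDF_ITERATIONS)
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _KDF_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


class LoginGate:
    """Counts consecutive failures per account and locks at the threshold."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._failures = {}   # username -> consecutive failed attempts
        self._locked = set()

    def is_locked(self, username):
        return username in self._locked

    def login(self, username, password):
        """Return "ok" or "denied".

        A locked account is denied even with the right password. The single
        "denied" result is deliberate: the user-facing message is the same for
        a wrong password, an unknown user and a locked account, so the login
        form does not reveal account state.
        """
        if username in self._locked:
            return "denied"
        if _password_ok(username, password):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked.add(username)
            self._failures.pop(username, None)
        return "denied"

    def unlock_with_password_reset(self, username, new_password):
        """The page's self-service unlock: called only after the reset wizard
        has verified the user. An HR-assisted unlock would run the same clearing step."""
        set_password(username, new_password)
        self._locked.discard(username)
        self._failures.pop(username, None)


if __name__ == "__main__":
    set_password("emp-001", "correct horse battery")      # constructed account
    gate = LoginGate(max_failures=3)
    for attempt in ("guess1", "guess2", "guess3", "correct horse battery"):
        print(attempt, "->", gate.login("emp-001", attempt),
              "| locked:", gate.is_locked("emp-001"))
    gate.unlock_with_password_reset("emp-001", "new passphrase")
    print("after reset ->", gate.login("emp-001", "new passphrase"))
```

In production the failure counter and lock state would live in shared storage rather than a process-local dict, so that a lock holds across every application server and survives restarts; the logic is otherwise the same.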
8. Self-Service Password Resets - For customers who sometimes forget their passwords, the self-service password reset feature is a convenient option; however, it is also a very attractive target for malicious attackers, so Paylocity Web Applications strike a delicate balance between convenience and security by using a multi-step password reset wizard.