Understanding Enterprise RFP Requirements: Security – Access Control and Authentication

Beyond basic username and password credentials, the RFP is likely to ask for one or more of several other authentication methods, including methods that allow nuanced access and that tie in with spend management.

When a company issues a Request for Proposal (RFP) for digital commerce, namely ecommerce and eprocurement, a natural question that follows is who will be able to access the sales/procurement platform and how that access is controlled. Beyond basic username and password, the RFP is likely to ask for one or more of several additional authentication methods. Enterprise engagements increasingly dictate Multi-Factor Authentication, Single Sign On, and permissions management.

This installment of our RFPs & Rising Technology Demands series details some of the criteria that RFPs may require for access control and authentication.

RFP Authentication Requirements Beyond Username and Password: MFA, 2FA, and SCA


Username and password are only the most basic form of user access and authentication. Increasingly, ecommerce sites and other digital systems are requiring additional forms of authentication.

One reason for this is new regulation in Europe. Just as the General Data Protection Regulation (GDPR) spurred adoption of consumer privacy protections worldwide, Europe’s second Payment Services Directive (PSD2) is driving new authentication requirements well beyond Europe.

PSD2 took effect in 2018, and its Strong Customer Authentication (SCA) requirement for electronic payments, including most online card transactions, has been enforced since September 2019. SCA is, in short, a requirement that the customer be authenticated with at least two independent factors before an online transaction can be completed.

The factors may be something the cardholder knows (like a password or the answer to a security question), something the cardholder has (like a code generated by or sent to their phone), or something the cardholder is (like a fingerprint scan). The two factors must come from different categories: a password plus a security question are both things the cardholder knows, so that combination does not satisfy SCA.

One way to satisfy SCA is Multi-Factor Authentication (MFA), of which Two-Factor Authentication (2FA) is the most common form. MFA and 2FA prompt users for a username and password plus at least one other, independent form of authentication.

An ever-present consideration alongside authentication is payment processing, specifically how payment card data and cardholder data are protected. Payment processing is governed by a set of security requirements known as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is almost always the payment data standard cited by RFPs.

When RFPs Require Single Sign On


More and more, enterprise engagements are specifying Single Sign On (SSO) as a standard for authentication.

With SSO, an individual is given access to the commerce platform by way of their own corporate credentials, issued and managed by the purchaser’s identity provider, which keeps the purchaser in control of access. SSO also lets users sign into multiple systems by signing into only one.

In this case, the buyer’s RFP may require SSO so that its purchasers, having logged onto the buyer’s eprocurement system, are also signed into the seller’s ecommerce storefront without a second login. SSO may work between two systems or many.

Besides the convenience of logging in only once, SSO provides added security. Credentials like username and password are a common target of attackers. Since users log in with corporate-controlled credentials, the corporation retains control over credential strength and MFA policy, and can lock out users centrally, such as an employee who has left, without waiting for the vendor to act. The trade-off is that the corporate identity account becomes the single key to every connected system, so it deserves the strongest protection of all.

Regulations such as the Sarbanes-Oxley Act require IT controls for protecting data, and SSO is one way to provide controls.

Permissions Requirements Found in RFPs


Beyond verifying users with a username, password, and at least one other form of authentication, there is the question of who is allowed to access which parts of a digital system once they are verified. RFPs may require the vendor to enforce various levels of access control, and to enforce them on the server side rather than merely hiding options in the user interface.

An RFP for a company store, for example, may require that the buyer’s various purchasing agents have different levels of access. A user in charge of purchasing uniforms might not be permitted to purchase office supplies, and vice versa.

Such access control may also be accompanied by a requirement to enforce budgets for individual purchasers. Lower level purchasers might not be granted the same spend as senior purchasers, for example, so budgets would need to be enforced electronically at the user level, typically per accounting period and against the whole order rather than line by line.
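The following is an added example (not code from the original article or from any vendor’s platform) of the two requirements just described, implemented together as a single deny-by-default authorization check: roles scoped to catalog categories, plus a per-user spend limit that is checked against the whole order before any of it is approved. Role names, categories, users, and amounts are constructed for illustration.

```python
"""Catalog-scoped permissions plus per-user spend limits for a company store.
Added example; ROLE_CATEGORIES, users and amounts are constructed assumptions."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List

# Hypothetical roles: each maps to the catalog categories it may buy from.
ROLE_CATEGORIES = {
    "uniform_buyer": frozenset({"uniforms"}),
    "office_buyer": frozenset({"office_supplies"}),
    "purchasing_manager": frozenset({"uniforms", "office_supplies", "it_equipment"}),
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset
    spend_limit: Decimal          # budget for the current period


@dataclass(frozen=True)
class OrderLine:
    sku: str
    category: str
    amount: Decimal               # extended price for the line


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PurchaseAuthorizer:
    """Server-side policy decision point. Anything not explicitly allowed is denied."""

    def __init__(self) -> None:
        self._spent = {}          # username -> amount approved so far this period

    def allowed_categories(self, user: User) -> frozenset:
        cats = frozenset()
        for role in user.roles:
            cats |= ROLE_CATEGORIES.get(role, frozenset())   # unknown role grants nothing
        return cats

    def spent(self, user: User) -> Decimal:
        return self._spent.get(user.username, Decimal("0"))

    def authorize(self, user: User, lines: Iterable[OrderLine]) -> Decision:
        lines = list(lines)
        if not lines:
            return Decision(False, "empty order")
        allowed = self.allowed_categories(user)
        for line in lines:
            # Reject negative or zero lines first: a negative line would otherwise
            # let a user "refund" their way back under the limit.
            if line.amount <= 0:
                return Decision(False, f"non-positive amount on {line.sku}")
            if line.category not in allowed:
                return Decision(False, f"{user.username} may not buy from '{line.category}' ({line.sku})")
        total = sum((line.amount for line in lines), Decimal("0"))
        remaining = user.spend_limit - self.spent(user)
        # The whole order is judged at once, so it cannot be split into small lines
        # that individually fit but together exceed the budget.
        if total > remaining:
            return Decision(False, f"order total {total} exceeds remaining budget {remaining}")
        self._spent[user.username] = self.spent(user) + total   # only approved orders consume budget
        return Decision(True, f"approved; {remaining - total} left this period")


def run_demo() -> dict:
    """Constructed scenario: a uniform buyer with a 1000 budget and a manager with 5000."""
    alice = User("alice", frozenset({"uniform_buyer"}), Decimal("1000"))
    bob = User("bob", frozenset({"purchasing_manager"}), Decimal("5000"))
    auth = PurchaseAuthorizer()
    decisions: List[Decision] = [
        auth.authorize(alice, [OrderLine("UNI-1", "uniforms", Decimal("400"))]),        # ok
        auth.authorize(alice, [OrderLine("PEN-1", "office_supplies", Decimal("5"))]),   # wrong category
        auth.authorize(alice, [OrderLine("UNI-2", "uniforms", Decimal("700"))]),        # 400 + 700 > 1000
        auth.authorize(alice, [OrderLine("UNI-3", "uniforms", Decimal("-400"))]),       # negative line
        auth.authorize(bob, [OrderLine("PEN-1", "office_supplies", Decimal("5")),
                             OrderLine("LAP-1", "it_equipment", Decimal("1200"))]),     # ok
    ]
    return {"decisions": decisions, "alice_spent": str(auth.spent(alice)), "bob_spent": str(auth.spent(bob))}


if __name__ == "__main__":
    for d in run_demo()["decisions"]:
        print(d)
```

In a real platform the `_spent` ledger would live in the database and the check-and-record step would run inside one transaction, so two concurrent orders from the same user cannot both pass the budget check; the in-memory version above keeps the policy logic visible.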

A company issuing an RFP for digital commerce is likely to require control over who accesses which part of the system and also may require that different users are afforded different levels of spend.

RFPs Seek Access Control and Authentication Beyond Usernames and Passwords


A natural consideration arising from a Request for Proposal that seeks a digital commerce arrangement is who will have access to the platform, and how much.

Beyond basic usernames and passwords, the RFP is likely to seek additional authentication standards such as Strong Customer Authentication, satisfied by Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA), as well as PCI DSS compliance for payment data.

The RFP may also seek Single Sign On (SSO), where users log into two or more systems by way of one set of corporate-controlled credentials, which reduces the opportunity for credential theft and helps the buyer meet compliance requirements such as the IT controls required by Sarbanes-Oxley.

Once users are logged in, there’s the matter of which users will have which access. Lower level purchasers may have access to some items, while purchasing managers may have access to more, and to larger budgets. The RFP may seek systems that support and enforce granular permission levels.

RFPs are likely to seek access control and authentication requirements far beyond the basics of username and password. Companies who understand the requirements and work with a technology solutions provider who can implement the RFP’s requests stand better positioned to win the business.