5 ideas for secure invoicing

If you're an IT consultant, security shouldn't stop at your clients' servers. Don't forget to secure your financial communications with your clients, too.

For consultants, invoices and other financial communications with clients can be among the most sensitive messages they send. They can also be among the most overlooked aspects of business when it comes to considering how to secure their operations. One should always be sure to take as much care to protect financial communications as reasonably possible. The following is a list of five ways you can secure your invoicing process, and related communications, each with its own benefits and detriments.

  • attachment on encrypted, and signed, email

    Sending an invoice as a file attached to an email, or even as inline text in your email, can be a secure way to send invoices to your clients -- as long as it's sent securely. Depending on the client, and the type of work you're doing for your clients, the actual importance of encrypting the message (and attachment) can vary greatly. The default should always be to encrypt digital communications about financial matters, however, because financial information can be abused easily if it is intercepted by the wrong person.

    Cryptographically signed emails and attachments have the benefit of being effectively unforgeable, assuming you're using a strong algorithm that hasn't been cracked, so when you communicate with each other both parties will know that any messages are the genuine article.

  • authenticated, encrypted download

    Another option, if you can't get a client to use encryption software with email, is a secure download. To secure it, you need to make sure it's protected by a decent authentication process as well as encrypted access for the download, though -- at least a username and password unique to the client. Encrypted downloads won't protect your invoices from being intercepted by unauthorized people if just anyone can stumble across the page and download it, regardless of how strong the session's encryption may be.

  • authenticated, encrypted payment page

    Sometimes, it may be more convenient for all parties if you just have an online payment form, where clients may pay by credit card. This approach requires a certain amount of dedication to the process of accepting credit cards online, of course, and part of the process in the United States requires PCI compliant security measures, but don't let PCI standards limit you. Make sure it's secure, in addition to being compliant, because legal liability is not the only potential problem you may encounter if you aren't careful. If you can't do it right, don't try taking this approach at all.

  • certified mail

    When snail mail is the necessary option for financial communications with a client, make it certified mail so you can track its progress in case it doesn't arrive as expected, and so you have greater assurances with regard to it arriving unmolested. It's far from certain, and not nearly as good an assurance of privacy as encrypted emails, but it's better than sticking a stamp on a plain white envelope and hoping for the best.

  • third party secure invoicing

    Sometimes, the easy way to ensure the privacy of your invoicing process is to get a third party dedicated to the kind of invoicing process you employ to handle the hard work for you. This is an option used by a lot of independent consultants who provide an online payment form for credit cards, such as by way of a PayPal business account. Contracting services may handle payment details for you, in part to ensure that they get their cut of the payment, but then the contracting service becomes your client for purposes of securing financial communications.
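
To make the "authenticated, encrypted download" item concrete, here is a sketch of the server-side check it implies. It is an added example, not code from the article: the account names, invoice IDs, passwords and the `fetch_invoice` function are hypothetical, and the `over_tls` flag stands in for whatever your web server reports about the connection.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: tune the work factor to your hardware

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed sample data: two clients, one credential each, one invoice each.
ACCOUNTS = {
    "acme": make_account("constructed-pass-acme"),
    "globex": make_account("constructed-pass-globex"),
}
INVOICES = {
    "INV-1001": {"owner": "acme", "body": b"Invoice 1001 for Acme"},
    "INV-2001": {"owner": "globex", "body": b"Invoice 2001 for Globex"},
}
DUMMY = make_account("unused")  # hashed against when the username is unknown

def fetch_invoice(username, password, invoice_id, over_tls):
    """Return (http_status, body) for a download request."""
    if not over_tls:
        return 400, b""  # never accept credentials or serve invoices in plaintext
    account = ACCOUNTS.get(username)
    ref = account or DUMMY  # do the same hashing work for unknown usernames
    supplied = hash_password(password, ref["salt"])
    if not (hmac.compare_digest(supplied, ref["hash"]) and account):
        return 401, b""
    invoice = INVOICES.get(invoice_id)
    # A missing invoice and another client's invoice get the same answer,
    # so a logged-in client cannot probe which invoice IDs exist.
    if invoice is None or invoice["owner"] != username:
        return 404, b""
    return 200, invoice["body"]
```

The ownership check is the part that is easy to forget: a valid login alone would let one client download another client's invoice by guessing its ID.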

Sometimes it may be difficult to adhere to secure invoicing policies, particularly when dealing with a larger corporation whose bureaucratic structure may interfere with implementing new security procedures for receiving and paying invoices. Make your decisions about how secure you can and should make your financial communications, when to compromise, and when to skip working for a particular client altogether because there simply isn't any reasonable way to use a secure enough invoicing policy to suit your needs.

Do your best to secure financial communications against unauthorized access, in any case. Remember that both your client's security and your own may be at stake, and act accordingly.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

4 comments
Deadly Ernest

Send an email as a statement with a note they can email me to request the full invoice at my usual email address and not the reply to address of this email. Then send the full invoice attached to their email requesting it as a reply to their request. That way they know it's coming from me. Naturally this requires me to use two email boxes, but that's not an issue for business email addresses.

apotheon

I must admit, my own adherence to secure practices when invoicing hasn't been perfect over the years. Do as I say -- not as I do.

apotheon

The enemy knows the system. I guess it's better than nothing, though.

Deadly Ernest

very few invoices not handed out while on site, it works well since we both use known email addresses to communicate and check them out.