Protecting Our Data, Buildings, and Employees
One of our most fundamental responsibilities is to keep Paychex employees, assets, information, and client data safe. It’s how we deliver on our promise of doing business the right way.
Through the Paychex Information Protection Program, we apply best practices in information security, proven technology, and effective policies and procedures, and maintain a comprehensive program to monitor and safeguard information from unauthorized access or destruction. The Paychex Enterprise Security Program is aligned with the National Institute of Standards and Technology (NIST) Version 1.1 Cybersecurity Framework. The NIST Cybersecurity Framework leverages NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
Our security policy and standards, which have been ratified and enforced by executive management, are built upon the five NIST Framework Functions.
The Paychex Security Whitepaper is available for review.
Paychex is committed to protecting the security and integrity of client information through procedures and technologies designed for this purpose. Specifically, we:
- Maintain policies and procedures covering the physical security of our workplaces, systems, and records.
- Apply physical, electronic, and procedural safeguards built on industry-recognized best practices.
- Use technology such as backup files, virus detection and prevention, firewalls, and other computer hardware and software to protect against unauthorized access to or alteration of client data.
- Encrypt sensitive information transmitted over the internet.
- Use access controls and internal auditing to limit employee access to client information to those who have a business reason to know.
- Require employees to take information security awareness training at hire and annually, and apply this training to their jobs every day.
- Use advanced technologies for the backup and recovery of client information.
- Monitor compliance with established policies through ongoing security risk assessments and internal audits.
Client Services Security
Security policies and procedures for Paychex client-facing services and applications are specifically designed to protect the confidentiality of the sensitive information in clients’ electronic communications and transactions. Paychex stands behind its commitment to keep client data protected through the following best practices and technologies:
- Multilayered firewall technologies
- Real-time monitoring for suspicious or unusual activity
- Secured transmission of communications using transport layer security (TLS) encryption
- Comprehensive access controls
- Logical patch management procedures and processes
- Regular vulnerability assessments
- Multifactor authentication options for select client-facing services
Secure Email Communications
An important component of safeguarding the privacy and security of client, company, and employee information is the Paychex Secure Email Message Center. A protected email environment designed to keep sensitive and confidential information safe, the Secure Email Message Center provides a vehicle for Paychex to send notifications to regular email accounts with links to our secure email server, where recipients can register and access confidential emails.
Paychex utilizes multiple approaches to test the security of our networks, including:
- Ongoing network vulnerability and configuration baseline scans, as well as source code scans. The results are shared with the appropriate IT teams inside Paychex to identify the best mitigation strategy.
- Ongoing internal and external penetration testing against our infrastructure and our applications. After management reviews these reports, remediation is performed if necessary.
- A private, invitation-only bug bounty program covering certain Paychex applications, which rewards security researchers for the identification of complex and critical vulnerabilities within our web applications.
Employee Security Awareness Training
In addition to annual security awareness training provided across the enterprise via our Right Way Training, our employees participate in routine phishing simulations designed to test and educate them on how to recognize and report phishing emails. In addition, we provide ongoing training to our Software Development teams, where they are instructed in secure code development and provided up-to-date intelligence on different attack techniques. Last but not least, we provide security alerts and education to our employees through our internal employee communication networks to keep them up to date on the best security hygiene practices and advisories that may impact them. This includes weekly communications during October, as we leverage National Cyber Security Awareness Month to reinforce security concepts and practices.
Retention and Destruction of Hard Copy and Electronic Information
The Paychex Records Management Program (RMP) provides effective management of the company’s business records. The RMP provides effective life-cycle management of all Paychex records from their generation or receipt to their final disposition. Adherence to the RMP ensures that Paychex:
- Complies with government regulations and legal requirements.
- Protects records necessary to Paychex operations.
- Reduces the cost of maintaining and storing records.
- Supports good business practices.
Paychex has processes in place to comply with local, state, and federal requirements regarding the security of client data. These processes include comprehensive security procedures that are regularly reviewed and revised as appropriate to reflect regulatory changes.
Paychex is committed to compliance with all local, state, and federal privacy regulations related to customer data.
The regulatory environment related to privacy is in constant flux with new regulations being implemented on a regular basis at the local, state, and federal levels. Our goals are to remain up to date and in compliance with all associated changes.
It is our responsibility to understand and comply with applicable laws and regulations related to customer privacy. Paychex has established policies and procedures to comply in a timely fashion with applicable federal and state legal requirements related to privacy, data security, and incident notification.
We provide contact information to report any instance in which a customer believes an unauthorized party has accessed their account or information.
Paychex encourages researchers to share with our team the details of any suspected vulnerability information via an online form which is administered by a third party.
Business Continuity and Disaster Recovery
Paychex has adopted a business continuity strategy designed to help ensure the continuation of business-critical functions in the event of a significant business disruption at any of our branches or corporate offices, including technical failures affecting our applications, data centers, networks, and the buildings we occupy. Paychex’ business continuity plan also includes measures designed to deal with severe weather, localized and regional disasters, and workforce-impacting events such as pandemics. The documented and tested recovery strategies are designed to mitigate the impact to our clients from any business disruption.
Individual events, including extreme weather, may affect the availability of Paychex client-facing services and could lead to financial impact to clients, missed deadlines which carry penalties and eventual financial impacts to Paychex, and damage to the overall Paychex brand reputation. Acute physical risk factors are assessed by business units, real estate, and IT and prioritized for business continuity, disaster recovery, and business resumption planning. The threat from individual events to data center operations is minimal, as Paychex has 200% redundancy to protect customer-facing applications across Paychex processing centers. The threat to the Paychex service locations could be more substantial; however, redundancy across the service locations should lead to minimal impact to clients. Examples include, but are not limited to, severe winter weather, hurricanes, tornadoes, wildfires, floods, and power outages.
Sustained events associated with climate change could cause long-term outages leading to financial impact to clients, Paychex revenue, and overall brand reputation as some of our data centers and service locations may be susceptible to increased energy consumption, accessibility to staff, and critical suppliers for our fulfillment centers. Redundant locations that protect against individual events (acute) may also be impacted equally by sustained events and require alternate solutions. Examples include, but are not limited to, rising temperatures, electrical blackouts, and rising sea levels.
Managing Risks of Service Disruptions
Paychex supports approximately 740,000 clients using multiple Paychex services and products. While rare, there have been occasions when we have experienced limited, unplanned outages or downtime. We work quickly to restore service and minimize client impact when these events occur. Further, we back up client data in data centers spread out across the U.S., and if there are regional disruptions or outages, client data can be accessed from unaffected locations.
In 2019, Paychex launched Active Threat Preparedness Training to help our employees understand what they can do to prepare for and – if necessary – minimize the impact should the unthinkable happen.
We partnered with the Monroe County Sheriff’s Office in Rochester, New York to underwrite a comprehensive training video that includes information, statistics, and a re-enactment of an active shooter situation. It was filmed at Paychex locations in Rochester and features our own employees and local law enforcement, who volunteered to be actors and extras in the powerful re-enactment.
All new employees take this important training, and we deliver it to existing employees with updated collateral materials every two years, with a shorter refresher in the alternate years. The training is also available on the Monroe County Sheriff’s Office website free of charge to other businesses and individuals to help as many people as possible be prepared to take appropriate action to minimize loss of life.
Additional Security Measures
Employee Photo Identification
Employee photo identification is required to be visible at all times when on Paychex property.
Physical Security General Site/Building Information – Physical access to all buildings is restricted. Physical access to the corporate data processing centers is limited to employees with a business need to access the centers and is subject to additional levels of security. Physical access to other restricted areas and buildings is controlled by security guards, video surveillance monitoring, key fobs, keys, and other means.
Visitor Access – All persons visiting any Paychex location must have a business justification to do so. Visitors in any Paychex location are required to sign in and are issued a numbered visitor’s badge. Visitors are not allowed in any area of the building without being accompanied by an authorized employee.
Security and Internal Controls Training
The annual training on Security and Internal Controls is a scenario-based eLearning that puts the learner in the driver’s seat to identify and troubleshoot realistic scenarios that are customized based on sales or non-sales, and manager or individual contributor job roles. The training is completed by all employees including full-time, part-time and contract employees. Throughout the training program, the learner is provided with information on company policies: both within the training content itself, as well as in a downloadable PDF, with links to the site where all policies are located. The learner is recommended to reference the links to obtain the most current policy information. The training also calls out the relevant Paychex values.
Learners dive deep into data security issues, including identifying and reporting security incidents, as well as the dangers of phishing emails and business email compromise (BEC). There are also specialized security modules, such as privileged user access, the handling of PHI, and executive-level security training, which are assigned to employees with specific functions in addition to the general security topics that address areas of security risk to the company. In addition, employees recognize the importance of identifying protected information, including:
- HIPAA (Health Insurance Portability and Accountability Act)
- HITECH (Health Information Technology for Economic and Clinical Health Act)
- PHI (Protected Health Information)
- NACHA (National Automated Clearing House Association)
- PII (Personally Identifiable Information)
- PCI (Payment Card Information)
The training requires employees to acknowledge that they have received, reviewed, and understand the Paychex Code of Business Ethics and Conduct which includes requirements on handling of confidential information and company assets.
Content from the following policies is referenced in the training:
- Public Security Statement
- Personal Named User Accounts
- Personal Named User Accounts—Passwords