AUTHORS
with the contribution of

Securely Send Checks with Skyflow APIs

Skyflow’s new prebuilt connection with PostGrid lets you send checks to customers, companies, and organizations without having sensitive customer PII and automated clearinghouse (ACH) data touch your backend systems.

Mailing physical checks is still an important way to make payments, and is required in certain industries and jurisdictions. With Skyflow and PostGrid, you can send checks to financial institutions or individuals using just an API call. This makes it easy to use customer PII to issue checks for workflows like the following:

  • Refunds and Rebates: In this case, you use Skyflow to protect your ACH data and your customer’s PII (name and mailing address) when issuing a refund check
  • 401k Rollovers: In this case, you use Skyflow to protect a customer’s ACH data and PII when issuing a check that they can use to contribute to a rollover IRA

In each of these scenarios, Skyflow’s integration with PostGrid protects the privacy of sensitive data and reduces the scope and complexity of regulatory compliance because sensitive data is isolated in Skyflow’s Data Privacy Vault. In this post, we’ll take a closer look at how you can use Skyflow Vault to support these common money movement scenarios.

How Does PostGrid Work?

PostGrid provides APIs that make it easy to issue physical checks or other types of physical mail – on demand, and at scale. Their Print and Mail REST APIs are fully documented and ready to handle anything from one-off refunds to recurring payments. To send a check, PostGrid requires the following information:

  • ACH data: This data details the account number and routing number for a bank or brokerage account that you’re authorized to make withdrawals from. Regardless of whose account this is, you should also protect ACH data, because although it’s lightly regulated, it’s very sensitive and can be used to make irreversible withdrawals.
  • PII: This data includes a mailing address and the name of the person who is receiving the funds (or whose account is receiving the funds). PII is regulated by a growing number of data privacy laws in the US and internationally, and customers value having their PII protected, so you should handle it with care.

PostGrid lets you send checks by contacting their APIs directly, but how can you do that without bearing the risk that comes with storing, managing, and protecting PII and ACH data? That’s where Skyflow’s API integration with PostGrid comes in. With Skyflow and PostGrid, you can send checks to financial institutions or individuals using just an API call to Skyflow, which isolates and protects PII and ACH data, and also manages API calls to PostGrid using this data.

How Does Skyflow Integrate with PostGrid?

Skyflow Vault is designed to allow the secure use of sensitive data across systems and downstream applications. It helps companies to build better apps and systems more quickly, enables the highest levels of data privacy and security, and helps to ensure compliance with applicable data protection regulations. Skyflow Vault also allows for granular governance controls along with in-depth data auditing and logging. Skyflow Connections, including Skyflow’s prebuilt PostGrid connection, helps to protect sensitive data while letting you share it with approved third parties for business-critical workflows.

To issue checks when using Skyflow and PostGrid, you first have to enter the following types of data into Skyflow Vault: 

  • PII for any person or business that you want to send a check to. This includes things like the name of the recipient and the various parts of a mailing address – including the address lines, city, zip or postal code, etc. 
  • ACH data for any financial accounts that you want to issue checks from. Depending on the scenario, this could be your company’s ACH data, it could be a customers’, or it could belong to a third-party financial institution. This flexibility lets you support any money movement operation that uses checks.

When entering PII and ACH data into the vault, you receive tokens that correspond to each field entered. Skyflow can help you collect this data without it touching your backend systems, so your backend only handles tokens with no exploitable value.

Now that you have tokens that correspond to the PII and ACH data you need, you can use Skyflow’s prebuilt PostGrid connection to create bank accounts in PostGrid, and then issue checks.

First, you’ll use the Create Bank Account route and the ACH data tokens you received from Skyflow to create an account in PostGrid. You can see how this looks in Skyflow Studio, below:

Skyflow’s prebuilt Connection for PostGrid, in Skyflow Studio. You can create a bank account, or create a check (or cheque) while protecting data privacy.
Skyflow’s Prebuilt Connection for PostGrid

Using the ACH data tokens for one or more bank accounts, you can call the Create Bank Account API included in Skyflow Connections’ prebuilt PostGrid connection. Then, you can issue checks by calling the other API included in this connection – Create Cheque. Neither customer PII nor the ACH data used to issue the check needs to touch your infrastructure. Your backend sends your Skyflow Vault an API call with tokens from your backend, and then the vault calls PostGrid’s APIs using detokenized data.

You can see the steps in this workflow in the following diagram:

PostGrid API Flow to Issue a Check

API Example

Let’s take a closer look at how this works with a few example API calls using tokenized data. Let’s say that you’re working for a fictional company, Instabread, that’s issuing a check to one of their most loyal customers as part of a loyalty rewards program. 

For this workflow, you need to use ACH data to create a bank account in PostGrid, and then you need to use customer PII to send the check. Normally you would need to handle this sensitive data in Instabread’s backend systems and send that directly to PostGrid, but that would put this data at risk if your backend systems are compromised. 

Because you’ve already entered this information into Instabread’s Skyflow Vault, instead you can use tokens stored in your backend to integrate with PostGrid while preserving privacy. Those tokens are included in API calls that you make to Skyflow Connections. Skyflow Connections detokenizes the sensitive PII and ACH data and then sends the resulting call to PostGrid APIs.

Because real tokens aren’t human-readable, these examples use placeholders like <SkyflowToken_routingNumber> and <SkyflowToken_accountNumber> for purposes of illustration. 

Create a Bank Account Using ACH Data

To create a bank account with the prebuilt PostGrid connection, make an API call like the following:

curl --location --request POST 'https://<Skyflow_connection_url>/v1/bank_accounts'
--form 'bankName="Imaginary Bank"'
--form 'bankPrimaryLine="100 Front Street"'
--form 'bankSecondaryLine="San Francisco, CA"'
--form 'bankCountryCode="US"'
--form 'transitNumber="12345"'
--form 'routeNumber="<SkyflowToken_routingNumber>"'
--form 'accountNumber="<SkyflowToken_accountNumber>"'
--form 'signatureImage=@"/home/user/Pictures/Example Signature.png"'

Here you’re swapping <Skyflow_connection_url> for the root URL provided by Skyflow, and using real Skyflow-issued tokens in place of <SkyflowToken_routingNumber> and <SkyflowToken_accountNumber> to protect Instabread’s ACH data. Note the similarity of this API call to using PostGrid’s Create Bank Account API endpoint. The response code will include a PostGrid bank account ID (in this case, bank_mycTFJcd2d5SHifVHidiwc), which we’ll use in the next step.

Now that we’ve created an account, let’s issue a check.

Send a Check Using ACH Data and Customer PII

To send a check (or ‘cheque’) with the prebuilt PostGrid connection, make an API call like the following. Note that the customer's name and mailing address are tokenized, but Instabread's mailing address isn't:

curl --location --request POST 'https://<Skyflow_connection_url>/v1/cheques'
--data-urlencode 'from[companyName]=Instabread'
--data-urlencode 'from[addressLine1]=123 Fake Street'
--data-urlencode 'from[addressLine2]=Floor 13'
--data-urlencode 'from[city]=San Francisco'
--data-urlencode 'from[provinceOrState]=CA'
--data-urlencode 'from[postalOrZip]=94122'
--data-urlencode 'to[firstName]=<SkyflowToken_firstName>'
--data-urlencode 'to[lastName]=<SkyflowToken_lastName>'
--data-urlencode 'to[addressLine1]=<SkyflowToken_addressLine1>'
--data-urlencode 'to[addressLine2]=<SkyflowToken_addressLine2>'
--data-urlencode 'to[city]=<SkyflowToken_city>'
--data-urlencode 'to[provinceOrState]=<SkyflowToken_provinceOrState>'
--data-urlencode 'to[postalOrZip]=<SkyflowToken_postalOrZip>'
--data-urlencode 'bankAccount=bank_mycTFJcd2d5SHifVHidiwc'
--data-urlencode 'amount=100'
--data-urlencode 'memo=Thank you for being a loyal customer of Instabread!'
--data-urlencode 'number=5049'

The result is that a customer receives a check from you, without you ever needing to store their PII in your backend.

Note the similarity of this API call to using PostGrid’s Create Cheque API endpoint.

Because Skyflow’s PostGrid integration leverages PostGrid’s APIs, it’s easy to integrate Skyflow with your infrastructure without overhauling the code that you’re already using to issue checks with PostGrid. It’s a good example of how adding data privacy to your existing workflows doesn’t need to be onerous or disruptive.

Final Thoughts

Any company that needs to issue physical checks should be concerned with protecting the data used to issue those checks, including PII and ACH data. With Skyflow’s PostGrid integration, you can protect the privacy of this sensitive data while issuing checks to support the money flows your business requires. To learn more about how Skyflow makes it easy to protect sensitive data while still using it, contact us for a demo or give Skyflow a try.