SPS: Secure Payment System

System Requirements: PC Minimum Hardware and Software Requirements

SPS is a browser-based, thin-client application that will be accessible via the Internet or modem dial-up. Dial-up access will also be available as a contingency in the event of Internet unavailability or for those agencies that may have firewall restrictions prohibiting use of signed Java applets from FMS for the SPS application.

SPS can be run from any PC meeting the minimum requirements listed below:

  • Desktop with Windows XP or Windows 7 (Note: All of the latest XP/Windows 7 updates/patches/service packs provided by Microsoft can be applied)

  • (For SPS-Web installations on XP only) Browser: Internet Explorer 7.0+ plus Java Plug-in 1.6.0_23+. Note: Agencies have reported that SPS works with Firefox and Safari (unsupported). SPS does not work with Java 1.7.

  • Adobe Acrobat Reader, plug-in for Internet Explorer, version 9.0 or higher

  • Datakey CIP software Maintenance Update 20.2 - 4.7.20.2010 or Safenet Authentication Client 8.0 Service Pack 2 (preferred)

  • Rainbow iKey 2032 USB Token

  • One free USB port

  • Available Printer

  • 56K external or internal modem for dial connectivity. Analog telephone line for any PC used for dial-up (FMS suggests each SPS site have at least one analog line available for contingency purposes, in the event of Internet unavailability)

  • Internet connectivity via user agency's connection

While being able to run SPS from any user's PC is convenient, there are concerns and vulnerabilities inherent to an Internet environment that you should consider prior to determining how your agency will implement and operate SPS. For example, your agency may have firewall policies that prohibit downloading Java applet code, in which case your agency would have to use SPS in dial-up mode.

Each agency must designate at least one Data Entry Operator (DEO) and one Certifying Officer (CO) to operate SPS. SPS Offline includes the "third party" function, with which FPAs can create the payment data for certification in their own systems and export it to SPS.

Due to the sensitivity of the data being passed through SPS, we have built SPS to be very secure. The General Accountability Office and a number of security agencies have participated in reviews at various stages throughout the development of SPS.

  • Every SPS user at your agency must have a Public Key Infrastructure (PKI) Credential in order to access the system. PKI will also be used to sign certifications electronically. FMS will provide all PKI Credentials for your SPS users at no cost to your agency. FMS will also provide instructions and policies for PKI enrollment. Contact your servicing RFC.
  • Every SPS user at your agency must have a token, which will contain the PKI Credential for user authentication and document signing.
  • Every PC used at your agency that will be used to access SPS will need to be configured to read the SPS token.
  • The use of PKI in SPS has business and potential staffing implications for FPAs. In order for a user to obtain a PKI Credential, the user must appear in person at a PKI Registration Authority (RA) or a Fiscal Trusted Registration Agent (FTRA). The user must also appear in person at an RA or FTRA in order to have a suspended PKI Credential re-activated. FMS will have an RA at its Hyattsville, Maryland facility. FMS will have FTRAs at its Liberty Center location (Washington DC) and the two Regional Financial Centers (Kansas City MO and Philadelphia PA). FPA personnel may appear at any of these FMS locations for certificate processing.
  • A Fiscal Trusted Registration Agent (FTRA) consists of individuals designated by the business customer (Federal Program Agency). The business customer is responsible for:
    • Identifying in writing to the RA the names and contact information for a minimum of two individuals to serve as FTRAs.
    • Updating the RA with FTRA information when the FTRAs change.
    • Notifying the RA if the certificate holder ("subscriber"):
      • is no longer employed or affiliated with the FPA
      • no longer requires the private key associated with his/her PKI certificate
      • has reason to believe his/her private key has been compromised
      • no longer has access to his/her private key (e.g., cannot remember the password that unlocks the private key)

To achieve an adequate degree of security and integrity, FMS is setting the PKI Level of Assurance fairly high. This will require an active FTRA to proof in person any other individual who is to become a FTRA. The individual will be required to provide one valid government-issued picture identification. SPS users (DEO or CO) must be proofed in person by one FTRA prior to being issued a PKI Credential. SPS users must also provide one form of valid government-issued picture identification. Any individual seeking credential services, such as password or token re-issuance, must re-appear before the FTRA for in-person proofing prior to being serviced.

There is no requirement within SPS or PKI that every site establish a FTRA. The decision whether or not to establish a FTRA is a business decision. If your agency has a sufficient number of Certifying Officers and Data Entry Operators trained and activated, and you are located close enough to a FTRA, the agency may decide that its payments business can be satisfied by using a FTRA at another FMS site. If your agency is not located close to a FMS site, you will need to consider the travel costs and travel times for each of your SPS employees to get to a FTRA in person.

The primary determinants of whether or not to establish a FTRA are probably the timeliness of acquiring PKI services, the number of users who would need to use a FTRA, and the availability of two individuals (plus backups) to serve as FTRAs and provide sufficient coverage for your business needs. A couple of other considerations that could factor into your decision on whether to designate a FTRA(s) are: 1) FMS will be moving away from SecurID card technology to PKI for other applications, and a FTRA can provide PKI services for any FMS application; 2) while you may be located near a FTRA for another agency, that agency would not necessarily have ready access to proof-of-employment records for your employees, and may be reluctant to vouch for them.

You will perform the initial load of SPS at your site via a CD-ROM provided by FMS. Subsequent application changes and enhancements will almost always be automatically downloaded to your users.


   Last Updated:  April 18, 2014