Concept demo for OESC ESOW4 (SW1050) — built by Concourse Tech. All employers, TPAs, balances, payments, and logs shown are fabricated mock data. No live payment processor is connected.
A concept demo for the Oklahoma Employment Security Commission. Concept by Concourse Tech · ESOW4 / SW1050 response (concept only — no real PII or payments)
Oklahoma Employment Security Commission
Tax Payment Modernization · Concept

Architecture & integrations

How the OESC tax payment system fits with the four integration targets called out in the ESOW4 supporting document. Production hosting on AWS GovCloud (FedRAMP Moderate) with fail-over to AWS commercial only for read-only public assets.

Architecture diagram (components as labeled):
  • Users: Employer (self-service), TPA (consolidated), OESC staff (internal tools)
  • OESC Tax Payment App: Next.js · React · Concourse; routes /employer · /tpa · /staff
  • SSO: Entra ID / B2C
  • RBAC + scope check
  • Audit log writer
  • Payment API: stateless · API Gateway
  • Approved processor: OK.gov / commercial
  • COBOL mainframe: balances + ledger
  • Audit store: immutable · 3+ yrs
  • Hosted on AWS GovCloud · TLS 1.3 · WAF · MFA enforced for staff · SOC 2 Type II
COBOL mainframe
  • Read tax / surtax / interest / penalty / fee balances per quarter at request time.
  • Write end-of-day balance updates after capture confirmation (PAY.015) via overnight settlement file or near-real-time MQ depending on OESC preference.
  • Reuse existing copybooks; new fields added to a side-car ledger for payment provenance.
  • Idempotent retry semantics: every write carries a Concourse transaction UUID.
Employer Portal (external)
  • Embedded as a React module behind OESC's existing identity provider (Entra ID and B2C).
  • Single login / logout; no extra credentials for employers.
  • Looks like the Employer Portal, not a third-party site — including OESC branding tokens.
  • Fully accessible (WCAG 2.1 AA / Section 508).
Agency service tools (internal)
  • Role-based access: read-only auditor, payment processor, supervisor, treasurer.
  • Manual entry, void / refund, replay rejected ACH, drill into mainframe records.
  • Side-by-side new ledger vs mainframe view to support the cutover period.
  • Granular scope check on every API endpoint — denies become QTR.111 audit rows.
State-approved payment processor
  • Real-time card capture and ACH origination via the State of Oklahoma's approved processor (e.g., OK.gov PayOnline / Treasurer-approved provider).
  • Tokenized card storage on the processor side — OESC never holds PAN data.
  • NACHA-compliant ACH origination, including R-code handling for returns.
  • Card processing fee added at the line item (PAY.016) so OESC's net is unchanged.
Blocked payment methods
At the API layer we explicitly reject foreign electronic payments, wire transfers, cryptocurrency, and any non-standard method (PAY.005). Each rejection is logged with the source IP, account, and reason.
Payment data security
SOC 2 Type II controls; encryption at rest (AES-256) and in transit (TLS 1.3); MFA enforced for staff users; audit logs immutable.
Idempotency & duplicate prevention
Each payment is keyed on (employer, amount, day, method) within a 60-second window (PAY.017). The processor also enforces idempotency keys.
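A sketch of the PAY.017 duplicate check described above, added here as an illustration and not Concourse's or OESC's code. The key fields and the 60-second window come from the page; the function and class names, the in-memory store, the UTC day boundary, the integer-cent normalisation, and treating a repeated transaction UUID as a client retry are assumptions.

```javascript
// Added example: in-memory duplicate guard. A real deployment would use a
// shared store with TTL; the Map here keeps the sketch self-contained.
const WINDOW_MS = 60_000; // 60-second window from PAY.017

// Build the (employer, amount, day, method) key. Amounts are normalised to
// integer cents so "100.10" and 100.1 produce the same key.
function paymentKey({ employerId, amount, method }, nowMs) {
  const cents = Math.round(Number(amount) * 100);
  if (!Number.isInteger(cents) || cents <= 0) throw new RangeError("bad amount");
  const day = new Date(nowMs).toISOString().slice(0, 10); // UTC day (assumption)
  return [employerId, cents, day, String(method).toLowerCase()].join("|");
}

class DuplicateGuard {
  constructor() { this.seen = new Map(); } // key -> { txId, atMs }

  // Returns { status: "accepted" | "replay" | "duplicate", txId }.
  submit(payment, txId, nowMs = Date.now()) {
    this.evict(nowMs);
    const key = paymentKey(payment, nowMs);
    const prior = this.seen.get(key);
    if (prior) {
      // Same transaction UUID: a client retry, hand back the original result.
      // Different UUID: a second payment inside the window, reject it.
      const status = prior.txId === txId ? "replay" : "duplicate";
      return { status, txId: prior.txId };
    }
    this.seen.set(key, { txId, atMs: nowMs });
    return { status: "accepted", txId };
  }

  // Drop entries older than the window so memory stays bounded.
  evict(nowMs) {
    for (const [key, entry] of this.seen) {
      if (nowMs - entry.atMs >= WINDOW_MS) this.seen.delete(key);
    }
  }
}
```

With the day as part of the key, two submissions on either side of midnight UTC produce different keys, so this check alone does not pair them.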
Retention & data lifecycle
Audit log
≥ 3 years (QTR.112). Cold storage tier after 90 days for cost. Searchable from the staff console for the full retention period.
Payment transaction store
7 years per OK retention schedule for financial transactions. Read-only after capture; void / refund creates new linked rows.
Receipts
Generated on demand from the transaction store; persisted as PDF for 3 years. Linked from employer hub.
Compliance posture
SOC 2 Type II (Concourse), NIST CSF aligned, IRS Pub 1075 controls, CJIS-aware. WCAG 2.1 AA audited at every release.
Operations
99.9% monthly availability target; RPO ≤ 24h, RTO ≤ 4h. Pager rotation Mon-Fri 7×7 with weekend on-call. Standard SLA aligned to OESC business hours.
Note on processor selection. The State's approved payment processor and gateway (e.g., OK.gov PayOnline or its successor) is the agency's decision. The architecture above is processor-agnostic — we've done OK Treasurer ACH/wire and commercial gateway integrations on prior Concourse engagements.