For organizations that handle payments and process credit card transactions, adhering to PCI DSS (Payment Card Industry Data Security Standard) is common practice and one that should be reviewed annually to ensure data security compliance. What might not be common knowledge is the role of Nacha, and that there are new Nacha compliance requirements that are just as vital.
Nacha, or the National Automated Clearing House Association, is a nonprofit organization that manages the administration, development and governance of hundreds of organizations to better enable electronic payments and financial data exchange.
Funded by the financial institutions it governs, Nacha's purpose is to develop rules, standards, governance, education, advocacy and innovation for those that use the ACH Network; this is the electronic infrastructure that facilitates the transfer of money in the United States and across other geographies.
The ACH Network transfers money and all related payment information from one financial institution account to another in an efficient and secure process. This is essentially any kind of electronic bank-to-bank transfer made via the ACH network through direct deposit and direct payment. You may not realize it, but almost every American will be impacted by the ACH Network.
To be clear, the ACH Network is the technology that facilitates the transfer of money. This technology is overseen by Nacha, which enforces the rules the ACH Network must abide by through the Nacha Operating Rules for ACH payments. These define ACH Network participants' roles and responsibilities through a set of requirements that guide risk management. The U.S. Federal Reserve and the Electronic Payments Network are responsible for operating and running the network.
The Nacha Operating Rules are the legal framework and basic obligations that every ACH network member must abide by to ensure the security of every payment made. These are standardized so that there is an equal playing field for all members. Within the operating rules there are dedicated security practices called the ACH Security Framework that were first implemented in 2013.
The existing framework is now being extended with data protection requirements that require members and their third-party suppliers to protect deposit account information by rendering it unreadable when it is stored within digital environments. These changes, known as the supplemental data security requirements, will be rolled out over two phases between 2021 and 2022.
Phase 1 of the Rule is effective from June 30, 2021, and applies to ACH Originators and third parties that conduct more than 6 million ACH payments annually. Phase 2 begins on the same date in 2022 and again applies to ACH Originators and third parties, this time including those that conduct more than 2 million ACH payments per year.
It is strongly advised that all participating Nacha members become compliant with these new rules. Yet, because the Nacha rules are reviewed and updated annually, changes can sometimes be overlooked by organizations. If an organization is found noncompliant, Nacha will issue warnings and fines; if these are ignored, penalties of up to $500,000 will be issued every month until the matter is resolved.
As previously mentioned, a critical aspect of compliance is the requirement that ACH participants render deposit account information unreadable when it is stored electronically. This, along with other rules, aligns with what is expected for PCI DSS compliance. For instance, PCI Requirement 3.4 states that all primary account numbers (PANs) must be rendered unreadable. Nacha has even informed members that if they are using effective data security methods to adhere to PCI DSS, then this also means compliance with elements of the ACH Security Framework. With that said, the broader framework stipulates that data security must extend beyond protecting just data at rest. If organizations are wondering whether they need to apply all PCI standards to ACH-related account numbers to be compliant with the supplemental data requirements, the answer is no. ACH participants can look to PCI DSS as a reference to build from, but the Supplemental Data Security Rule only pertains to securing data at rest, which corresponds to certain requirements of PCI DSS v3.2.1: Requirement 3 (all sub-requirements) and Requirement 8.2.1.
Many organizations are focused on implementing perimeter defenses to secure deposit account data instead of protecting the data itself, which is more effective in reducing the chance of the data being exposed. By adopting a data-centric approach like tokenization, with the sole purpose of masking sensitive and regulated data, ACH members will know the information has been made unreadable and useless to an attacker throughout the data life cycle. This is a major advantage for those seeking a data security method that guarantees continuous compliance with the new supplemental data security requirements.
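To make the data-centric approach concrete, here is an added example (not code from the article or from Nacha) of a minimal tokenization vault for ACH deposit account data: the application record keeps only a random token and the last four digits, the vault holds the only copy of the routing/account pair, and a keyed blind index lets the vault recognize a repeat account without storing plaintext. The class and function names, the `index_key`, and the sample routing and account numbers are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets


class AchTokenVault:
    """Constructed example of a tokenization vault for ACH deposit account data.

    Assumed: in production the vault's own store is encrypted and reachable only
    from an authorized detokenization service; the application database never
    holds anything but the token.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # secret key for the blind index
        self._by_token = {}              # token -> (routing, account)
        self._by_index = {}              # blind index -> token

    def _blind_index(self, routing: str, account: str) -> str:
        # Keyed HMAC lets the vault detect a repeat account without storing or
        # comparing plaintext; without the key the index reveals nothing.
        msg = f"{routing}:{account}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, routing: str, account: str) -> str:
        idx = self._blind_index(routing, account)
        if idx in self._by_index:        # same account -> same token
            return self._by_index[idx]
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the data
        self._by_token[token] = (routing, account)
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> tuple:
        # Only the vault can map a token back; gate this behind authorization.
        return self._by_token[token]


def store_payment(vault: AchTokenVault, routing: str, account: str, amount: str) -> dict:
    """The record the application database keeps: token and last four digits only."""
    token = vault.tokenize(routing, account)
    return {"token": token, "account_last4": account[-4:], "amount": amount}


def record_is_unreadable(record: dict, routing: str, account: str) -> bool:
    """Check that a stored record exposes neither the routing nor the full account number."""
    serialized = repr(record)
    return routing not in serialized and account not in serialized
```

A compromised application database then yields tokens that are meaningless outside the vault, which is the property the Supplemental Data Security Rule is asking for at rest.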
The financial payments industry is rapidly evolving, with many of the world's major retailers and financial institutions already taking advantage of data-centric security to secure PANs in accordance with PCI DSS. It's time these same organizations used a similar data security approach to meet Nacha compliance.