What is ACH?
ACH (Automated Clearing House) is the network for electronically processing large volumes of debit and credit transactions in the United States. The key participants in the ACH network are the customer, the clearing house (the ACH Operator), the Third-Party Service Provider, the banks on either side of an entry (the Originating and Receiving Depository Financial Institutions, ODFI and RDFI), and the merchant.
ACH payment systems were introduced to reduce the use of paper checks for recurring payments such as mortgages and insurance premiums. Today, trillions of dollars a year move through the ACH Network for bill payments, credit card payments, payroll and other transfers.
Most merchants are aware of the PCI DSS (Payment Card Industry Data Security Standard). Knowledge of the NACHA (National Automated Clearing House Association) Operating Rules that govern ACH is equally important, because card-data controls do not automatically cover bank account and routing numbers.
Listed below are the ACH security requirements that merchants must adhere to:
1. NACHA Security Framework
To protect ACH data, the NACHA Operating Rules include a security framework that merchants and their providers must build their security policy around. Key points in the framework include:
- Non-consumer Originators, Third-Party Service Providers, Third-Party Senders and Participating DFIs must establish, implement and keep updated the security policies, procedures and systems used to initiate, process and store entries, including the ongoing protection of the banking information gathered for those purposes.
- During the annual compliance audit, Third-Party Senders, Third-Party Service Providers and Participating DFIs must be able to demonstrate that those policies, procedures and systems have been established, implemented and kept updated as the rules require.
- Before entering into an Origination Agreement, an ODFI must use commercially reasonable methods to establish the identity of each Third-Party Sender or non-consumer Originator.
- The merchant's own policy should therefore: protect sensitive data (account numbers, routing numbers and the files that carry them); verify the Third-Party Senders and Originators it works with; and include a self-assessment against the NACHA Operating Rules when the ACH payments security framework is set up and whenever it changes.
2. Secure Data Transmission
Any banking information transmitted for ACH payments (account numbers, routing numbers, NACHA files) must be encrypted with strong, industry-standard cryptography: TLS for data in transit and a modern cipher such as AES for data at rest. The NACHA rules require banking information sent over an unsecured electronic network to be encrypted using commercially reasonable encryption technology, so plaintext email, FTP and similar channels are a rules violation as well as a security risk.
For any communication with customers or other contact points that has to carry banking information, use encrypted email or a secure portal rather than plaintext email.
3. Validation of the routing number
Merchants must validate the routing number before an entry is submitted to the ACH Network. The first check is the ABA check digit (a mod-10 algorithm over the nine digits), which catches typos and most transpositions; the second is matching the incoming routing number against a current directory of routing numbers held in the system, since a number can be well-formed and still belong to no institution.
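The two checks described above, written out as an added example (this is not code from the article): the ABA check-digit algorithm weights the nine digits 3, 7, 1, 3, 7, 1, 3, 7, 1 and requires the weighted sum to be a multiple of 10, and the directory lookup rejects anything not already known to the system. The routing numbers and the directory are constructed for the example and belong to no real institution; the leading-prefix ranges are assumed from the published ABA numbering scheme.

```python
"""Routing number validation for ACH entries (added example, not from the article)."""
import re

ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)

# Constructed directory for this example: 123456780 satisfies the checksum
# but is not a real institution. A real directory would be loaded from the
# Federal Reserve's routing directory or the ODFI's feed and refreshed regularly.
KNOWN_ROUTING_NUMBERS = frozenset({"123456780"})

# Leading two-digit ranges a routing number can carry (assumed from the ABA
# numbering scheme: 00-12 Fed districts, 21-32 thrifts, 61-72 electronic, 80).
VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))


def aba_checksum_ok(rtn: str) -> bool:
    """True if the nine-digit string passes the ABA mod-10 check digit."""
    if not re.fullmatch(r"\d{9}", rtn):
        return False
    total = sum(int(d) * w for d, w in zip(rtn, ABA_WEIGHTS))
    return total % 10 == 0


def prefix_ok(rtn: str) -> bool:
    """True if the first two digits fall in one of the assumed ABA prefix ranges."""
    prefix = int(rtn[:2])
    return any(lo <= prefix <= hi for lo, hi in VALID_PREFIX_RANGES)


def validate_routing_number(raw: str, directory=KNOWN_ROUTING_NUMBERS):
    """Normalise the input, check structure and checksum, then confirm it is known.

    Returns (accepted, reason). Structural failures are rejected first so that a
    malformed value never reaches the code that builds the ACH file.
    """
    rtn = re.sub(r"[\s-]", "", raw)  # tolerate "1234-5678-0" style user input
    if not re.fullmatch(r"\d{9}", rtn):
        return False, "routing number must be exactly nine digits"
    if not aba_checksum_ok(rtn):
        return False, "ABA check digit failed (likely typo or transposition)"
    if not prefix_ok(rtn):
        return False, "prefix is outside the ABA routing number ranges"
    if rtn not in directory:
        return False, "routing number not found in the known-institution directory"
    return True, "ok"


if __name__ == "__main__":
    # 123456789 is a single-digit typo of a valid number; 132456780 is a
    # transposition of its first two digits; both are caught by the check digit.
    for sample in ("123456780", "123456789", "132456780", "12345678", "990000000", "120000003"):
        print(sample, validate_routing_number(sample))
```

Note that the check digit only tells you the number is well-formed: 120000003 passes the checksum and the prefix test yet is rejected because it is not in the directory, which is the case the directory match exists for.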
4. Verifying Identity
The ACH rules require merchants to take commercially reasonable steps to verify the identity of customers who authorize a telephone (TEL) or internet (WEB) entry. For telephone transactions, identity can be verified with information such as a Social Security number or driver's license number, or by other suitable methods; these identifiers are themselves sensitive and must be stored under the same protection as the banking data.
For web transactions, user ID and password authentication can be used, ideally with a second factor, since a password alone is the credential most often phished. Tracking the IP addresses a customer usually logs in from, and challenging logins from unfamiliar ones, is another useful identity check.
A KYC (Know Your Customer) policy helps to build a strong identity verification system: with the KYC information on file, it becomes easier to identify customers and to confirm that the person authorizing a debit is the account holder.
5. Detection of Fraudulent Activities
Today a large share of customers pay online for convenience. To stop attackers who use stolen bank account details or compromised customer accounts to run illegal transactions, a robust fraud monitoring system should be in place. It should watch the payment system continuously, flag suspicious activity (unusual amounts, bursts of debits, a new bank account or an unfamiliar IP address on an established customer) and trigger prompt action, such as holding the entry for review, before the ACH file is released.
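A minimal rule-based monitor of the kind the paragraph calls for, as an added example (not code from the article or from any vendor): each debit is scored for velocity, for an amount far outside the customer's own history, for a large debit from a bank account the customer has never used, for one IP address cycling through many bank accounts (account testing with stolen details), and for an unfamiliar IP on an established customer. The thresholds, the customer names, the IP addresses and the transactions are all constructed for the example.

```python
"""Rule-based ACH debit fraud monitoring (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Entry:
    ts: datetime
    customer: str
    routing: str
    account_tail: str  # last four digits only; the monitor never needs the full number
    amount: float
    ip: str


@dataclass
class Alert:
    entry: Entry
    reasons: list = field(default_factory=list)


# Thresholds are assumed values for the example; tune them against real loss data.
WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3        # a 4th debit by one customer inside WINDOW -> alert
AMOUNT_MULTIPLIER = 5.0   # amount above 5x the customer's historical mean -> alert
LARGE_AMOUNT = 1000.0     # "large" when paired with a never-seen funding account
ACCOUNT_TEST_LIMIT = 3    # 3+ distinct bank accounts from one IP inside WINDOW -> alert


class FraudMonitor:
    def __init__(self):
        self.by_customer = defaultdict(list)  # customer -> [Entry]
        self.funding = defaultdict(set)       # customer -> {(routing, account_tail)}
        self.by_ip = defaultdict(list)        # ip -> [(ts, (routing, account_tail))]

    def evaluate(self, e: Entry) -> Optional[Alert]:
        reasons = []
        hist = self.by_customer[e.customer]
        dest = (e.routing, e.account_tail)

        # 1. velocity: too many debits from one customer in a short window
        recent = [h for h in hist if e.ts - h.ts <= WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:
            reasons.append(f"velocity: {len(recent) + 1} debits within {WINDOW}")

        # 2. amount anomaly against the customer's own baseline
        if hist:
            baseline = mean(h.amount for h in hist)
            if e.amount > AMOUNT_MULTIPLIER * baseline:
                reasons.append(f"amount {e.amount:.2f} is {e.amount / baseline:.1f}x the customer's mean")

        # 3. established customer suddenly paying a large amount from a new bank account
        if hist and dest not in self.funding[e.customer] and e.amount >= LARGE_AMOUNT:
            reasons.append("large debit from a bank account not previously used by this customer")

        # 4. account testing: one IP presenting many different bank accounts
        recent_ip = {d for ts, d in self.by_ip[e.ip] if e.ts - ts <= WINDOW}
        recent_ip.add(dest)
        if len(recent_ip) >= ACCOUNT_TEST_LIMIT:
            reasons.append(f"account testing: {len(recent_ip)} distinct bank accounts from {e.ip}")

        # 5. unfamiliar IP, only escalated when another rule already fired (limits false positives)
        known_ips = {h.ip for h in hist}
        if reasons and known_ips and e.ip not in known_ips:
            reasons.append(f"unfamiliar source IP {e.ip} for this customer")

        # Record only after scoring, so an entry cannot vouch for itself.
        hist.append(e)
        self.funding[e.customer].add(dest)
        self.by_ip[e.ip].append((e.ts, dest))
        return Alert(e, reasons) if reasons else None


def run(entries) -> list:
    """Score entries in time order and return the alerts raised."""
    monitor = FraudMonitor()
    alerts = []
    for e in sorted(entries, key=lambda x: x.ts):
        a = monitor.evaluate(e)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample traffic: routing numbers, names and IPs are not real.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_ENTRIES = [
    # alice: a normal monthly pattern, then a large debit from a new account and a new IP
    Entry(T0, "alice", "120000003", "1111", 45.00, "10.0.0.5"),
    Entry(T0 + timedelta(days=30), "alice", "120000003", "1111", 50.00, "10.0.0.5"),
    Entry(T0 + timedelta(days=60), "alice", "123456780", "9999", 1200.00, "203.0.113.9"),
    # bob: one IP trying four different bank accounts within six minutes
    Entry(T0 + timedelta(days=1, minutes=0), "bob", "123456780", "0001", 1.00, "198.51.100.7"),
    Entry(T0 + timedelta(days=1, minutes=2), "bob", "123456780", "0002", 1.00, "198.51.100.7"),
    Entry(T0 + timedelta(days=1, minutes=4), "bob", "123456780", "0003", 1.00, "198.51.100.7"),
    Entry(T0 + timedelta(days=1, minutes=6), "bob", "123456780", "0004", 1.00, "198.51.100.7"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_ENTRIES):
        print(alert.entry.customer, alert.entry.ts, alert.reasons)
```

On the sample data the monitor raises three alerts: bob's third and fourth attempts (account testing, then velocity as well) and alice's 1200.00 debit (amount anomaly, new funding account and unfamiliar IP together). In production the alert would hold the entry out of the ACH file for review rather than just printing it.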