Nacha Updates Operating Rules & Guidelines: Supplementing Data Security Requirements for ACH Payments

Quick Hits

• Requires electronically stored ACH account numbers to be protected by rendering them unreadable.
• Phase 2 goes into effect June 30, 2022.
• Phase 2 applies to ACH originators and third parties (including merchants, billers, businesses, and governments) that process more than 2 million ACH payments per year.
• Must use commercially reasonable methods for data protection such as tokenization, encryption, truncation, masking, or hosted storage.

In late 2019, Nacha supplemented its existing Security Framework for the ACH Network with a new rule applying to all merchants, billers, businesses, governments, and third parties that send 2 million or more ACH payments per year. The rule was expected to roll out in two phases, with the first affecting parties sending 6 million or more ACH payments per year and the second affecting parties sending 2 million or more.

Phase one was supposed to begin in 2020 with phase two following in 2021, but the original effective date for the rule was extended by one year for both phases, meaning phase one began June 30, 2021, and phase two on June 30, 2022. This extension comes in response to requests for additional time to comply with the requirements included in the new rule.

What is the new Nacha rule for ACH data security?

The rule, as explained on Nacha’s website, expands the current ACH Security Framework rules to explicitly require large senders of ACH payments—2 million or more annual transactions—to protect account numbers by rendering them unreadable when stored electronically. Another way to think about this update is that Nacha is updating its ACH Security Framework rules to more closely align with the existing language in the Payment Card Industry Data Security Standard (PCI DSS).

What does the rule NOT cover?

The new rule exclusively applies to ACH account numbers. This means neither data beyond the account number nor payment methods other than ACH is covered by this rule. Also, it does not require a specific method of protection for account numbers, only that the data be rendered unreadable if stored. It does, however, suggest several protection methods it deems acceptable: tokenization, encryption, truncation, masking, and hosted storage.

Although this new rule does not require it, we recommend protecting all other types of sensitive data in your possession as well to avoid potential compliance issues with PCI DSS, CCPA, GDPR, and any future regulations that may come to pass. Organizations can leverage tokenization with TokenEx to enable the protection of multiple data elements for the sake of Nacha compliance, PCI DSS compliance, and more while maintaining the business utility of their sensitive data.

How are these new ACH security requirements different from the current Operating Rules & Guidelines? 

The new rules differ from the existing Operating Rules & Guidelines by specifically requiring large non-financial institution originators, third-party service providers, and third-party senders to protect deposit account information by ensuring the data cannot be read if stored electronically.

Although the current rule requires some parties involved in an ACH transaction to obscure electronically stored DPI, it does not explicitly require non-financial institution originators, third-party service providers, and third-party senders to do so.

Why are these new ACH payment requirements important? 

The Nacha updates are important because they are another step in a long-term plan to better secure and accommodate consumer data in light of evolving technologies and payment types. The fact that these updates are aligning with the requirements of the PCI DSS helps create an industry standard for protecting all types of payment information. Further, introducing a consistent set of rules should help organizations more easily comply with both regulatory frameworks.

What can my organization do to prepare for these ACH security framework changes?

For those looking to prepare, there are steps organizations can take to make sure they are ready for the upcoming rule.

• Identify your total ACH payment volume to see which phase of the rule applies to you so you can be sure to comply by the appropriate date.
• All systems that store account numbers used for ACH payments should be identified as soon as possible.
• Determine how current account numbers are being protected and what your current data security capabilities are.
• Begin a discussion with internal or partner IT staff to determine necessary upgrades and/or forms of implementation.
• Find payments and technology vendors to compare different protection methods and see what works best for your specific use cases.

How can TokenEx Help My Organization?

Protecting your data with tokenization helps your organization in more ways than one. Not only can it help to more easily meet your requirements for Nacha compliance and PCI DSS compliance, but it can also help ensure you’re properly complying with international privacy regulations such as GDPR and CCPA. This is because tokenization can protect any structured data set by removing sensitive values from your environment and replacing them with nonsensitive placeholders. As a result, tokenization removes the systems that were previously storing sensitive data from the scope of compliance while still maintaining the business utility of that data.

Now that you are aware of Nacha’s Supplementing Data Security Requirements and the new deadlines for compliance, you’ll want to find a provider capable of meeting your organization’s unique business and accommodating that can meet your organization’s unique business needs and accommodating its technical processes. TokenEx can help you address these security and compliance concerns while providing the flexibility and simplicity required to promote positive business outcomes.

To learn more about the positive business outcomes TokenEx can enable for your organization, contact us for a demo today!