Formed in 1974, the National Automated Clearing House (NACHA) regulates how automated clearing house (ACH) transactions should be performed and how ACH data should be safeguarded. These ACH rules are detailed in NACHA’s Operating Rules and Guidelines, which outline the specific processes and requirements for parties transmitting or receiving ACH data via the ACH network. Any entity that works with direct deposits, e-checks, electronic funds transfers (EFT), bank transfers, bank payments, or other similar types of electronic payments uses ACH data to initiate and complete these transactions. Therefore, these entities are subject to NACHA regulations and must comply with its operating rules and guidelines.
ACH refers to the automation of the clearance process for transferring payments from one party to another. This process is carried out by financial institutions called clearing houses, which are essentially middlemen that manage transactions to ensure funds are exchanged appropriately and agreements are followed. To accomplish this, NACHA’s Operating Rules and Guidelines define and establish the roles and responsibilities of each party involved in an ACH transaction.
The ACH rules for information security requirements explain that financial institutions, originators, third-party senders, and third-party service providers are required to establish, implement, and update, as appropriate, security policies, procedures, and systems related to the initiation, processing and storage of ACH transactions. The policies must protect the confidentiality, privacy, and integrity of “protected information,” which is equivalent to personally identifiable information (PII) within the context of ACH entries. The policies must also protect against unauthorized use of, and anticipated threats to, protected information that may cause harm to individuals.
Over the years, NACHA’s Operating Rules and Guidelines have evolved to better secure and accommodate changing technology and payment types. Recently, NACHA amended these guidelines with a set of supplementing data security requirements that mandate the secure storage of account numbers used in ACH transactions, "rendering them unreadable when stored electronically." This language is based on the Payment Card Industry Data Security Standard’s (PCI DSS) requirements for the protection of the Primary Account Number (PAN). As NACHA standards continue to be amended to keep pace with evolving consumer behaviors and payment technologies, it’s important for organizations to remain flexible and ready to update their compliance practices and policies when necessary.
Because ACH payments are sent via batch processing and contain payment data similar to what is found in credit card payments, they can be secured and desensitized by tokenization in much the same way. In a typical payment card transaction, the primary account number (PAN) and other applicable cardholder data are tokenized, whereas in an ACH payment, the bank account number and consumer-level data (such as names and Social Security numbers) are tokenized. For information about this use case, check out our solution page for PCI DSS compliance.
So, although the data is different, the overall process of protecting ACH transactions is the same as the one for protecting credit card transactions. Tokenized data is obfuscated and easy to store until the original sensitive data is needed, at which point the placeholder token will be exchanged and the ACH data returned. Tokenization can help simplify NACHA compliance, as well as significantly reduce the risk of ACH data theft. TokenEx specifically can work with any processor, payment gateway, or third-party provider. This capability for multiple integrations can increase the freedom and flexibility of your internal operations, fueling greater redundancy and infrastructure growth by enabling you to focus on reaching new markets—without the need to devote additional time and internal resources to satisfying the NACHA compliance rules.
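The exchange described above (sensitive value in, placeholder token out, token redeemed only when the real value is needed) is easy to see in code. The following is an added illustration of a minimal tokenization vault for ACH account numbers; it is not TokenEx's product or API. It assumes a hypothetical `ach_originator` role as the only caller allowed to detokenize, and it keeps the last four digits of longer account numbers as a display hint, which is a design choice rather than anything the page prescribes:

```python
import re
import secrets
from typing import Dict


class TokenVault:
    """Toy tokenization vault (added illustration, not TokenEx's own code).

    Tokens are random surrogates, not derived from the account number, so a
    leaked application database full of tokens reveals nothing without the
    vault itself. Only the vault maps a token back to the account number.
    """

    # Hypothetical role permitted to recover real account numbers (assumption).
    AUTHORIZED_ROLES = {"ach_originator"}

    def __init__(self) -> None:
        # token -> account number. In a real deployment this table lives in a
        # separate, access-controlled system and is encrypted at rest.
        self._store: Dict[str, str] = {}

    def tokenize(self, account_number: str) -> str:
        """Replace an account number with a random token and remember the mapping."""
        if not re.fullmatch(r"\d{4,17}", account_number):
            raise ValueError("ACH account numbers are 4-17 digits")
        # Keep the last four digits as a display hint only when the account
        # number is long enough that the hint does not disclose most of it.
        hint = account_number[-4:] if len(account_number) > 8 else "xxxx"
        token = f"tok_{secrets.token_hex(12)}_{hint}"
        self._store[token] = account_number
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Return the account number for a token, for authorized callers only."""
        if caller_role not in self.AUTHORIZED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        try:
            return self._store[token]
        except KeyError:
            raise LookupError("unknown token") from None


def store_ach_entry(vault: TokenVault, routing: str, account: str, amount_cents: int) -> dict:
    """Build the record the application database keeps for one ACH entry.

    The account number is replaced by its token; routing number and amount
    stay in the clear because they are not the protected element here.
    """
    record = {
        "routing": routing,
        "account_token": vault.tokenize(account),
        "amount_cents": amount_cents,
    }
    # Safeguard: the persisted record must never contain the raw account number.
    if account in " ".join(str(v) for v in record.values()):
        raise RuntimeError("raw account number leaked into stored record")
    return record


if __name__ == "__main__":
    # Constructed sample values; not real banking data.
    vault = TokenVault()
    entry = store_ach_entry(vault, "021000021", "123456789012", 12500)
    print("stored record:", entry)
    print("originator recovers:", vault.detokenize(entry["account_token"], "ach_originator"))
```

The application only ever persists `entry`, which carries the token; the real account number exists solely inside the vault, which is what "rendering them unreadable when stored electronically" looks like in practice for the systems outside the vault.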
With tokenization from TokenEx, you can secure and desensitize nearly any data element through a variety of acceptance channels. Our easy integration and ability to work with any endpoint allow you to add ACH data to your collection of tokenized payment types—with minimal disruption to your internal systems and business processes.
TokenEx's cloud-based tokenization can help protect your ACH data in preparation for any annual NACHA rules compliance audit you may be subjected to, while preserving the business utility of that data and the agility of your internal operations, not to mention virtually eliminating the risk of data theft.