What are the NACHA Operating Rules and ACH Information Security Requirements?
ACH (Automated Clearing House) refers to the automation of the clearance process for transferring payments from one party to another. This process is carried out by financial institutions called clearing houses, which are essentially middlemen that manage transactions to ensure funds are exchanged appropriately and agreements are followed. To accomplish this, NACHA’s Operating Rules and Guidelines define and establish the roles and responsibilities of each party involved in an ACH transaction.
The ACH rules for information security requirements explain that financial institutions, originators, third-party senders, and third-party service providers are required to establish, implement, and update, as appropriate, security policies, procedures, and systems related to the initiation, processing and storage of ACH transactions. The policies must protect the confidentiality, privacy, and integrity of “protected information,” which is equivalent to personally identifiable information (PII) within the context of ACH entries. The policies must also protect against unauthorized use of, and anticipated threats to, protected information that may cause harm to individuals.
Over the years, NACHA’s Operating Rules and Guidelines have evolved to better secure and accommodate changing technology and payment types. Recently, NACHA amended these guidelines with a set of supplementing data security requirements that mandate the secure storage of account numbers used in ACH transactions, "rendering them unreadable when stored electronically." This language is based on the Payment Card Industry Data Security Standard’s (PCI DSS) requirements for the protection of the Primary Account Number (PAN). As NACHA standards continue to be amended to keep pace with evolving consumer behaviors and payment technologies, it’s important for organizations to remain flexible and ready to update their compliance practices and policies when necessary.
How to Abide By NACHA Compliance Rules
Because ACH payments are sent via batch processing and contain payment data similar to what is found in credit card payments, they can be secured and desensitized by tokenization in much the same way. In a typical payment card transaction, the primary account number (PAN) and other applicable cardholder data are tokenized, whereas in an ACH payment, the bank account number and consumer-level data (such as names and Social Security numbers) are tokenized. For information about this use case, check out our solution page for PCI DSS compliance.
So, although the data is different, the overall process of protecting ACH transactions is the same as the one for protecting credit card transactions. Tokenized data is obfuscated and easy to store until the original sensitive data is needed, at which point the placeholder token will be exchanged and the ACH data returned. Tokenization can help simplify NACHA compliance, as well as significantly reduce the risk of ACH data theft. TokenEx specifically can work with any processor, payment gateway, or third-party provider. This capability for multiple integrations can increase the freedom and flexibility of your internal operations, fueling greater redundancy and infrastructure growth by enabling you to focus on reaching new markets—without the need to devote additional time and internal resources to satisfying the NACHA compliance rules.
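To make the tokenization step concrete, here is an added example (not TokenEx's code or API) of a minimal token vault in Python: the bank account number is swapped for a random token before the ACH record is stored, so the record at rest holds nothing reversible, and the original is recovered only by asking the vault. The class and function names are hypothetical, and the in-memory dictionaries stand in for what would be a separate, access-controlled vault service.

```python
import hmac
import hashlib
import json
import secrets


class TokenVault:
    """Minimal in-memory token vault, constructed for illustration only.

    The vault is the only place the real account number lives; the
    application's own records hold just the token. A production vault
    is a separate, access-controlled service, not an in-process dict."""

    def __init__(self):
        # Key for the lookup index, so the vault never indexes by the raw value.
        self._index_key = secrets.token_bytes(32)
        self._by_token = {}
        self._by_index = {}

    def _index(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, account_number):
        """Return a token for the account number; repeat calls return the same token."""
        idx = self._index(account_number)
        if idx in self._by_index:
            return self._by_index[idx]
        # Random token: nothing in it can be reversed into the account number.
        token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = account_number
        self._by_index[idx] = token
        return token

    def detokenize(self, token):
        """Exchange a token for the original account number (KeyError if unknown)."""
        return self._by_token[token]


def store_ach_entry(vault, routing, account, amount_cents):
    """Build the record kept at rest: account number replaced by its token."""
    return {
        "routing_number": routing,  # identifies the bank, not the consumer's account
        "account_token": vault.tokenize(account),
        "amount_cents": amount_cents,
    }


def record_exposes_account(record, account):
    """True if the raw account number appears anywhere in the serialized record."""
    return account in json.dumps(record)
```

Detokenization happens only when the ACH file is actually built, which is the point at which the page says the placeholder token is exchanged for the real data.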