NACHA Updates | Supplementing Data Security Requirements
Written by TokenEx
In late 2019, NACHA supplemented its existing Security Framework for the ACH Network with a new rule applying to all merchants, billers, businesses, governments, and third parties that send 2 million or more ACH payments per year. The rule was expected to roll out in two phases, with the first affecting parties sending 6 million or more ACH payments per year and the second affecting parties sending 2 million or more. Phase one was supposed to begin in 2020 with phase two following in 2021, but the original effective date for this new rule has recently been extended by one year for both phases, meaning phase one is to begin on June 30, 2021, and phase two on June 30, 2022. This extension comes in response to requests for additional time to comply with the requirements included in the new rule.
What is the new NACHA rule?
The rule, as explained on NACHA’s website, expands the current ACH Security Framework rules to explicitly require large senders of ACH payments—2 million or more annual transactions—to protect account numbers by rendering them unreadable when stored electronically. Another way to think about this update is that NACHA is updating its ACH Security Framework rules to more closely align with the existing language in the Payment Card Industry Data Security Standard (PCI DSS).
What does the rule NOT cover?
The new rule exclusively applies to ACH account numbers. This means data beyond the account number is not covered by this rule, nor are payment methods other than ACH. Also, it does not require a specific method of protection for account numbers, only that the data be rendered unreadable if stored. It does, however, suggest several protection methods it deems acceptable.
Although this new rule does not require it, we recommend protecting all other types of sensitive data in your possession as well to avoid potential compliance issues with PCI DSS, CCPA, GDPR, and any future regulations that may come to pass. Organizations can leverage tokenization with TokenEx to enable the protection of multiple data elements for the sake of NACHA compliance, PCI DSS compliance, and more while maintaining the business utility of their sensitive data.
How are these new requirements different from the current Operating Rules & Guidelines?
The new rules differ from the existing Operating Rules & Guidelines by specifically requiring large non-financial institution originators, third-party service providers, and third-party senders to protect deposit account information by ensuring the data cannot be read if stored electronically.
Although the current rule requires some parties involved in an ACH transaction to obscure electronically stored DPI, it does not explicitly require non-financial institution originators, third-party service providers, and third-party senders to do so.
Why are these new requirements important?
The NACHA updates are important because they are another step in a long-term plan to better secure and accommodate consumer data in light of evolving technologies and payment types. The fact that these updates are aligning with the requirements of the PCI DSS helps create an industry standard for protecting all types of payment information. Further, introducing a consistent set of rules should help organizations more easily comply with both regulatory frameworks.
What can my organization do to prepare for these changes?
For those looking to prepare, there are steps organizations can take to make sure they are ready for the upcoming rule.
- Identify your total ACH payment volume to see which phase of the rule applies to you so you can be sure to comply by the appropriate date.
- All systems that store account numbers used for ACH payments should be identified as soon as possible.
- Determine how current account numbers are being protected and what your current data security capabilities are.
- Begin a discussion with internal or partner IT staff to determine necessary upgrades and/or forms of implementation.
- Find payments and technology vendors to compare different protection methods and see what works best for your specific use cases.