New Nacha Data Security Requirements Coming up

The National Clearing House Association (Nacha) is a non-profit organization that convenes hundreds of diverse organizations to enhance and enable electronic payments and financial data exchange within the U.S. and across geographies. Through the development of rules, standards, governance, education, advocacy, and in support of innovation, Nacha’s efforts benefit the providers and users of those systems. Nacha leads groups focused on API standardization, authors the Quest Operating Rules for EBT, and is the steward of the ACH Network, a payment system that universally connects all U.S. bank accounts and facilitates the movement of money and information. In 2020, nearly 27 billion payments and close to $62 trillion in value moved across the ACH Network.

Nacha is funded by the financial institutions it governs. The ACH Network serves as a network for direct consumer, business, and government payments and annually facilitates billions of payments such as direct deposit and direct payment. The ACH Network is governed by the Nacha Operating Rules, a set of rules that guide risk management.

The ACH Network

The ACH Network electronically moves money and related payment information quickly and securely from any financial institution account to another. Nacha develops and administers the private sector Nacha Operating Rules for ACH payments, which define ACH Network participants’ roles and responsibilities. Nacha continues to safely grow and enhance the use of ACH payments through collaboration and innovation.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Nacha provides many services that support the use of the ACH Network.

Nacha operating rules

The Nacha Operating Rules are the foundation for every ACH payment. By defining financial institutions’ roles and responsibilities and establishing clear guidelines for each Network participant, the Rules ensure that millions of payments occur smoothly and easily each day.

Supplemental data security requirements

The existing ACH Security Framework, including its data protection requirements, will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.

The new deadlines for the supplementing data security requirements are:

• Phase 1 of the Rule – applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, is effective on June 30, 2021.
• Phase 2 of the Rule – applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, is effective on June 30, 2022.

Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.

Nacha compliance by deploying PCI DSS standards?

Nacha requires ACH participants to render deposit account information unreadable when stored electronically. This requirement is very much in line with the PCI Requirement 3.4, which requires primary account numbers (PANs) to be rendered unreadable. In fact, Nacha states that utilizing one of these prescribed methods of data protection for ACH-related account numbers in such a manner as to be compliant with the standard would meet the commercially reasonable requirement for this rule.

It should be noted that not all PCI Requirements need to be met. The ACH Security Framework, first implemented in 2013, includes data security rules beyond data at rest that also utilize the commercially reasonable standard. Utilizing PCI DSS as a frame of reference may be a best practice when adhering to those rules. However, the Supplementing Data Security Rule only pertains to securing data at rest, which is currently covered by PCI DSS v3.2.1 3 (all) and 8.2.1.

Data-centric security for Nacha payments

Rather than trying to protect the deposit account data with perimeter security, i.e. prevent access to the data source, it is much more elegant and effective to protect the sensitive data element itself. Data-centric security protects the data by tokenizing the data element, rendering it unreadable and useless for any attacker and while complying with the new supplementing data security requirements. Major retailers and financial organizations across the globe are already utilizing data-centric security to secure PANs in accordance with PCI DSS.