The National Clearing House Association (Nacha)
Nacha is a non-profit organization that convenes hundreds of diverse organizations to enhance and enable electronic payments and financial data exchange within the U.S. and across geographies. Through the development of rules, standards, governance, education, advocacy, and in support of innovation, Nacha’s efforts benefit the providers and users of those systems. Nacha leads groups focused on API standardization, authors the Quest Operating Rules for EBT, and is the steward of the ACH Network, a payment system that universally connects all U.S. bank accounts and facilitates the movement of money and information. In 2020, nearly 27 billion payments and close to $62 trillion in value moved across the ACH Network.
Nacha is funded by the financial institutions it governs. The ACH Network serves as a network for direct consumer, business, and government payments and annually facilitates billions of payments such as direct deposit and direct payment. The ACH Network is governed by the Nacha Operating Rules, a set of rules that guide risk management.
The ACH Network
The ACH Network electronically moves money and related payment information quickly and securely from any financial institution account to another. Nacha develops and administers the private sector Nacha Operating Rules for ACH payments, which define ACH Network participants’ roles and responsibilities. Nacha continues to safely grow and enhance the use of ACH payments through collaboration and innovation.
Nacha provides many services that support the use of the ACH Network.
Nacha operating rules
The Nacha Operating Rules are the foundation for every ACH payment. By defining financial institutions’ roles and responsibilities and establishing clear guidelines for each Network participant, the Rules ensure that millions of payments occur smoothly and easily each day.
Supplementing data security requirements
The existing ACH Security Framework, including its data protection requirements, will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
The new deadlines for the supplementing data security requirements are:
- Phase 1 of the Rule – applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, is effective on June 30, 2021.
- Phase 2 of the Rule – applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, is effective on June 30, 2022.
Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.
Nacha Compliance by deploying PCI DSS standards?
Nacha requires ACH participants to render deposit account information unreadable when stored electronically. This requirement is very much in line with the PCI DSS requirement 3.4, which requires the primary account number (PAN) to be rendered unreadable. In fact, Nacha states that utilizing one of these prescribed methods of data protection for ACH-related account numbers in such a manner as to be compliant with the standard would meet the commercially reasonable requirement for this Rule.
It should be noted that not all PCI DSS requirements need to be met. The ACH Security Framework, first implemented in 2013, includes data security rules beyond data at rest that also utilize the commercially reasonable standard. Utilizing PCI DSS standards may be a best practice when adhering to those Rules. However, the Supplementing Data Security Rule only pertains to securing data at rest, which is currently covered by PCI DSS v3.2.1 3 (all) and 8.2.1.
Data-centric security for Nacha payments
Rather than trying to protect the deposit account data with perimeter security, i.e. prevent access to the data source, it is much more elegant and effective to protect the sensitive data element itself. Data-centric security protects the data by tokenizing the data element, rendering it unreadable and useless for any attacker and while complying with the new supplementing data security requirements.
Find out more about data-centric protection in the ebook ‘Data-centric protection explained’.