ACH Security Requirements for Merchants

Many merchants have never even heard of the complex set of security guidelines and requirements set forth by the National Automated Clearinghouse Association, also called NACHA. Every business owner who accepts checks, debit cards, or credit cards in the store, over the phone, or via the internet has certainly heard of ACH, the Automated Clearinghouse Association, because it is the main organization that oversees such transactions.

But knowing about the existence of the organization and being aware of its stringent rules are two different matters.

If your company processes any ACH transactions via an automated system that sends data through the worldwide ACH electronic network, you are subject to the rules. For example, if you accept checks online, over the telephone, or at your store and then convert the check data into electronic pieces of data, you’re obliged to follow the NACHA rules.

Or, if you ever find yourself entering client bank data in order to complete a direct deposit or a simple payment, then your business is required to follow NACHA rules. As you’ll see in the detailed list of rules that follows, the data you enter must be encrypted in order to meet one of the several NACHA regulations.

The fact of the matter is that most merchants come under the sweep of the rules, except for those businesses that only use hard-copy checks to pay or accept payment. You’re also off the hook if you simply use apps that let you take photos of checks and deposit them that way. Those are not ACH transactions, so they don’t come under the regulations.

In all likelihood, you already have some kind of software program in place to process ACH transactions, have a merchant account with the ACH, and use a third-party service provider to obtain the software and maybe even training on it. If that’s the case, be sure to check out the following rules. They apply to you and there’s a chance you might be penalized if you don’t follow them.

Know the Security Requirements

In no particular order, the following rules for all NACHA transactions apply to any merchants who have NACHA accounts and regularly process transactions that fall under the authority of the organization. It’s smart to take time to read through and understand each one.

  • Construct and Outline a Security Program: There are actually two parts to this requirement. First, merchants must write a detailed outline of the security policy they intend to implement and keep it on file. That’s not considered too much of a challenge because most business owners are able to find example policies online and piece one of their own together from various sources.

    The second part is the biggest burden for merchants. This is called the “implementation” phase of the process, and it can be quite elaborate. For example, you must maintain secure transmission of sensitive data, secure storage of the data, and full protection of all confidential information pertaining to customers and their transactions.

    Further, it’s essential to have a standard identity verification routine in place to make sure that customers are who they claim to be. Owners who abide by every NACHA guideline are often pleasantly surprised to find that they have better relationships with customers when those customers feel as if their information is safe and secure at all times. The bottom line is to follow industry “best practices” in order to safeguard vital client data from the moment it comes into your purview.

    While merchants need not be technical experts, it’s important to be familiar with all the major pieces of transaction-related data. It helps, for example, to know the key differences between routing numbers and account numbers, the primary ways that banks identify customers who open new accounts.
  • Deal Correctly With Hard-Copy Documents: Some merchants collect various paper documents, aka “hard copies.” Many of these documents contain sensitive data like names, addresses, phone numbers, account numbers, social security numbers, and more. If your business collects any hard-copy docs that contain that type of data, regulations state that it’s up to you to be certain it gets stored securely.

    A common solution to this situation is to obtain a high-quality safe that is large enough to hold at least three months’ worth of documents. Once you have a safe, there’s another requirement: it’s your job to see that no one has access to the safe except for employees who have a need to work with the documents it contains. Maintain a log-in procedure so that anyone who gains entry, or attempts to gain entry, to the safe has their name recorded in the log.
  • Secure All Sources of Protected Information: Merchants must secure all sensitive customer data even before the data leaves the merchant’s location.
  • Create Secure Transmission Methods: All sensitive customer data that is transmitted must be sent via “commercially reasonable” means that include encryption of some kind.
  • Validate Routing Numbers: Merchants must use accepted and effective systems to make sure routing numbers are accurate.
  • Verify Identity: Whether transactions are over the phone, in person, or via web pages, merchants must employ “commercially reasonable” techniques to verify the identity of purchasers.
  • Detect Fraud: The short version of this rule is that all merchants must use software that includes strong anti-fraud capability, both for prevention and detection.

The Enforcement Process

Financial institutions can contact NACHA when they think there’s been a rules violation by a merchant. After that, NACHA looks at the alleged incident of wrongdoing, evaluates its accuracy or inaccuracy, and processes a report about it. The merchant is then contacted via encrypted email about the matter.

Finally, the merchant has the chance to respond, after which NACHA contacts the institution that originally filed the notice of violation and explains how the matter was resolved. Only two things can happen to a merchant who is found to be in violation: they can be fined or barred from using the ACH system to process transactions.

Benefits of Compliance

Of course, it can be a major pain to follow all the NACHA rules, but there are some rather significant benefits to doing so, including:

  • More Customers: If you accept more forms of payment and more credit and debit card types, you stand to ramp up your sales because anyone who walks through your door or visits your website will be able to make a purchase.
  • Protection From Fraud: NACHA compliance guides you to implement very strong anti-fraud procedures.
  • Respect of the Business Community: Your fellow merchants will admire you for going to the trouble of maintaining all the NACHA guidelines.
  • Better Relationships With Customers: Your regular customers will respect the fact that you work hard to maintain their data security and prevent their accounts from being compromised.

Doing What It Takes To Stay Compliant

It takes a lot to remain in compliance with NACHA’s strict rules. At Metro Payment Technologies, we have all the tools you need, including software, POS devices, customer support, and more. If you want your company to get in compliance or stay in compliance with merchant guidelines, give us a call at our toll-free number, 1-800-771-3719, or check out our website for more information about how we can help you deal with any kind of payment situation.