ACH (Automated Clearing House) is a nationwide computer-based network that electronically processes transactions between financial institutions, such as banks, that participate in it.

As with any type of financial transaction, such as checks, credit cards and debit cards, various security measures must be used with ACH to ensure against fraud. These are required by NACHA (the National Automated Clearinghouse Association), the organization that administers ACH payments.

Here is an overview of the security requirements for using ACH.

  1. NACHA requires that all participants in the ACH process implement processes and controls to protect sensitive ACH data and to put access controls into place to safeguard this data. This includes merchants’ financial information as well as other sensitive information such as social security numbers.
  2. NACHA requires that any transmission of banking information, such as a customer’s bank account and routing number, be encrypted using “commercially reasonable” encryption technology if transmitted via an unsecured network, like the Internet.
    1. This means that an ACH participant is not allowed to send bank account information via non-encrypted email or to place it on an insecure web form. Accordingly, any third-party software solutions for ACH must use reliable encryption.
  3. NACHA requires that anyone originating a transaction must use “commercially reasonable” steps to ensure the validity of the routing numbers that they are entered into the ACH network.
    1. Typically, a small business will not need to implement this type of solution itself, as many reputable third-party solutions will include this type of validation.
  4. NACHA requires that the originator, for any transactions initiated over the phone or from the Web use “commercially reasonable” means to verify the identity of the customer. This is because, for ACH transactions, there is no additional layer of security. For example, the three-digit number found on the back of a credit card. There are several ways in which a merchant can verify the identity of a customer, including the use of a Social Security number, a driver’s license, or a combination of a user ID, password and known IP address.
  5. NACHA requires that the originator of a transaction use “commercially reasonable” methods to identify fraudulent transactions in advance, to prevent them from being submitted for ACH processing.