Security and the ACH Process

ACH (Automated Clearing House) is a nationwide, computer-based network. It electronically processes transactions between participating financial institutions. It is one of the fastest, most reliable ways for people and companies to transfer funds between bank accounts. Consequently, ACH transfers are one of the safest money transfer methods because they have the backing of federal law.

As with any type of financial transaction, such as checks, credit cards, and debit cards, security measures ensure against fraud. NACHA (the National Automated Clearinghouse Association), the organization that administers ACH payments, requires these security measures.

ACH Security Requirements

Here is an overview of the security requirements that we employ while processing ACH payments. 

• NACHA requires that all participants in the ACH process implement protocols and controls to protect sensitive data. This includes merchants’ financial information as well as other sensitive information such as Social Security numbers. 

• NACHA requires that any transmission of banking information, such as a customer’s bank account and routing number, is encrypted using “commercially reasonable” encryption technology if transmitted via an unsecured network, like the Internet.

“Commercially reasonable” merely means that these means are up to par with security best practices to thoroughly protect information. Essentially, this means that an ACH participant cannot send bank account information via non-encrypted email or place it on an insecure web form. Accordingly, any third-party software solutions for ACH must use reliable encryption.

• NACHA requires that anyone originating a transaction must use “commercially reasonable” steps to ensure the validity of the routing numbers that are entered into the ACH network. Typically, a small business will not need to implement this type of solution itself. Many reputable third-party solutions like VeriCheck will include this type of validation.

• NACHA requires that the originator must use “commercially reasonable” means to verify the identity of the customer for any transactions initiated over the phone or from the Web. Fortunately, there are several ways in which a merchant can verify the identity of a customer. These include the use of a Social Security number, a driver’s license, or a combination of a user ID, password, and known IP address.

• NACHA requires that the originator of a transaction use “commercially reasonable” methods of identification in advance in order to prevent the submission of fraudulent transactions for ACH processing. 

While there are many methods that secure the ACH process, NACHA has created a number of best practices. Such practices and protocols allow organizations such as VeriCheck to ensure security and confidence in any and all transactions made.

Contact us directly for more information.