New data security rules enacted for US payment processing systems

New data security rules governing how money moves in the United States come into force today, requiring large electronic payment processors to render deposit account information unreadable when it is stored electronically.

Nacha (the National Automated Clearing House Association), the organization that adopted the rules, manages the ACH network, a payment system that handles direct deposits and direct payments for nearly all US bank and credit union accounts. The network processes a large share of the credit and debit transactions in the United States, covering consumer, business, and federal, state and local government payments.

According to NACHA, from June 30th, any consumer or business account number used for ACH payments that falls within the scope of the rule must be unreadable while it is stored electronically.

“This includes systems where authorizations are obtained or stored electronically, and databases or system platforms that support ACH entries. For example, for a financial institution or third-party service provider client, these include the platforms that handle ACH transaction warehousing and posting, and customer information reporting systems,” NACHA explained.

“For originators and their third-party service providers, accounts payable and accounts receivable systems are affected, as are other systems, such as an insurance company’s billing management system.”

The rule also applies to paper authorizations or other documents containing ACH account numbers that are scanned for electronic record retention.

In 2020, the ACH network handled approximately 27 billion payments worth nearly $62 trillion. In the first quarter of 2021 alone it processed $17.3 trillion, including 110 million economic impact payments delivered by direct deposit from the federal government.

The ACH network has grown significantly over the years. It set a record in February, when it averaged more than 118 million payments per day, and another in March, when ACH volume reached 2.7 billion payments, the largest monthly total ever.

To protect the data flowing through the system, Nacha requires ACH originators and third parties that process more than 6 million ACH payments annually to render the deposit account information they store electronically unreadable.

Suggested approaches include encryption, truncation, tokenization, and destruction of the data, or having a financial institution store, host, or tokenize the account numbers.

The first phase of the new rule came into effect on June 30, 2022, while the second phase, which covers organizations with an ACH volume of 2 million transactions or more per year, will come into effect on June 30, 2022.

Those required to comply first requested and were granted an extension in 2020. NACHA also said it would not enforce the rule “for eligible entities that are committed to compliance but require additional time to implement the solution, for an additional year from the effective date.”

“The new requirements apply to non-consumer originators that are not participating depository financial institutions (as defined in the Nacha Operating Rules), and to third-party senders and third-party service providers that perform ACH processing functions on behalf of an originator, third-party sender, ODFI, RDFI, or ACH operator,” NACHA said in a statement.

“Financial institutions are already subject to strict data security requirements imposed by their regulators and are therefore not included in the new requirement to make ACH account numbers unreadable when stored electronically.”

NACHA pointed out that access controls such as passwords do not meet the new standard. It added that disk encryption is an acceptable protection method only if additional prescribed physical security procedures are also in place.

Alex Pezold, CEO of TokenEx, said his company was recently named a NACHA Preferred Partner for ACH Data Security and is currently working with organizations to comply with the new rules.

“For ACH data, tokenization obscures deposit account information (usually bank account numbers and bank codes), which is an example of the technology NACHA refers to for meeting this new requirement,” Pezold said.

“This replaces the deposit account information with an irreversible token that can be safely stored in place of the original number, preventing data theft in the event of exposure. The motivation for this change is to increase the security and efficiency of the ACH network by building on existing requirements and introducing specific criteria for the protection of deposit account information stored by originators, third-party service providers, and third-party senders.”

Pezold said the specific fines and penalties are still uncertain, but an egregious violation (one involving at least 500 entries, or multiple entries totaling at least $500,000, that is intentional or reckless) carries a $500,000 fine per occurrence and suspension from the ACH network.

Some cybersecurity experts, such as Comforte AG’s product manager Trevor Morgan, say that the best way to comply with this rule is encryption or tokenization.

The new rules require organizations to know exactly what data they process, such as ACH account information, where it is stored, how it moves, and who has access to it.

“A complete solution to this problem requires protection methods such as tokenization, as well as broader capabilities for finding and classifying this type of information. Where is all your sensitive ACH data? Don’t assume you know!” Morgan said.

Oliver Tavakoli, CTO of Vectra, said similar rules have long been applied to banks and other financial institutions, but are now being applied to large users of banking services.

Tavakoli suggested that organizations either not retain the data at all or have a financial institution that is already set up to protect such data store it for them. Enterprises can also encrypt the data before storing it, truncate it so that only the last four digits of the account number are kept, or otherwise obscure the information.
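As an added example (not code from NACHA, TokenEx, Vectra or any other party named in this article), the Python below shows two of the approaches listed above, truncation to the last four digits and an irreversible keyed token, together with a check that the resulting stored record no longer contains the readable account number. The key, field names and sample routing and account numbers are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo key (all zeros). A real deployment keeps the key in an
# HSM/KMS, never beside the tokens: the account-number space is small enough
# that an UNKEYED hash could be brute-forced back to the number.
DEMO_TOKEN_KEY = bytes(32)

def normalize_account(account: str) -> str:
    """Strip separators and validate: ACH account numbers are 4-17 digits."""
    digits = re.sub(r"[\s-]", "", account)
    if not digits.isdigit() or not 4 <= len(digits) <= 17:
        raise ValueError("invalid ACH account number")
    return digits

def truncate_account(account: str) -> str:
    """Truncation: keep only the last four digits and mask the rest."""
    digits = normalize_account(account)
    return "*" * (len(digits) - 4) + digits[-4:]

def tokenize_account(routing: str, account: str, key: bytes = DEMO_TOKEN_KEY) -> str:
    """Irreversible keyed token (HMAC-SHA256) over the (routing, account) pair.

    The same pair always yields the same token, so records can still be matched
    for posting and reporting, but without the key the token cannot be turned
    back into the account number. Mixing in the routing number keeps identical
    account numbers at different banks from colliding.
    """
    msg = f"{routing}:{normalize_account(account)}".encode()
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()

def to_stored_record(routing: str, account: str) -> dict:
    """The record as it should sit at rest: no full account number in any field."""
    return {
        "routing": routing,  # routing numbers are public; no protection needed
        "account_token": tokenize_account(routing, account),
        "account_last4": truncate_account(account)[-4:],
    }

def record_is_unreadable(record: dict, account: str) -> bool:
    """Control check: the plaintext account digits must not appear in the record."""
    digits = normalize_account(account)
    return all(digits not in str(value) for value in record.values())

if __name__ == "__main__":
    rec = to_stored_record("021000021", "1234-5678-9012")  # constructed sample
    print(rec, "unreadable:", record_is_unreadable(rec, "123456789012"))
```

Vault-based tokenization, where a random token maps to the real number inside a separately protected store, is the other common form; the check function applies unchanged to either.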

According to Dirk Schrader, vice president of New Net Technologies, the new rules pushed by NACHA are more important than ever, as troves of such data are very often stored in clear text.

“Implementing this requirement is likely to be a problem for some financial institutions, depending on the data model,” Schrader said. “One solution could be based on an HSM, offloading much of the cryptographic work to specialized hardware.”

Other experts said NACHA had taken far too long to implement such a rule. John Bambenek, Netenrich’s threat intelligence advisor, said ACH transactions can be initiated simply by knowing someone’s account information.

“The fact that it is 2021 and the processors of this information are only now being required to have basic security is just an indication of how insecure our financial transaction system is,” Bambenek said.

“No doubt this has already been required by law and regulation for years, but I have to reiterate that many companies that handle large volumes of financial transactions show that they are committed to doing nothing at all to protect consumers until they are forced to.”
