New Nacha supplementing data security requirements coming up

by Thomas Gloerfeld, March 23, 2021

The National Clearing House Association (Nacha)

Nacha is a non-profit organization that convenes hundreds of diverse organizations to enhance and enable electronic payments and financial data exchange within the U.S. and across geographies. Through the development of rules, standards, governance, education, advocacy, and in support of innovation, Nacha's efforts benefit the providers and users of those systems. Nacha leads groups focused on API standardization, authors the Quest Operating Rules for EBT, and is the steward of the ACH Network, a payment system that universally connects all U.S. bank accounts and facilitates the movement of money and information. In 2020, nearly 27 billion payments and close to $62 trillion in value moved across the ACH Network.

Nacha is funded by the financial institutions it governs. The ACH Network serves as a network for direct consumer, business, and government payments and annually facilitates billions of payments such as direct deposit and direct payment. The ACH Network is governed by the Nacha Operating Rules, a set of rules that guide risk management.

The ACH Network

The ACH Network electronically moves money and related payment information quickly and securely from any financial institution account to another. Nacha develops and administers the private sector Nacha Operating Rules for ACH payments, which define ACH Network participants' roles and responsibilities. Nacha continues to safely grow and enhance the use of ACH payments through collaboration and innovation.

Nacha provides many services that support the use of the ACH Network.

Nacha operating rules

The Nacha Operating Rules are the foundation for every ACH payment.
By defining financial institutions' roles and responsibilities and establishing clear guidelines for each Network participant, the Rules ensure that millions of payments occur smoothly and easily each day.

Supplementing data security requirements

The existing ACH Security Framework, including its data protection requirements, will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.

The new deadlines for the supplementing data security requirements are:

Phase 1 of the Rule applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually and is effective on June 30, 2021.

Phase 2 of the Rule applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually and is effective on June 30, 2022.

Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.

Nacha Compliance by deploying PCI DSS standards?

Nacha requires ACH participants to render deposit account information unreadable when stored electronically. This requirement is very much in line with PCI DSS requirement 3.4, which requires the primary account number (PAN) to be rendered unreadable. In fact, Nacha states that utilizing one of these prescribed methods of data protection for ACH-related account numbers in such a manner as to be compliant with the standard would meet the commercially reasonable requirement for this Rule.

It should be noted that not all PCI DSS requirements need to be met. The ACH Security Framework, first implemented in 2013, includes data security rules beyond data at rest that also utilize the commercially reasonable standard. Utilizing PCI DSS standards may be a best practice when adhering to those Rules.
However, the Supplementing Data Security Rule only pertains to securing data at rest, which is currently covered by PCI DSS v3.2.1 requirements 3 (all) and 8.2.1.

Data-centric security for Nacha payments

Rather than trying to protect the deposit account data with perimeter security, i.e. preventing access to the data source, it is much more elegant and effective to protect the sensitive data element itself. Data-centric security protects the data by tokenizing the data element, rendering it unreadable and useless for any attacker while complying with the new supplementing data security requirements.

Find out more about data-centric protection in the ebook 'Data-centric protection explained'.

Thomas Gloerfeld

Thomas Gloerfeld is Director Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for over 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he manages all aspects of marketing for HPE NonStop solutions and comforte's NonStop partners. As part of his role, he closely monitors topics such as data security, risk and compliance, as well as digital transformation and connectivity.