The extended deadline for meeting Nacha’s Rule on protecting Account Numbers in ACH transactions is upon us: June 30, 2021. This rule already applied to most financial institutions, but now non-financial institutions, including Originators, Third-Party Service Providers, and Third-Party Senders, have to meet the rule if they had 6 million ACH transactions in 2019. Smaller entities that processed 2 million transactions during 2020 still have another year, until June 30, 2022.
What is at stake here is the security of the banking account numbers involved with moving money in or out of a bank account. This means that there are organizations right now that may not be protecting this data. The deadlines have been put in place by Nacha to ensure these transactions have the proper protections. The rule discusses using PCI DSS (Payment Card Industry Data Security Standard) as a guide for protecting Account Numbers in the same way that Cardholder Data is protected.
The most common approach is to encrypt or tokenize the data so that even if a hacker gains access to it, they will be unable to read or use it. Anyone who has a bank account should be happy to know that these security guidelines will be in place for those organizations that have not yet met these security standards. With Nacha reporting that ACH transaction volume hit 7.1 billion payments amounting to 17.3 trillion USD in the first quarter of 2021, it is clear there is plenty of account data to be protected.
Data-centric security for Nacha payments
Rather than trying to protect the deposit account data with perimeter security, i.e. preventing access to the data source, it is much more elegant and effective to protect the sensitive data element itself. Data-centric security protects the data by tokenizing the data element, rendering it unreadable and useless to any attacker while complying with the new supplementing data security requirements. Major retailers and financial organizations across the globe are already utilizing data-centric security to secure PANs in accordance with PCI DSS.