June 14, 2022
Encryption, Regulatory Compliance

NACHA Security Rules: A Race Against the Clock to Meet Data Security Requirements

In 2021, the Automated Clearing House Network (ACH) experienced significant growth, processing an unprecedented 5.3 billion B2B payments, a 20.4% increase in volume compared to the prior year. This uptick in electronic payments comes on the heels of new data security rules put forth by the National Clearing House Association (NACHA), the body responsible for governing electronic payment systems between virtually every bank and credit union account in the United States. The supplementing data security requirements call for greater security measures, specifically around the encryption of sensitive data. These new requirements are part of Nacha’s long-term objective not only to grow the ACH network, but also to ensure that the massive amounts of data moving through the system remain safe from exfiltration. With the second and final phase of the supplementing data security requirements quickly approaching, here is what you need to know ahead of the June 30, 2022, deadline.

Nacha and the ACH Network 

In the United States, the ACH is used by consumers, businesses, and government entities to facilitate and process the electronic transfer of funds. This network is overseen and governed by the Nacha Operating Rules, a set of standards and guidelines developed to ensure the smooth operation of all electronic payments. In recent years, the evolution of Nacha’s security framework has called for greater security measures as it moves to accommodate modern technologies and become more closely aligned with PCI DSS (Payment Card Industry Data Security Standard), another authority governing the electronic and digital payments space. Both PCI DSS and the Nacha rules share common guidelines to help organizations secure sensitive payment information.

Supplementing Data Security Requirements

Expanding upon the original ACH Security Framework established in 2013, Nacha put forth additional data protection requirements around the storage of sensitive financial data. Specifically, this rule calls for ACH account numbers to be made unreadable when stored electronically by large non-financial institution originators, third-party service providers, and third-party senders with a high volume of ACH transactions.

The rule amends Article One, Section 1.6 (Security Requirements) to require each non-consumer originator that is not a participating Development Financial Institution (DFI), each third-party service provider, and each third-party sender, whose ACH origination or transmission volume exceeds 6 million entries annually to protect DFI account numbers used in the initiation of entries by rendering them unreadable when stored electronically.

While immediate conformity is recommended, the deadline for compliance was rolled out in two phases:

  1. Phase 1: as of 6/30/21, the rule applies to merchants, billers, businesses, governments, and third parties that in 2020 or beyond sent 6 million or more ACH payments per year
  2. Phase 2: as of 6/30/22, the rule applies to parties that in 2020 or beyond sent 2 million or more ACH payments per year

Nacha has also defined the scope of this rule to include any location where ACH account numbers are stored. Notably, this applies to physical documents such as paper authorizations or other documents containing ACH account numbers that are scanned and stored digitally for electronic record retention purposes. Institutions subject to the Nacha Operating Rules must ensure they know what data they have, where it is stored, and who has access to it. This is a significant undertaking, given the massive volumes of digital documents and their many storage locations.

How Encryption Enhances Security and Compliance  

Nacha’s latest mandate requires account numbers to be unreadable and suggests the following commercially available methods to achieve compliance: encryption, truncation, masking, tokenization, destruction, and hosted storage solutions.

Nacha suggests that these new mandates are in line with other security regulations in the payments space such as the PCI DSS, which includes specific requirements for protecting data at rest.

Even more importantly, the ruling specifies that access controls, including passwords used to secure ACH-related data at rest, do not meet the new standard. Even with the use of various security controls and restricted access, the electronic data at rest must still be rendered unreadable.

In effect, the new rule aims to reduce the threat of data theft and exfiltration when an unauthorized individual gains access to the data or a breach leaves it exposed. For this reason, any security method that is linked to user credentials or grants access via a password would not comply.

Multifactor Encryption for Nacha Compliance

Multifactor encryption is inspired by the concept of multifactor authentication (MFA), in which authorized users are required to provide at least two distinct pieces of evidence that authenticate who they are before being granted access to a system. In multifactor encryption, the encryption key is broken into multiple shards, requiring at least two devices to open an encrypted file: for example, a laptop and a mobile device, or a laptop and a Key Shard Server. The similarities end here, as multifactor encryption always keeps data protected, while the role of MFA is to protect against credential compromise rather than to secure the sensitive data that adversaries aim to exfiltrate.

Implementing multifactor encryption guarantees a superior level of file protection, eliminating:

  1. Dependency on IAM, removing the threat of file exfiltration in the event of compromised passwords.
  2. Central key servers as a single point of failure through a decentralized key management architecture.

Files protected with multifactor encryption leverage threshold cryptography to split encryption keys and distribute the (encrypted) key shards among two or more devices. Encrypted files can be decrypted only when the key is reconstituted from the respective devices in the possession of the authorized user. This means that to access a file protected with multifactor encryption, threat actors need both physical and digital access to multiple devices belonging to the same user.
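The key-splitting idea described above can be shown with Shamir secret sharing, a standard threshold scheme. This is an added example, not Atakama's code, and the article does not say which scheme the product uses; the function names, the 2-of-3 layout and the device names are assumptions.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; the field must be larger than a 256-bit key

def split_key(key: bytes, threshold: int, count: int):
    """Return `count` shards (x, y); any `threshold` of them rebuild `key`."""
    if not 2 <= threshold <= count:
        raise ValueError("need 2 <= threshold <= count")
    # Random polynomial of degree threshold-1 with the key as constant term.
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(threshold - 1)]
    shards = []
    for x in range(1, count + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            y = (y * x + c) % P
        shards.append((x, y))
    return shards

def interpolate_at_zero(shards) -> int:
    """Lagrange interpolation at x = 0 over the supplied shards."""
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    total = 0
    for xi, yi in shards:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover_key(shards, key_len: int = 32) -> bytes:
    """Rebuild the key; too few shards yield an unrelated field element."""
    value = interpolate_at_zero(shards)
    if value >= 1 << (8 * key_len):
        raise ValueError("shards do not reconstruct a key of this length")
    return value.to_bytes(key_len, "big")

# Constructed sample: a random 256-bit file key split 2-of-3 across
# hypothetical holders (laptop, phone, key shard server).
file_key = secrets.token_bytes(32)
laptop, phone, shard_server = split_key(file_key, threshold=2, count=3)
assert recover_key([laptop, phone]) == file_key
assert recover_key([phone, shard_server]) == file_key
```

A single shard is one point on a random line, so on its own it is consistent with every possible key; the stored file stays unreadable until a second holder contributes its shard.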

Atakama for Encrypting Data at Rest and Nacha Compliance

Atakama is a multifactor encryption solution that operates completely independently of IAM. The flexible, easy-to-deploy solution enables companies to mature their defense-in-depth security strategy and achieve industry compliance standards such as Nacha. Once deployed, organizations will immediately benefit from Atakama’s granular, multifactor level of security without interference in day-to-day operations.

Using Atakama’s multifactor encryption solution means your sensitive and regulated data always stays protected even if threat actors manage to breach your perimeter security by compromising user credentials.

Contact us for a demo and more information about how Atakama can help your organization protect sensitive ACH information and meet Nacha compliance requirements today.
