Credit card users today can transact online with peace of mind because card-accepting merchants are subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was created by the major card brands to combat card fraud and has been maintained since 2006 by the PCI Security Standards Council they formed. It sets exacting requirements on how merchants store, process, and transmit cardholder data. Merchants that don't comply risk fines or even being cut off from the card networks.
Security is also a concern for bank payments. If anything, bank account numbers are even more sensitive than credit card numbers because they don't change: a compromised card can be reissued with a new number, while a compromised bank account usually has to be closed. In this post, we'll examine the impact of ACH payment fraud, describe upcoming compliance requirements, and share what we consider to be security best practices.
Sizing Bank Payments Fraud
Before diving into a solution, it's worth sizing the fraud problem. After all, bank transfers have historically been perceived as the most secure payment method. A Federal Reserve study found that ACH payments in 2015 had the lowest fraud rate of all US payment methods at 0.0008%. That works out to just 8 fraudulent cents for every $10,000 moved.
However, that perception is being tested as bank payment volume moves online. The most recent figures show ACH volume on the internet grew to $2.9 trillion in 2018, up 14.2% from the prior year. That same year, ACH was the only payment method to see an increase in fraud rates, according to research from the Association of Financial Professionals. The percentage of surveyed organizations that encountered ACH credit fraud spiked to 20%, up from 7% a year prior, and 33% had encountered ACH debit fraud, up from 28% a year prior.
So ACH fraud has risen sharply in recent years. What security rules are in place to combat this?
The NACHA Response
The closest analogue to PCI DSS is the ACH Security Framework Rule introduced in 2013 by NACHA, the ACH network's governing body. In a nutshell, the rule requires ACH network participants to "protect the confidentiality and integrity of [non-public personal information] until its destruction." Compliance is verified through an annual audit conducted by your Depository Financial Institution (DFI).
Large-scale ACH originators should know about an upcoming amendment to these rules that will require every non-DFI ACH originator, third-party sender, and third-party service provider to render bank account numbers unreadable when stored electronically. Note that the rule covers storage only; account numbers in transit, and in the ACH file itself, are out of scope. Its enforcement dates are staggered by transaction count:
- Entities with more than 6 million ACH payments annually must comply by June 30, 2021.
- Entities with more than 2 million ACH payments annually must comply by June 30, 2022.
A couple of things to note here. Firstly, with the history of PCI DSS as a guide, we predict that eventually all ACH participants will be required to render bank account information unreadable. Secondly, NACHA intentionally doesn't mandate any particular technique: encryption, truncation, tokenization, or simply not storing the number at all (for example, leaving it with your bank or a vendor) all satisfy the rule. We have a few recommendations.
Security Best Practices
Securing bank account information should be a foremost priority even if NACHA doesn’t prescribe how. We at Modern Treasury consider the following practices to be table stakes for businesses that accept bank payments:
- Use AES-256 for data at rest, in an authenticated mode such as GCM so that tampering is detected as well as reading prevented, and TLS 1.2 or later for data in transit. Create a process with your team to rotate keys every 90 days, and record the key version alongside each ciphertext so that a rotation never requires re-encrypting every record at once.
- Run internal and external vulnerability scans at least quarterly and after any significant change to your systems. Work with certified vendors to detect whether your systems are exposed to known vulnerabilities.
- Implement role-based access controls to limit which of your internal users can see sensitive information, and show masked values (last four digits) to everyone else. Keeping permissions on a need-to-know basis minimizes the attack surface of your system.
- Keep an audit trail of your internal users' read and write actions: who revealed or changed what, and when. Never write the full account number into the log itself. Here's an example of the one we shipped.
- Choose vendors with a current SOC 2 report. Any data breach that your external vendor suffers is a data breach that your business suffers. You can minimize that risk by requiring your vendors to pass an independent audit of their security practices.
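As an added illustration, not code from the original post or from Modern Treasury's product, here is a small Go program that applies three of the practices above to a stored account number: AES-256-GCM encryption under a versioned key ring, so a 90-day rotation leaves old records readable while new records pick up the new key; a masked view for users without need-to-know; and an audit entry for every reveal that never contains the full number. The KeyRing type, its layout, the actor name and the sample account number are assumptions for the example; in production the per-version keys would themselves be wrapped by a KMS or HSM rather than held in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyRing holds AES-256 data-encryption keys by version (assumed design).
// Rotate adds a new version and makes it current; older versions are kept
// so records sealed under them still decrypt and can be re-sealed lazily.
type KeyRing struct {
	keys    map[byte][]byte
	current byte
	Audit   []string // who revealed which (masked) account number
}

func NewKeyRing() (*KeyRing, error) {
	kr := &KeyRing{keys: map[byte][]byte{}}
	return kr, kr.Rotate()
}

// Rotate generates a fresh 32-byte key (AES-256) and makes it current.
func (kr *KeyRing) Rotate() error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = key
	return nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an account number under the current key with AES-256-GCM.
// Layout: version (1 byte) || nonce (12 bytes) || ciphertext || tag.
// The version is stored in clear so Open can pick the right key, and is bound
// into the tag as additional data so it cannot be swapped without detection.
func (kr *KeyRing) Seal(accountNumber string) ([]byte, error) {
	aead, err := gcm(kr.keys[kr.current])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{kr.current}, nonce...)
	return aead.Seal(out, nonce, []byte(accountNumber), []byte{kr.current}), nil
}

// Open decrypts a record sealed under any retained key version and records the
// reveal. The audit entry carries only the masked number, so the audit trail
// never becomes a second store of account numbers.
func (kr *KeyRing) Open(actor string, blob []byte) (string, error) {
	if len(blob) < 1 {
		return "", errors.New("empty ciphertext")
	}
	version := blob[0]
	key, ok := kr.keys[version]
	if !ok {
		return "", fmt.Errorf("unknown key version %d", version)
	}
	aead, err := gcm(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(blob) < 1+ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, blob[1:1+ns], blob[1+ns:], []byte{version})
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered data")
	}
	kr.Audit = append(kr.Audit, fmt.Sprintf("%s revealed %s", actor, Mask(string(pt))))
	return string(pt), nil
}

// Mask is what users without need-to-know see: the last four digits only.
func Mask(accountNumber string) string {
	if len(accountNumber) <= 4 {
		return strings.Repeat("*", len(accountNumber))
	}
	return strings.Repeat("*", len(accountNumber)-4) + accountNumber[len(accountNumber)-4:]
}

func main() {
	kr, _ := NewKeyRing()
	blob, _ := kr.Seal("000123456789") // constructed sample account number
	_ = kr.Rotate()                    // the scheduled 90-day rotation
	full, err := kr.Open("ops-admin", blob)
	fmt.Println(full, err, Mask(full), kr.Audit)
}
```

Because the key version travels with the ciphertext, rotation is a two-step job: add the new key, then re-seal old rows on read or in a background sweep and retire the old version once no rows reference it. A rotation scheme that overwrites the single key in place forces a downtime re-encryption and, if it fails midway, leaves rows that can no longer be decrypted.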
One More Thing
Here we’ve shared some thoughts on keeping bank account numbers out of the hands of attackers. Another thing to consider is whether you are paying and charging the right bank accounts in the first place. This is why bank account validation is so important. You should know who is taking custody of the funds you’re sending. NACHA is implementing an account validation rule that requires merchants to validate first-use consumer accounts, effective March 23, 2021.  Accepted account validation methods include:
- ACH prenotification
- ACH micro-transaction verification
- Third party validation services, e.g. Plaid
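As an added example, not code from the original post or from Modern Treasury's product, here is the server side of micro-transaction verification in Go: two random cent amounts are drawn, sent to the account as ACH credits (not shown), and later confirmed by the account holder. The Verification type, the three-attempt limit and the expiry window are assumptions for the example; the point is the edge cases a practitioner has to handle, namely unpredictable amounts, order-insensitive matching, a guess limit and a time limit.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verification is the server-side state for one pending micro-deposit check
// (assumed design). Amounts are whole cents; two deposits of $0.01-$0.99 each
// is the common pattern, which gives 4,950 distinct unordered pairs.
type Verification struct {
	Amounts   [2]int
	Attempts  int
	ExpiresAt time.Time
	Verified  bool
}

const maxAttempts = 3

var (
	ErrExpired = errors.New("verification window has expired; start over")
	ErrLocked  = errors.New("too many failed attempts; start over")
)

// Start draws the two amounts with crypto/rand. A seeded math/rand would let
// anyone who can guess the seed predict the deposits without seeing them.
func Start(now time.Time, ttl time.Duration) (*Verification, error) {
	v := &Verification{ExpiresAt: now.Add(ttl)}
	for i := range v.Amounts {
		n, err := rand.Int(rand.Reader, big.NewInt(99))
		if err != nil {
			return nil, err
		}
		v.Amounts[i] = int(n.Int64()) + 1 // 1..99 cents
	}
	return v, nil
}

// Confirm checks the amounts the account holder reports. It is
// order-insensitive (statements don't guarantee which deposit lands first),
// time-limited, and attempt-limited: three guesses against 4,950 unordered
// pairs is roughly a 0.06% chance of passing without seeing the statement.
func (v *Verification) Confirm(now time.Time, a, b int) (bool, error) {
	switch {
	case v.Verified:
		return true, nil
	case now.After(v.ExpiresAt):
		return false, ErrExpired
	case v.Attempts >= maxAttempts:
		return false, ErrLocked
	}
	v.Attempts++
	if matches(v.Amounts, a, b) {
		v.Verified = true
		return true, nil
	}
	if v.Attempts >= maxAttempts {
		return false, ErrLocked
	}
	return false, nil
}

// matches compares in constant time so response latency does not reveal
// whether the first amount matched on its own (cheap insurance).
func matches(want [2]int, a, b int) bool {
	w0, w1 := int32(want[0]), int32(want[1])
	inOrder := subtle.ConstantTimeEq(w0, int32(a)) & subtle.ConstantTimeEq(w1, int32(b))
	swapped := subtle.ConstantTimeEq(w0, int32(b)) & subtle.ConstantTimeEq(w1, int32(a))
	return (inOrder | swapped) == 1
}

func main() {
	now := time.Now()
	v, _ := Start(now, 72*time.Hour)
	// Originate two ACH credits for v.Amounts[0] and v.Amounts[1] here (not shown).
	ok, err := v.Confirm(now, v.Amounts[1], v.Amounts[0]) // swapped order still passes
	fmt.Println(ok, err, v.Attempts)
}
```

Once an attempt lockout or expiry fires, the right response is to start a fresh verification with new amounts rather than reset the counter on the old one; otherwise the attacker gets an unlimited budget of guesses against the same pair. Prenotification needs none of this user-facing logic, since the signal is whether the zero-dollar entry comes back as a return.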
Sending bank payments securely can be daunting. One option to accept bank payments while reducing your data security burden is to work with a provider like Modern Treasury. We can help you integrate with your bank securely and scale your business's payment operations. If you're interested, request a demo today.
For more information about our security practices, see https://www.moderntreasury.com/security
Update: an earlier version of this post included a footnote that incorrectly cited certain bank schemes being credit-only. We've removed that language.
Notes
- Consumer liability rules also give credit cards stronger protection against fraudulent transactions than bank payments: https://www.nerdwallet.com/article/credit-cards/credit-card-vs-debit-card-safer-online-purchases
- The security risk posed by exposed bank account details is regionally specific. In Europe, for example, IBAN and BIC numbers are routinely shared openly to receive credit transfers.