
Security

Adjusting to NACHA rule changes

The NACHA has updated its rules for protecting sensitive customer data for payments. Here's how to stay on top of the new regulations.



When it comes to dealing with sensitive customer data, security is a highly important component. As a result, many regulatory organizations, such as the National Automated Clearinghouse Association, have precise guidelines for how to properly encrypt, access and send customer data, according to Paysimple.

The NACHA itself, which handles ACH payments, recently updated its rules to help battle both bad actors and cybercriminals. These rules directly affect merchants, who will in turn need to adjust their systems to meet the standards.

In order to get a clearer understanding of what these new rules entail and how merchants can follow them, ATM Marketplace interviewed Gary Barnett, CEO at PCI DSS compliance solutions provider Semafone Ltd.

Q. Why were the NACHA rules changed?

A. Over time we've seen increasing efforts from bad actors and cybercriminals to commit fraud and steal financial information, especially in the past two years as digital payments grew 40% due to their convenience in an increasingly online world. As more transactions are processed through digital channels, further guardrails must be put in place to preserve the integrity of these transactions.

This update to the guidelines is a major step in the right direction to better protect sensitive consumer data and minimize the chance for fraudulent activity.

Q. How will these rules affect customers/merchants during a transaction?

A. The rules will hold merchants more accountable for the accuracy and security of their customers' data and personally identifiable information during a transaction. Additionally, merchants may have to re-tool their fraud detection systems or implement technology to secure the input of banking information in order to be fully compliant with the new ruling. As for customers, they may have extra verification steps in their purchasing process before completing a transaction, but the majority of the impact will be felt from the merchant side.

Q. Why was it important to require consumer account information to be validated prior to an ACH debit transaction?

A. According to NACHA, 6.8 billion payments were made on the Automated Clearing House Network during the third quarter of 2020, up 9% over the same period in 2019. It's critical that we secure these payments due to their rising popularity with consumers. Additionally, Automated Clearing House (ACH) debit transactions (also known as e-checks) are unique because once permission from the customer is given to the merchant, they're able to take direct payment from the customer when due. Because of this direct access into a checking account, it's critical for these types of transactions to have more rigorous security controls like account validation to minimize the chance of malicious activity. Banking details falling into the wrong hands have devastating and often irreversible consequences. These new rules will enhance consumer data privacy and help to reduce fraud.

Q. How does this affect the payments industry?

A. Given the accelerated use in digital communication, this ruling will provide another stepping stone in making sure transactions are both secure and convenient. Safeguarding customer data should be a top priority for all organizations that collect and store payment information; however, not all organizations are equipped with the technology to meet these increasingly prevalent security mandates. Partnering with a payment solutions provider that supports these types of regulatory changes is key to success. With these solutions, merchants can integrate technology like data masking that will not only help them achieve compliance by limiting exposure to sensitive data, but also protect the consumer in the process.

Q. How will this ruling impact the customer experience?

A. When setting up an ACH transfer with a merchant, customers will likely face an additional step to validate their information, but will have no additional actions past that. Overall, the customer will have an improved experience and reassurance that the merchants they are working with are putting extra care and measures in place to ensure ACH debit transactions are more secure. A recent survey by Semafone conducted of 1,000 U.S. consumers found that nearly half of consumers (47%) rank security and privacy as more important than ease of payment interface and experience when completing a purchase. Only 14% of respondents felt ease of payment interface and experience were more important. Security and privacy go hand in hand with customer experience, and the ruling will benefit all parties involved.

Q. How can this ruling fight against digital payment fraud?

A. The ruling is an added safeguard against payment fraud and as more transactions occur online, the demand for more protection will continue rising. It's likely we'll see more updates from NACHA targeting large financial institutions and merchants in the coming years with more focus towards personal privacy and security. However, merchants shouldn't rely on NACHA or other regulatory changes to make improvements to their payment security. Plenty of technology already exists to protect customer information for all types of digital payments. Merchants should proactively be adopting these solutions to protect their businesses and improve the customer experience.

Q. How does this new ruling hold merchants accountable?

A. Merchants will be responsible for ensuring extra protection for their consumers. With requirements to validate information prior to a transfer, merchants will have to adapt their current data collection practices to account for the added step. Many will also be forced to rethink their overall fraud detection systems to make up for the added security measures. Merchants that don't have the technology in place to comply with the ruling will risk losing customers due to an inferior experience compared to transacting with compliant retailers.

Q. You mention that further guardrails need to be added. What do you envision these to look like?

A. Requiring a customer's account information to be validated prior to an ACH transfer is a strong addition, but more needs to be done in this area to protect sensitive payment data and PII. Especially in call and contact centers, where many payments occur over the phone, agents need the ability to accurately validate a customer's bank account information while remaining compliant with security protocols. This has proven to be a challenge with remote working models and new gaps in security impacting the compliance and security landscape over the past year. These gaps need to be filled by technology that diminishes any chance of sensitive information being captured other than how the customer intends. For example, utilizing dual-tone multi-frequency masking technology, customers are able to enter their banking information using their telephone keypad. Aside from ensuring an agent is shielded from hearing or seeing a customer's sensitive information, the solution can automatically perform a verification process to confirm that the bank data provided is valid. The investment in these solutions for merchants and their contact centers far outweighs the risks of compromising sensitive information.

Q. With this ruling, how do you think the future looks for the payments industry and what more do you think needs to be done?

A. The future of payments is heading in the direction of digital and there's no sign of this stopping. As part of this shift, there are many different channels, like phone calls, text/SMS, chat or social media, that allow customers to make payments. Jumping between channels can create a disjointed journey for customers, which is why it's critical for merchants and payment centers to pursue a cohesive omnichannel strategy. This will allow them to service customers in their channel of choice and for the customer to determine how they'd like to pay for products. This approach, connected with continued efforts to heighten security measures, will create a more positive customer experience and allow seamless digital interactions.

