Nacha is yet another set of Enterprise security rules and regulations

new nacha account security requirements come into effect

Nacha’s new data security Rule is another in a long list of examples of how the regulations and standards continue to evolve and apply to every organization. Understanding the specifics of Nacha, or any data protection requirement, is just the first step to ensuring an organization is prepared to protect the sensitive data they handle properly. Failing to do this well and on time can lead to many negative consequences, including fines, loss of business, brand damage and more. The ability to leverage the best data protection methods quickly and effectively can avoid the negative aspects as well as turn into business efficiencies and functionalities that can accelerate profits and expand opportunities.

The Nacha data security Rule may not apply today, but today is the time to address the concern. Comforte’s SecurDPS is at the top of the list of data security options to consider to address Nacha’s data security Rule, as well as address the multitude of other data security challenges an organization faces today. Used well, SecurDPS can move an organization from a reactive approach to security and compliance concerns into a proactive business mode that will enable long-term success.

Nacha’s Account Data Security Rule Came into Effect in July

The extension to the deadline to meet Nacha’s Rule related to protecting Account Numbers in an ACH transaction is upon us – June 30, 2021. This rule already applied to most financial institutions, but now non-financial institutions, including Originators, Third-Party Service Providers, and Third-Party Senders, have to meet the rule if they had 6-million ACH transactions in 2019. For smaller entities who processed 2 million transactions during 2020, they still have another year until June 30, 2022.

What is at stake here is the security of the banking account numbers involved with moving money in or out of a bank account. This means that there are organizations right now that may not be protecting this data. The deadlines have been put in place by Nacha to ensure these transactions have the proper protections. The rule discusses using PCI DSS (Payment Card Industry Data Security Standard) as a guide to how to protect Account Numbers in the same way that Cardholder Data is.

The most common approach is to encrypt or tokenize the data so that even if a hacker gains access to the data, they will be unable to read or use the data. Anyone who has a bank account should be happy to know that these security guidelines will be in place for those organizations that have not yet met these security standards. With Nacha reporting that in the first quarter of 2021, ACH transaction volume hit 7.1 billion payments amounting to 17.3 trillion USD, it is clear there is plenty of account data to be protected.

Data-centric security for Nacha payments

Rather than trying to protect the deposit account data with perimeter security, i.e. preventing access to the data source, it is much more elegant and effective to protect the sensitive data element itself. Data-centric security protects the data by tokenizing the data element, rendering it unreadable and useless for any attacker while complying with the new supplementing data security requirements. Major retailers and financial organizations across the globe are already utilizing data-centric security to secure PANs in accordance with PCI DSS.

These are Nacha dad’s data protection standards

New data protection standards and regulations are emerging all the time. Organizations that want to keep up with new standards and rules need agile data protection tools that can easily be extended to new standards as required. To learn more, check out our white paper “Nacha and Tokenization – accurate, efficient data protection” by clicking on the button below:

CTA WP Nacha and Tokenization

Download Whitepaper


  • Thomas Gloerfeld

    Thomas Gloerfeld is Director of Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he closely monitors topics such as data security, risk and compliance.