Do ACH/EFT transactions require PCI compliance?

No, but they should!

While methods of transmitting and storing bank account data via the ACH network do not fall under the PCI Security Standards Council (PCI SSC) standards that credit card transactions do, a company transmitting and storing bank data is not free of fraud risk. Companies that do not take measures similar to those the PCI SSC requires for credit card transactions are open to having their customers' bank data compromised, and to putting their credibility at risk in the eyes of their clientele. And if their customer base consists of businesses, note that business checking accounts do not receive the same protection that consumer accounts do.

ACH Payments provides solutions for all methods of ACH transfer that replace bank account data with tokens, eliminating all stored bank account information from client servers and databases. Search capabilities are not reduced by employing token solutions; in fact, they are enhanced. Eliminating stored bank account data protects the client not only from cyber intrusion but also from the risk of bank account information theft by internal personnel, should the client be using proprietary software that is integrated via the ACH Payments gateway API to transmit its transactions.
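As an added illustration (not ACH Payments' code or API), here is the token-vault pattern the paragraph describes, in Python: the client application keeps only a random token and the last four digits, a keyed fingerprint lets it look an account up again without storing the number, and the routing number's check digit is validated before anything is vaulted. The in-memory vault, the key handling and the sample numbers are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo of the tokenization pattern. The two dicts stand in for a
# separate, access-controlled vault service; the client's own database only
# ever sees the token and a display hint (last four digits).
VAULT_KEY = secrets.token_bytes(32)  # placeholder: in practice held in a KMS/HSM
_vault = {}   # token -> (routing, account); only the vault holds this
_index = {}   # keyed fingerprint -> token; supports search and de-duplication


def valid_routing(routing: str) -> bool:
    """ABA routing-number check digit: weights 3,7,1 over nine digits, sum % 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def _fingerprint(routing: str, account: str) -> str:
    # Keyed hash, so a leaked index cannot be brute-forced back to account numbers
    msg = f"{routing}|{account}".encode()
    return hmac.new(VAULT_KEY, msg, hashlib.sha256).hexdigest()


def tokenize(routing: str, account: str) -> str:
    """Return the token for an account, reusing the existing one if already vaulted."""
    if not valid_routing(routing) or not account.isdigit():
        raise ValueError("invalid routing or account number")
    fp = _fingerprint(routing, account)
    if fp in _index:
        return _index[fp]  # same account always maps to the same token
    token = "ach_" + secrets.token_hex(12)  # random; not derived from the data
    _vault[token] = (routing, account)
    _index[fp] = token
    return token


def find_token(routing: str, account: str) -> Optional[str]:
    """Search by account without the caller storing account data."""
    return _index.get(_fingerprint(routing, account))


def detokenize(token: str) -> Tuple[str, str]:
    """Vault-only operation, e.g. when the ACH file is actually built."""
    return _vault[token]


def app_record(token: str, account: str) -> dict:
    """What the client's database keeps: the token plus a display hint."""
    return {"token": token, "account_last4": account[-4:]}
```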

While the banks and NACHA (the governing body of the ACH network) have been slow to move toward measures similar to those the credit card industry has adopted, there is no question that every business that transmits ACH transactions should employ a secure method of data transmission that replaces bank account data with tokens. If you want to position your company out front and assure your clients that you are safely handling their bank account data, contact us today.