ACH Website Payments – Is PCI Compliance Required?

The short answer is no, but that needs some explaining. If your organization or business wants to accept ACH payments from users on its website, it is still best practice to make sure the method you employ is a PCI compliant one.

While NACHA doesn’t mandate PCI compliance for ACH transactions, it does have its own set of rules on how data is managed and protected. Moreover, the majority of websites that accept, or wish to add, ACH payment functionality also accept credit cards. So implementing a single PCI compliant method for accepting both credit card and ACH transactions is advantageous from a development perspective, assuming the integration method you would be using supports both credit card and ACH transactions.

Bank account data is sensitive, just like credit card data. Protecting the data of your hard-earned customer base should be paramount. Imagine the firestorm should your website be breached and hundreds or thousands of customer checking account numbers be stolen and fraudulently used.

Sensitive bank account data should not be stored on any of your own systems. There’s simply no need to do so. Today’s ACH processing systems run on PCI Level 1 compliant platforms, so the sensitive data can be transmitted to the ACH processor and a reference token returned for storage. These reference tokens are of no value to would-be data thieves. The tokens are used to post future transactions: the merchant submits the token with the transaction data, and the PCI compliant system converts the token back to the bank account data for submission to the ACH operator.

In some cases the original ACH transaction is submitted so that the initial post goes directly to the ACH gateway, so the merchant’s web server never touches the bank account data at all.
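To make the token flow in the two paragraphs above concrete, here is an added example (not code from the original post or from any particular processor) that simulates both sides: a hypothetical processor vault that holds the only copy of the bank data and issues random reference tokens, and a merchant site that persists nothing but tokens and charges against them. The routing-number check digit validation and the sample account number are constructed for the demonstration.

```python
import re
import secrets

class ProcessorVault:  # simulated PCI-scope ACH processor (hypothetical): only place raw bank data lives
    def __init__(self):
        self._vault = {}      # token -> (routing, account)
        self.submitted = []   # entries handed on to the ACH operator

    @staticmethod
    def valid_routing(routing: str) -> bool:
        # ABA routing number check digit: weights 3,7,1 repeated; weighted sum must be divisible by 10
        if not re.fullmatch(r"\d{9}", routing):
            return False
        return sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0

    def tokenize(self, routing: str, account: str) -> str:
        if not self.valid_routing(routing) or not re.fullmatch(r"\d{4,17}", account):
            raise ValueError("invalid bank account data")
        # Random token, not derived from the account data, so it is worthless if stolen
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (routing, account)
        return token

    def post_transaction(self, token: str, amount_cents: int) -> dict:
        # The processor converts the token back to bank data for the ACH operator;
        # the merchant only ever receives a receipt that carries no account number
        routing, account = self._vault[token]
        self.submitted.append({"routing": routing, "account": account, "amount_cents": amount_cents})
        return {"token": token, "amount_cents": amount_cents, "status": "submitted"}

class MerchantSite:  # merchant web application: keeps reference tokens, never account numbers
    def __init__(self, processor: ProcessorVault):
        self.processor = processor
        self.tokens = {}      # customer_id -> token (all the merchant persists)

    def enroll(self, customer_id: str, routing: str, account: str) -> str:
        # Bank data is handed straight to the processor and is not stored here
        self.tokens[customer_id] = self.processor.tokenize(routing, account)
        return self.tokens[customer_id]

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        # Only the token and the amount leave the merchant for a repeat payment
        return self.processor.post_transaction(self.tokens[customer_id], amount_cents)

    def stores_bank_data(self) -> bool:
        # Self-check: nothing the merchant persists should look like a routing or account number
        return any(re.fullmatch(r"\d{4,17}", v) for v in self.tokens.values())
```

Running `MerchantSite(ProcessorVault()).enroll("cust-1", "021000021", "000123456789")` returns only a `tok_...` value, and `stores_bank_data()` stays false however many customers are enrolled.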

If you and your organization have questions about how to best handle ACH payment data in regards to implementing ACH website payments, let us know your questions and we’ll be happy to assist you.

About Gene

Gene is a 24-year veteran of the electronic payments industry and has consulted with countless companies of all sizes. He has overseen large underwriting portfolios, directed IT staff, and currently serves as the Director of Business Development. Gene has appeared before the U.S. Congress to provide expert opinions on developing technology and transaction risks, and on solutions for the payroll industry. You can find him on LinkedIn.