The short answer is no, but that needs some explaining. If your organization or business has a website and seeks to accept ACH website payments from users on your website, it would definitely be best practice to see to it that the method you employ would be a PCI compliant one.
While NACHA doesn’t mandate PCI compliance for ACH transactions, they do have their own set of rules on how data is managed and protected. Moreover, the majority of websites that accept, or wish to add, ACH payment functionality also accept credit cards. So implementing a PCI compliant method for accepting both credit card and ACH transactions is advantageous from a development perspective. That is assuming the integration method you would be using allows for both credit card and ACH transactions.
Bank account data is sensitive just like credit card data. Protecting the data of your hard earned customer base should be paramount. Can you imagine the firestorm should your website be breached and you had hundreds or thousands of customer checking account numbers stolen and fraudulently used?
Sensitive banking account data should not be stored on any of your operating systems. There’s simply no need to do so. In today’s environment with sophisticated ACH processing systems out there that operate on PCI level one compliant platforms, sensitive data can be transmitted to the ACH processor and have a reference toek returned for storage. These reference tokens are of no value to would-be data thieves. The tokens are used to call and post future transactional data, where the reference token is used by the PCI compliant system to convert-back the token for submission to the ACH operator.
In some cases the original ACH transaction submission takes place in a fashion where the initial post is made directly to the ACH gateway, eliminating an initial touch by the merchant’s webserver.
If you and your organization have questions about how to best handle ACH payment data in regards to implementing ACH website payments, let us know your questions and we’ll be happy to assist you.
