
Is PCI Compliance Required for an ACH Payment Gateway?

It’s an interesting question for any organization that originates or processes ACH payment transactions. As you probably know, NACHA is the governing body for everything ACH in the United States.

The short answer is no: PCI DSS governs cardholder data, and a bank routing number and account number are not cardholder data, so PCI compliance is not a requirement for ACH. However, NACHA has its own set of rules! Before you get all worked up, know that an ACH processing provider that runs on a PCI Level 1 platform and extends those PCI-compliant capabilities to your ACH payments processing more than likely has you covered. Onward to the fine print.

NACHA, the ACH governing body, requires any merchant or organization that originates ACH transactions to put procedures, processes and controls in place to protect sensitive data. In the credit card world, that is the cardholder data a breach would expose: card number, expiry date and the rest. In the ACH world the bar for the attacker is lower: a routing number and an account number are all that is needed to fraudulently debit a bank account.

If your organization uses a virtual terminal for its ACH processing and the provider’s VT runs on a PCI Level 1 compliant platform, you need look no further, provided your own staff never copy account data out of it into spreadsheets, email or paper. You’re covered.

However, if your organization is integrated with your ACH provider’s API, there are some i’s to dot and some t’s to cross.

If the provider’s ACH payment gateway and API can tokenize sensitive data, make sure your development team actually uses that capability in your application: exchange the routing and account number for a token at the point of capture, store and transmit only the token afterward, and keep the raw numbers out of your own databases, files and logs.

We know first-hand that many organizations and businesses still transmit a flat file containing sensitive data, and their customers have absolutely no clue of this, nor do they know (or have the time to learn) the rules for protecting sensitive data in ACH transactions.
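To make the tokenization point and the flat-file problem concrete, here is an added example that is not code from this post or from any ACH provider. It sketches the shape of a tokenized integration: the bank data goes into a vault on the provider’s side and the merchant keeps only an opaque token, which is all that later debit requests carry. It also includes a small check, built on the ABA routing number checksum, that flags a raw routing number left in a record or an outbound file of the kind the previous paragraph describes. The vault class, the request layout and every field name are hypothetical, and the sample routing and account numbers are constructed for the example (the routing number merely satisfies the checksum; it does not belong to a real bank).

```python
"""Added example, not code from the original post or from any ACH provider:
a minimal tokenization flow for ACH bank account data, plus a check that a
merchant-side record or outbound flat file carries no raw routing number.
The vault, the request shape and all field names are hypothetical, and the
sample routing/account numbers are constructed (the routing number merely
satisfies the ABA checksum; it is not a real bank's)."""
import re
import secrets
from dataclasses import dataclass

ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def is_valid_aba_routing(rtn: str) -> bool:
    """ABA routing number check digit: weighted sum of the 9 digits mod 10 == 0."""
    if not re.fullmatch(r"\d{9}", rtn):
        return False
    return sum(int(d) * w for d, w in zip(rtn, ABA_WEIGHTS)) % 10 == 0


class TokenVault:
    """Stand-in for the provider's token vault, assumed to live on the
    provider's PCI Level 1 platform and never in the merchant's environment.
    Only the vault can map a token back to the bank account."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}

    def tokenize(self, routing: str, account: str) -> str:
        """Validate the bank data, keep it vault-side, hand back an opaque token."""
        if not is_valid_aba_routing(routing):
            raise ValueError("routing number fails ABA checksum")
        if not re.fullmatch(r"\d{4,17}", account):
            raise ValueError("account number must be 4-17 digits")
        token = "ach_" + secrets.token_urlsafe(24)  # random, not derived from the data
        self._store[token] = (routing, account)
        return token

    def detokenize(self, token: str) -> tuple[str, str]:
        """Called only by the gateway when it builds the actual ACH entry."""
        return self._store[token]


@dataclass
class MerchantRecord:
    """What the merchant's own database keeps: a token and a display hint."""
    customer_id: str
    ach_token: str
    account_last4: str


def enroll_customer(vault: TokenVault, customer_id: str, routing: str, account: str) -> MerchantRecord:
    """Capture step: the raw numbers go to the vault once and are not retained."""
    token = vault.tokenize(routing, account)
    return MerchantRecord(customer_id, token, account[-4:])


def legacy_flat_file_line(customer_id: str, routing: str, account: str, amount_cents: int) -> str:
    """The pattern the post warns about: raw bank data in a transmitted file."""
    return f"{customer_id}|{routing}|{account}|{amount_cents}"


def tokenized_debit_request(rec: MerchantRecord, amount_cents: int) -> dict:
    """What the merchant sends to the gateway once tokenized: the token, never the numbers."""
    return {"customer_id": rec.customer_id, "ach_token": rec.ach_token, "amount_cents": amount_cents}


NINE_DIGIT_RUN = re.compile(r"(?<!\d)\d{9}(?!\d)")


def leaks_routing_number(text: str) -> bool:
    """True if text contains a 9-digit run that passes the ABA checksum, i.e. a
    likely raw routing number sitting in a record, log line or outbound file."""
    return any(is_valid_aba_routing(m) for m in NINE_DIGIT_RUN.findall(text))


# Constructed sample data (see module docstring).
SAMPLE_ROUTING = "123456780"
SAMPLE_ACCOUNT = "000123456789"

if __name__ == "__main__":
    vault = TokenVault()
    rec = enroll_customer(vault, "cust-1", SAMPLE_ROUTING, SAMPLE_ACCOUNT)
    print("merchant keeps:", rec)
    print("legacy line leaks routing number:",
          leaks_routing_number(legacy_flat_file_line("cust-1", SAMPLE_ROUTING, SAMPLE_ACCOUNT, 2500)))
    print("tokenized request leaks routing number:",
          leaks_routing_number(str(tokenized_debit_request(rec, 2500))))
    print("gateway resolves token to:", vault.detokenize(rec.ach_token))
```

The design point is where the mapping lives: the merchant’s record and its outbound request contain nothing that the checksum check can recognise as a routing number, because only the vault on the provider’s side can turn the token back into bank data. Running `leaks_routing_number` over the files you actually transmit, or over an application log, is a cheap way to find out whether an integration really uses the gateway’s tokenization or still ships the raw numbers.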

When a customer arrives at a website to purchase goods or services with a credit card, the vast majority of them are by now more or less trained to look for the padlock (a valid SSL/TLS certificate) before entering their card data. Nothing has trained them to demand the same on a page that collects bank account details, and no card-brand program forces the merchant to provide it; the routing and account number are every bit as sensitive, so serve that form over TLS regardless.

The bottom line is, if you require ACH processing capabilities, why take a chance? Seek out a PCI Level 1 compliant ACH payment gateway to facilitate your ACH processing needs. You and your organization may not face the same harsh penalties a credit card data breach suit would bring, but you are certainly at risk of losing some hard-won customers.

About Gene

Gene is a 24-year veteran of the electronic payments industry and has consulted with countless companies of all sizes. He has overseen large underwriting portfolios, directed IT staff, and currently serves as the Director of Business Development. Gene has appeared before the U.S. Congress to provide expert opinions regarding developing technology and transaction risks towards solutions for the payroll industry. You can find him on LinkedIn.