Nacha Operating Rules and Guidelines 2020 Debit WEB Security Audit

2020 Debit WEB Security Audit Overview

Below is an overview of the Debit WEB Security Audit. The audit form that needs to be completed can be found here. Please complete this audit by July 31, 2020.

 

2020 Nacha Operating Rules and Guidelines, Article Two, Subsection 2.5.17.3, Annual Audit Requirements for Debit WEB Entries

 

An Originator of a debit WEB Entry must conduct, or have conducted on its behalf, annual audits to ensure that the financial information it obtains from Receivers is protected by security practices and procedures that include, at a minimum, adequate levels of:

 

  1. physical security to protect against theft, tampering, or damage;
  2. personnel and access controls to protect against unauthorized access and use; and 
  3. network security to ensure secure capture, storage, and distribution.

 

2020 Nacha Operating Rules, Article Two, Subsection 2.5.17.4 Additional ODFI Warranties for Debit WEB Entries

 

In addition to the other warranties contained within these Rules, an ODFI originating a debit WEB Entry warrants to each RDFI and ACH Operator that:

 

(a) Fraud Detection System. The Originator has established and implemented a commercially reasonable fraudulent transaction detection system to screen the debit WEB entry. Such a fraudulent transaction detection system must, at a minimum, validate the account to be debited for the first use of such account number, and for any subsequent change(s) to the account number.

 

(b) Verification of Receiver's Identity. The Originator has established and implemented commercially reasonable methods of authentication to verify the identity of the Receiver of the debit WEB Entry.

 

(c) Verification of Routing Numbers. The Originator has established and implemented commercially reasonable procedures to verify that the routing number used in the debit WEB Entry is valid.

 

 

Effective March 19, 2021: (a) The Originator has established and implemented a commercially reasonable fraudulent transaction detection system to screen the debit WEB entry. Such a fraudulent transaction detection system must, at a minimum, validate the account to be debited for the first use of such account number, and for any subsequent change(s) to the account number.
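As an added illustration (not text from the Nacha rules and not Forte's code), the following Python sketch shows how an Originator might screen a debit WEB Entry against warranties (a) and (c): the routing number is checked against the ABA check-digit rule, and the account is flagged for validation on its first use for a Receiver and whenever the account number changes. The screener class, its in-memory store and the sample numbers are constructed for this example.

```python
# Added illustration; the class, store and sample values are constructed,
# not taken from the Nacha rules or from any Forte system.

# ABA routing transit number check-digit weights (3,7,1 repeating over 9 digits)
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def routing_number_is_valid(rtn: str) -> bool:
    """Return True when rtn is nine digits whose weighted sum is a multiple
    of 10. This proves the number is well-formed, not that it belongs to an
    institution: a routing-directory lookup is still needed for that."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    return sum(w * int(d) for w, d in zip(ABA_WEIGHTS, rtn)) % 10 == 0


class WebDebitScreener:
    """Minimal fraud-screening step: remembers which (routing, account)
    pairs have been validated for each Receiver, so that a first use of an
    account or a change of account number is sent for validation."""

    def __init__(self) -> None:
        self._validated: dict[str, set[tuple[str, str]]] = {}

    def screen(self, receiver_id: str, rtn: str, account: str) -> dict:
        """Decide what to do with one debit WEB Entry: 'reject' (bad routing
        number), 'validate' (first use or changed account) or 'pass'."""
        if not routing_number_is_valid(rtn):
            return {"decision": "reject", "reason": "invalid routing number"}
        known = self._validated.get(receiver_id, set())
        if (rtn, account) not in known:
            return {"decision": "validate",
                    "reason": "first use of this account or account changed"}
        return {"decision": "pass", "reason": "account previously validated"}

    def record_validation(self, receiver_id: str, rtn: str, account: str) -> None:
        """Call once the account has been validated (e.g. by an account
        validation service); later entries for the same pair then pass."""
        self._validated.setdefault(receiver_id, set()).add((rtn, account))


if __name__ == "__main__":
    s = WebDebitScreener()
    # Constructed sample: 123456780 satisfies the check digit, 123456789 does not
    print(s.screen("receiver-1", "123456780", "0001"))  # validate (first use)
    s.record_validation("receiver-1", "123456780", "0001")
    print(s.screen("receiver-1", "123456780", "0001"))  # pass
    print(s.screen("receiver-1", "123456780", "0002"))  # validate (changed)
    print(s.screen("receiver-1", "123456789", "0001"))  # reject
```

The check digit only catches mistyped or malformed routing numbers; confirming that a well-formed number is actually assigned to an institution still requires a lookup against a routing directory.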

 

 

2020 NACHA Operating Rules and Guidelines, Guidelines, Section V, Chapter 48, pages OG 241-242

 

Data loss or compromise not only hurts the Receiver, but can also damage a business's reputation. Receiver trust is a key factor in building loyalty. It is in the Originator's best interest to develop and deploy practices that protect the integrity of Receiver information and the transaction, and to ensure that these practices are audited for their effectiveness. The Nacha Operating Rules for debit WEB transactions require Originators to conduct an annual data security audit to ensure that the financial information the Originator obtains from Receivers is protected by commercially reasonable security practices and procedures that include adequate levels of:

 

  1. physical security to protect against theft, tampering, or damage, 
  2. administrative, technical, and physical access controls to protect against unauthorized access and use, and 
  3. network security to ensure secure capture, transmission, storage, distribution and destruction of financial information. 

 

While the Nacha Operating Rules only require Originators of debit WEB Entries to conduct an audit of their security practices and procedures once a year, many companies are now opting to audit these practices twice a year or even quarterly due to the rapid change of technology and security risks. It is therefore highly recommended that Originators of debit WEB entries conduct more frequent audits. This audit requirement can be met in several ways. It can be a component of a comprehensive internal or external audit, or it can be an independent audit that uses a commercially reasonable, generally accepted security compliance program. An Originator that is already conducting an audit of these practices and procedures for another area of its business is not required to have two separate audits. However, the audit should address adequate levels of data security for the Originator's ACH operations.

 

The following sections detail the minimum components that need to be audited in order to comply with the audit requirement. (Note: In any case where these key components are not specifically required under the Nacha Operating Rules, all are recommended by Nacha as sound business practices.)

Purpose and use of this form:

 

The purpose of this form is to provide the merchant a method to document the required annual debit WEB Security Audit. Once completed, this form can be provided to Forte as verification of compliance with the Nacha Operating Rules and Guidelines. If the Merchant is annually conducting other internal security and controls reviews, such as an Information Security Audit, an Information Technology Audit and/or a Service Organization Controls (SOC) Type 1 or Type 2 Report, this form can be used to document the areas covered by those reviews and required by the annual debit WEB Security Audit. The debit WEB Security Audit does not require these areas to have a separate independent review for the purpose of complying with the audit requirement.

 

 

Example:

Each row of the form has three columns: the debit WEB security requirement; the Source Document, Policy, Procedure, or Other Evidence (Testing) named to Certify Compliance with the Debit WEB Security Requirement; and the Statement of Compliance with the Debit WEB Security Requirement.

1. Requirement: Critical network, server, and telecommunications equipment should be placed in physically secure locations that permit access only to authorized personnel.
   Evidence: Corporate Information Security Policy; 2019 SOC Type 2 Report.
   Statement of compliance: All critical network, server and telecommunications equipment are located in a physically secure area with limited access to authorized personnel only.

2. Requirement: Firewalls must be fully deployed with secured processes for administering those firewalls.
   Evidence: Corporate Information Policy; 2019 SOC Type 2 Report; Review of System Firewall.
   Statement of compliance: System firewalls are in place and deployed.
   Finding: The 2019 SOC Type 2 review found that some elements of the firewall were not fully deployed.
   Company response to finding: Action has been taken to implement changes to the system firewall to ensure that it is deployed to its fullest capabilities.

 
