Effective 2020, the National Automated Clearing House Association (Nacha) requires an annual audit to ensure the security of financial information. This audit focuses on WEB debit transaction origination and the security of customer bank account information, specifically for ACH (non-card) transactions.
What: Debit WEB Security Audit (document linked below)
Who: Partners/Merchants who originate WEB debits (non-card transactions) and have access to customer bank information
When: Annually, effective 2020
Nacha requires an annual data security audit to ensure that customer information obtained is protected by security practices and procedures.
Conduct, or have conducted on your behalf, an annual audit to ensure that the financial information is protected by security practices and procedures. At a minimum, security practices should include an adequate level of:
(a) physical security to protect against theft, tampering, or damage;
(b) personnel and access controls to protect against unauthorized access and use; and
(c) network security to ensure secure capture, storage, and distribution.
The document attached below outlines the minimum requirements to be Nacha compliant.
Once completed, this form should be returned to Forte as verification of compliance with the Nacha Operating Rules and Guidelines. If your organization already conducts other internal security and controls reviews annually, this form can be used to document the areas covered by those reviews that are required by the annual Debit WEB Security Audit. The Debit WEB Security Audit does not require these areas to receive a separate independent review for the purpose of complying with the audit requirement.
The Debit WEB Security Audit can be completed at this link and will be sent directly to Forte.
What is a Fraud Detection System?
A Fraud Detection System is a set of controls your organization puts in place to prevent fraudulent financial activity by those using your software. Examples include Address Verification Service (AVS) checks and Payer Authentication.
What is a Retention Period as mentioned in the survey?
Rules, regulations, guidelines, and laws specify how long your organization is required to retain customer information. When we ask about the retention period, we are asking whether you destroy information in compliance with the retention periods that apply to your organization based on its business type and location.
Who in our organization would be best equipped to answer the survey and audit?
Someone within your IT department, or your IT vendor, would be a good resource for answering the questions in the survey as well as the audit, should your organization be required to complete it.