Effective 2020, the National Automated Clearing House Association (NACHA) requires an annual audit to ensure the security of financial information. This audit focuses on WEB debit transaction origination and the security of customer bank information, specifically for ACH (non-card) transactions.
What are the Requirements?
Conduct, or have conducted on your behalf, an annual audit to ensure that financial information is protected by security practices and procedures. At a minimum, security practices should include an adequate level of:
(a) physical security to protect against theft, tampering, or damage;
(b) personnel and access controls to protect against unauthorized access and use; and
(c) network security to ensure secure capture, storage, and distribution.
The document attached below outlines the minimum requirements to be Nacha compliant.
Once completed, this form should be returned to Forte as verification of compliance with the Nacha Operating Rules and Guidelines. If your organization already conducts other internal security and controls reviews annually, this form can be used to document the areas covered by those reviews that are also required by the annual debit WEB Security Audit. The debit WEB Security Audit does not require a separate independent review of these areas for the purpose of complying with the audit requirement.
The 2020 Debit WEB Security Audit can be completed at this link and sent directly to Forte.
What action is required of me?
If you received the Audit form, your organization has been identified as a payment originator and will need to complete the full Audit linked in the notice. The questions in the audit will guide you to additional questions as needed. Completing this Audit is required to remain Nacha compliant.
Who in our organization would be best equipped to answer the questions in this audit?
Someone within your IT Department, or your IT Vendor would be a great resource in answering the questions in the 2020 Debit WEB Security Audit.
What if we do not have these policies or processes in place?
If you answer no to any question in the audit, or are unable to supply a document name when one is requested, your organization will be considered non-compliant. In that case Forte will need a remediation plan and timeline from your organization. Additionally, you can refer to the Federal Communications Commission (FCC) website on cybersecurity for small businesses. The Cybersecurity Hub was designed for businesses that lack the resources to hire a dedicated staff member to protect the business from cyber threats. FCC Cybersecurity for Small Businesses includes links to free and low-cost security tools (e.g. a Cybersecurity Tip Sheet and the Small Biz Cyber Planner) to help small businesses create customized cybersecurity plans.
What if no one in my organization can answer the audit questions?
If you are unable to locate anyone to complete the audit questions, please contact Forte Customer Service by email at firstname.lastname@example.org or by phone at 866-290-5400 (Option 4). For additional support, a vendor may be necessary to conduct the audit. Forte does not endorse any vendor or company; however, Cyber Research Databank provides a resource page covering the latest trends among US data security companies and offers a unique and easy-to-navigate database of more than 5000 US data security vendors/companies.
Where can I find similar guidance on protection of customer data?
Because many of the data security requirements for ACH transactions are also covered by the PCI Data Security Standard requirements, you can refer to the PCI Security Standards Council for tools and resources on data security for small merchants.
o Understanding Encryption in the ACH Network (Nacha)
o Center for Internet Security (Cybersecurity Tools and Best Practices)