Effective 2021 the National Automated Clearing House Association also referred to as Nacha is requiring an annual audit to ensure the security of financial information. This audit will focus on web debit transaction origination and customer bank information security - specifically for ACH (non-card transactions).
What are the Requirements?
Complete an annual audit conducted on your behalf, to ensure the financial information is protected by security practices and procedures. Security practices at a minimum should include an adequate level of:
(a) physical security to protect against theft, tampering, or damage;
(b) personnel and access controls to protect against unauthorized access and use; and
(c) network security to ensure capture, storage, and distribution.
The document attached below outlines the minimum requirements to be Nacha compliant.
What action is required of me?
To complete this audit and provide the necessary information to CSG Forte we have created a form for you to complete here.
If you completed the Web Debit Security Audit previously, you must review your responses and visit this form to certify that no changes have been made to your organization's policies and procedures that would affect compliance with Nacha's Operating Rules and Guidelines.
Who in our organization would be best equipped to answer the questions in this audit?
Someone within your IT Department or your IT Vendor would be a great resource in answering the questions in the Web Debit Security Audit.
What if we do not have these policies or processes in place?
If you answer no to any questions in the audit or are unable to supply the document name when needed, your organization will be considered non-compliant. In this instance, CSG Forte will need a remediation plan and timeline from your organization. Additionally, you can refer to the Federal Communication Commission (FCC) website for cybersecurity for small businesses. The Cybersecurity Hub was designed for businesses that lack the resources to hire a dedicated staff member to protect their business from cyber threats. FCC Cybersecurity for Small Businesses includes links to free and low-cost security tools (e.g. a Cybersecurity Tip Sheet, and Small Biz Cyber Planner) to assist small businesses to create customized cybersecurity plans.
What if no one in my organization can answer the audit questions?
If you are unable to locate anyone to complete the audit questions, please contact CSG Forte Customer Service at firstname.lastname@example.org via email or 866-290-5400, (Option 1). For additional support, a vendor may be necessary to conduct the audit. CSG Forte does not endorse any vendor or company; however, Cyber Research Databank provides a resource page to find the latest trends of US Data Security companies and offers a unique an easy to navigate database with more than 5000 US Data Security vendors/companies.
Where can I find similar guidance on the protection of customer data?
As many data security requirements of ACH Transactions are covered under PCI Data Requirements, you can refer to the PCI Security Standards Council for tools and resources about data security for small merchants.
o Understanding Encryption in the ACH Network (NACHA)
o Center for Internet Security (Cybersecurity Tools and Best Practices)