Under Nacha’s Operating Rules, any Originator of WEB debit transactions—those authorized by consumers via the internet or wireless networks—is required to conduct an audit annually.
This applies to any merchant or partner who collects bank account information (e.g., routing and account numbers) from consumers to initiate ACH debits. The audit serves as a critical check to verify that this data is being managed with the highest security standards.
What Is Required?
The goal of the audit is to ensure that the financial information collected from consumers is protected through established, enforced, and monitored security practices and procedures.
Specifically, the audit must confirm that your organization has documented policies and effective controls in place to prevent unauthorized access, use, or compromise of protected information.
Key Security Practices to Confirm
Your organization must demonstrate that it maintains the following security measures to comply with Nacha's WEB audit requirements:
Physical Security Controls
All paper-based documents containing sensitive customer data (e.g., account or routing numbers) must be stored securely, in locked file cabinets or restricted-access rooms.
Network Security Controls
Any electronically stored financial data must be encrypted and protected by robust cybersecurity defenses (e.g., firewalls, anti-malware software, and intrusion detection systems).
Access Controls
Only personnel with a clear business need should have access to consumer financial information. User access should be monitored and reviewed regularly.
Benefits of Completing the Audit
Adhering to the Web Debit Security Audit requirements isn’t just a regulatory checkbox—it strengthens your business operations and builds trust with customers and partners.
✔ By completing your annual audit, you:
Reduce fraud across the ACH network.
Preserve trusted relationships with your customers and business partners.
Avoid Nacha Rule violations and potential penalties.
Protect your organization’s reputation by demonstrating a proactive approach to data security.
Do You Need to Complete Your Annual Audit?
If your organization has not yet completed the audit for this calendar year, now is the time to take action. Completing the audit is mandatory for all Originators of WEB debit entries and must be done every year to remain compliant.
Click here to access and complete the Web Debit Security Audit Form
https://hardwareorderform.formstack.com/forms/web_debit_security_audit_merchant_v2
Need Help Completing the Audit?
The audit should ideally be completed by someone with insight into your organization's IT infrastructure and data handling policies. We recommend involving:
A team member from your IT department, or
A trusted third-party IT vendor or security consultant.
If you have questions or need support during the process, please contact CSG Forte Customer Service at: ? customerservice@forte.net
? 866-290-5400 (Option 1)