It’s an interesting question for any organization that originates or processes ACH payment transactions. As you probably know, NACHA is the governing body for everything ACH in the United States.
The short answer is no, PCI compliance is not a requirement for ACH. However, NACHA has its own set of rules! Before you get all worked up, know that an ACH processing provider that runs on a PCI Level 1 platform and extends those PCI-grade controls to your ACH processing more than likely has you covered for the data that flows through them. Onward to the fine print.
The ACH governing body, NACHA, maintains that any merchant or organization that originates ACH transactions must put in place procedures, processes and controls to protect sensitive banking data. In the credit card world that is the data obtained in a card breach: card number, expiration date and security code. In the ACH world the bar is lower: a routing number and an account number are all that is needed to fraudulently debit a bank account, and those two numbers are printed on every paper check.
If your organization uses the provider’s virtual terminal (VT) for its ACH processing and that VT runs on a PCI Level 1 compliant platform, you need look no further for the data entered there. You’re covered. The caveat is that the provider’s compliance covers their platform, not yours: account numbers your staff write down, keep in spreadsheets or leave in e-mail before keying them into the VT are still your responsibility under the NACHA rules.
However, if your organization is integrated via your ACH provider’s API, there are some i’s to dot and t’s to cross.
If that provider’s ACH payment gateway and API can tokenize sensitive data, make sure your development team actually uses that capability in your software. Tokenization means the routing and account numbers are sent to the provider once, the provider returns an opaque token, and your application stores and reuses only the token for later debits. Raw routing and account numbers then never sit in your database, logs or exports, which is exactly the data a thief needs.
We know first-hand that there are still many organizations and businesses out there that transmit a flat file that contains sensitive data – and their customers have absolutely no clue of this, nor do they know (or have the time to learn) the rules surrounding the protection of sensitive data that pertains to ACH transactions.
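Here is an added example of the two practices just described, which is not code from the original post or from any real ACH provider. The `ProviderVault` class is a hypothetical stand-in for a gateway’s tokenization API (in production it lives at the provider and is reached over TLS); the merchant side keeps only a token and the last four digits. The second half is a check a practitioner can run over an outbound flat file or log to catch raw routing numbers that should have been tokenized, using the real ABA routing-number checksum so that arbitrary nine-digit values are not flagged. The sample flat-file lines are constructed.

```python
import re
import secrets
from dataclasses import dataclass

# ABA routing transit number checksum: weighted digit sum must be divisible by 10.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def is_valid_routing_number(rtn: str) -> bool:
    """True if rtn is nine digits with a valid ABA checksum."""
    if not re.fullmatch(r"\d{9}", rtn):
        return False
    return sum(int(d) * w for d, w in zip(rtn, ABA_WEIGHTS)) % 10 == 0


class ProviderVault:
    """Hypothetical stand-in for the gateway's tokenization endpoint.

    The raw routing/account pair is stored here, at the provider, never
    in the merchant's own database.
    """

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}

    def tokenize(self, routing: str, account: str) -> tuple[str, str]:
        """Exchange raw banking data for an opaque token plus a display hint."""
        if not is_valid_routing_number(routing):
            raise ValueError("invalid routing number")
        if not re.fullmatch(r"\d{4,17}", account):
            raise ValueError("invalid account number")
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = (routing, account)
        return token, account[-4:]

    def debit(self, token: str, amount_cents: int) -> dict:
        """Originate a debit against a token; the merchant never sees raw data again."""
        _routing, account = self._store[token]
        return {"status": "queued", "last4": account[-4:], "amount": amount_cents}


@dataclass
class CustomerRecord:
    """What the merchant database is allowed to hold: token and last four only."""
    customer_id: str
    payment_token: str
    account_last4: str


def enroll_customer(vault: ProviderVault, customer_id: str,
                    routing: str, account: str) -> CustomerRecord:
    """Collect banking data once, hand it to the vault, persist only the token."""
    token, last4 = vault.tokenize(routing, account)
    return CustomerRecord(customer_id, token, last4)


# Nine digits not adjacent to other digits; checksum filters most false hits,
# though a 9-digit account number or ID that happens to pass can still match.
ROUTING_RE = re.compile(r"(?<!\d)(\d{9})(?!\d)")


def find_raw_ach_data(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, routing_number) for lines carrying a checksum-valid
    ABA routing number. Run this over flat files and logs before they leave
    your environment; any hit means tokenization was bypassed."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in ROUTING_RE.finditer(line):
            if is_valid_routing_number(m.group(1)):
                hits.append((n, m.group(1)))
    return hits


# Constructed sample export: line 1 leaks raw banking data, line 2 is tokenized.
SAMPLE_FLAT_FILE = [
    "CUST001|021000021|123456789|2500",
    "CUST002|tok_Zq8m3vP1LkA2|6789|2500",
]

if __name__ == "__main__":
    vault = ProviderVault()
    record = enroll_customer(vault, "CUST001", "021000021", "123456789")
    print(record)                                   # token + last4, no raw data
    print(vault.debit(record.payment_token, 2500))  # debit by token
    print(find_raw_ach_data(SAMPLE_FLAT_FILE))      # flags line 1 only
```

The scanner is deliberately conservative: it relies on the checksum rather than on a pattern alone, so it will miss raw account numbers that appear without their routing number, and it can still flag an unrelated nine-digit value that happens to pass the checksum. Treat a hit as a lead to investigate, not as proof on its own.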
If a customer arrives at a merchant website to purchase goods or services with a credit card, the vast majority of them are more or less trained (by now) to look for the padlock and HTTPS before entering their card data. Customers are far less likely to check for it on an ACH form, even though NACHA’s rules still require that banking information collected over an unsecured network such as the internet be transmitted with commercially reasonable encryption. The lack of customer scrutiny means the merchant, not the customer, has to get this right.
The bottom line is, if you require ACH processing capabilities, why take a chance? Seek out a PCI Level 1 compliant ACH payment gateway to facilitate your ACH processing, and use its tokenization if you integrate. Your organization may not face the same card-brand fines and lawsuits that a credit card data breach brings, but NACHA rule violations carry their own fines and liability, and you are certainly at risk of losing some hard-won customers.