If you run a business, expanding your payment options will help you reach and retain more customers. For instance, while many popular payment methods are available worldwide, some countries prefer lesser-known methods.
By making multiple payment options available, you’ll reach more of your market. If you accept credit cards, you should already be PCI DSS compliant. However, when adding eChecks to your payment options, you need to meet additional compliance regulations.
Compliance regulations are different for eChecks
The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations applicable to all businesses that process credit card transactions. To meet these regulations, businesses must go through annual compliance certification.
eChecks aren’t processed or regulated the same way as credit cards. All eChecks are processed through the ACH network, which is specifically designed to facilitate electronic transactions between financial institutions. Although ACH processing supports both credit and direct debit, it’s the only method available for processing electronic checks. If you’re going to process eChecks, you must be NACHA compliant.
While PCI DSS regulations cover credit card transactions, additional compliance is required for eCheck transactions. The additional rules are laid out by the National Automated Clearing House Association (NACHA). “These rules apply to any business that processes ACH transactions using a system that creates ‘entries’ into the ACH network,” PaySimple explains, “either by converting a paper check document into an ACH transaction or by entering a customer’s bank account information to process a direct payment or direct deposit transaction.”
NACHA rules don’t apply to businesses that process paper checks that remain paper checks, or to businesses that deposit paper checks as images.
Compliance with these regulations is mandatory; visit the PaySimple link above for a full explanation of NACHA requirements.
What businesses are responsible for under NACHA
NACHA requires strict security protocols for all businesses using the ACH network to process payments. Businesses are required to protect financial and personal information at all times. For instance, when a customer provides their bank account information, it must be encrypted and can’t be sent through regular email. This means you can’t just set up a basic web form that sends data to an email address.
Tips for getting NACHA compliant
To get compliant with NACHA regulations, the following is advised:
- Encrypt all emails by default. To be safe, enforce default encryption for every employee, including remote employees and independent contractors. Email should be encrypted for anyone who works for your company and handles financial data.
- Restrict BYOD situations. Bring Your Own Device policies can work for some businesses, but they present several security issues. Employees will naturally want to use the device they feel most comfortable with while at work, but the risk is too great. For employees who don’t have access to customer financial data, a BYOD policy might be acceptable with a strong (and enforceable) security policy in place. However, it’s a bad idea when your employees do have access to customer financial data.
For example, if an employee accesses the company’s network or database from an unsecured, public Wi-Fi connection, they’re putting that data at risk. Also, if their personal device is stolen, the thief will have access to company information.
- Include security reminders in all customer service emails. Most people are cautious about giving out credit card or bank account information online. However, customers sometimes aren’t thinking clearly and hand it out insecurely. For example, some customers don’t see a problem with sending financial information to a customer service representative over email because they figure the company already has their credit card number.
A customer might send financial data in an email if they want to make an additional purchase and think they can bypass the official order form. There are two main problems with this: the customer service rep might not be cleared to handle financial data, and if the email is unencrypted, it will pass insecurely through many servers on the way to its destination.
Encrypting all of your emails will mitigate this issue, but you should also place security reminders in the footer of all customer service emails. For instance, a simple reminder that says: “Please do not transmit personal account or financial data through email.”
Don’t try to save money if it makes you non-compliant
Fees are an unavoidable part of doing business. Make sure you’re using a reliable and trustworthy payment processor for all of your transactions, including eChecks. Never allow financial data to be sent or received in a plain email or through a web form.
By working around the rules to save money now, you’ll pay more later if you’re caught in a state of non-compliance.