February 22, 2022
Are You Protecting Your Customers’ ACH Banking Data? Here’s Why You Should
If you process transactions using PCI data and ACH banking data, you might have noticed that the regulations around PCI data management are stringent but equivalent regulations for ACH data are nearly non-existent. In this post, we’ll explain why you should still take extensive measures to protect ACH data.
For the last 16 years, companies that collect or process payment card data have followed the PCI DSS standards. These rules were put in place to protect consumers from fraudulent charges in case of a payment card data breach. As such, the regulations were primarily focused on the details of the payment card itself. Because credit and debit cards were the most common way people paid for products and services both online and in person, this standard worked to protect both consumers and companies. For a while, at least.
With the proliferation of new fintech solutions that bypass payment card data in favor of automated clearinghouse (ACH) data – bank account and routing numbers – there’s a blind spot in payment regulations and security standards. Peer-to-peer (P2P) money transfer products, like Venmo and Cash App, as well as enterprise-grade money movement solutions, like Moov and Plaid, are well-liked because of their convenience. But they use ACH data extensively, putting user data – and users – at risk.
Critical Data, Not Yet Well-regulated
ACH data does not currently have a regulatory standard that’s enforced like the PCI DSS. The National Automated Clearing House Association (NACHA) exists to provide best practices around how to manage ACH data, but those best practices are optional, not mandatory.
I’d argue that ACH data is more sensitive than PCI data, and deserves equivalent regulation. Unlike PCI data, where three pieces of data are needed to authorize a transaction (card number, expiration date, and CVV), ACH data relies only on a routing number and an account number. Because a bank’s routing number is public information, your customer’s account number is the only piece of data that a hacker needs to make fraudulent transactions!
Aside from the data needed to make a fraudulent transaction, PCI and ACH data have different levels of protection in place for consumers. If you or your card issuer detect fraudulent activity on your payment card, there are many protections and services that can be invoked to dispute the charges, lock the card down, and get any fraudulent charges reimbursed. There’s also widespread consumer awareness of these services — many people are accustomed to setting up spending limits, signing up for text alerts, and using other tools. However, these services barely exist for bank transfers and are not as widely utilized, making it much more difficult for both banks and account owners to detect and dispute fraudulent bank transfers.
ACH Transactions: Running Ahead of Regulations
So if ACH data is such a huge risk, why isn’t it being regulated in the same way that cardholder information is? The simple answer is that fintech services have developed much faster than regulations. In the space of a few years, instantaneous P2P transfers have become commonplace, while automatically paying bills from your bank account is as easy as paying with a card or third-party service like PayPal. However, convenience can be costly, and as more and more customers and companies adopt these ACH-based services, they face not only the risk of a data breach, but a breach that’s hard to detect and mitigate.
This security blind spot will eventually be addressed by regulation, but until that happens, here’s what you can do to protect your customers’ ACH data:
- Tokenization: Tokenizing ACH data lets you continue storing and processing it without undue risk. You can also encrypt it at rest and in transit to help reduce the chance of a leak, but tokenizing and storing ACH data in a vault like Skyflow’s Fintech Data Privacy Vault lets you get the most out of ACH data without the risk of a data breach. The Fintech Vault also lets you initiate money movement transfers using tokens, further reducing your need to ever directly handle ACH data.
- Data Governance: Using strong data governance to manage who has access to ACH data, and for what, severely limits the possibility of an internal or external system exposing this data. Skyflow uses the zero trust model to ensure that only the bare minimum of data needed by a team member, internal tool, or external service is provided.
- Observability and Audits: While banks may not have automated alerts to detect suspicious transfer activity or other problems linked to ACH data, you can set up internal audits and activity logging to have total oversight of everything that your customers' ACH data is being used for. If you store this data in a Skyflow vault, this kind of auditing and logging is a built-in feature, giving you valuable insights as soon as it is set up.
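As an added illustration of the three measures above (this is example code written for this post, not Skyflow’s SDK or API), here is a constructed, in-memory Python vault that issues random tokens in place of routing and account numbers, enforces a least-privilege access policy by role, and writes an audit entry for every tokenize or read. The role names, the policy, and the sample routing and account numbers are assumptions for the example; the routing number check is the public ABA check-digit rule, so it validates format only, not whether the bank exists.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def routing_number_is_valid(routing: str) -> bool:
    """ABA check-digit rule: weights 3,7,1 repeated over nine digits, weighted sum mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


class AchVault:
    """Constructed in-memory vault: tokenizes, governs access to, and audits ACH records."""

    # Least-privilege policy (assumed roles): which representation each role may request.
    POLICY = {
        "payments-processor": {"detokenize", "masked"},  # initiates transfers, needs the real numbers
        "support": {"masked"},                           # confirms last four digits with a customer
        "analytics": set(),                              # works with tokens only, never the account number
    }

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # HMAC key for the blind index; a production vault keeps this in a KMS
        self._records = {}           # token -> record; a production vault encrypts this store at rest
        self._index = {}             # blind index -> token, so duplicates are found without plaintext
        self.audit_log = []

    def _blind_index(self, routing: str, account: str) -> str:
        # Keyed hash of the bank details: lets the app deduplicate accounts without storing them in the clear.
        msg = f"{routing}:{account}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def _audit(self, actor: str, role: str, op: str, token: str, allowed: bool) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "op": op, "token": token, "allowed": allowed,
        })

    def tokenize(self, actor: str, role: str, routing: str, account: str) -> str:
        if not routing_number_is_valid(routing):
            raise ValueError("routing number fails ABA check digit")
        if not (4 <= len(account) <= 17 and account.isdigit()):
            raise ValueError("account number must be 4-17 digits")
        idx = self._blind_index(routing, account)
        if idx in self._index:
            token = self._index[idx]  # same account already vaulted: reuse its token
        else:
            token = "ach_" + secrets.token_hex(16)  # random, carries no information about the account
            self._records[token] = {"routing": routing, "account": account}
            self._index[idx] = token
        self._audit(actor, role, "tokenize", token, True)
        return token

    def _authorize(self, actor: str, role: str, op: str, token: str) -> None:
        # Every read attempt is logged, whether or not it is allowed.
        allowed = op in self.POLICY.get(role, set()) and token in self._records
        self._audit(actor, role, op, token, allowed)
        if not allowed:
            raise PermissionError(f"role {role!r} may not {op} {token}")

    def detokenize(self, actor: str, role: str, token: str) -> dict:
        self._authorize(actor, role, "detokenize", token)
        return dict(self._records[token])

    def masked(self, actor: str, role: str, token: str) -> dict:
        self._authorize(actor, role, "masked", token)
        rec = self._records[token]
        hidden = "*" * (len(rec["account"]) - 4) + rec["account"][-4:]
        return {"routing": rec["routing"], "account": hidden}


def demo() -> dict:
    """Walks through onboarding, a transfer, a support lookup, and a denied analytics read."""
    vault = AchVault(index_key=secrets.token_bytes(32))
    # Constructed test values: the routing number passes the checksum but is not a real bank's.
    token = vault.tokenize("onboarding-svc", "writer", "123456780", "000987654321")
    duplicate = vault.tokenize("onboarding-svc", "writer", "123456780", "000987654321")
    full = vault.detokenize("ach-batch-job", "payments-processor", token)
    partial = vault.masked("agent-42", "support", token)
    try:
        vault.detokenize("bi-dashboard", "analytics", token)
        denied = False
    except PermissionError:
        denied = True
    return {"token": token, "dedup": duplicate == token, "full": full,
            "masked": partial, "denied": denied, "audit": vault.audit_log}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The points worth noticing: the token is random rather than derived from the account number, so leaking the token table reveals nothing; duplicate accounts are detected through a keyed hash rather than by comparing plaintext; the analytics role can pass tokens around freely but every attempt to detokenize is both refused and recorded, which is the kind of internal oversight the bullet on observability describes.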
Rather than waiting for ACH data regulation to catch up with PCI data regulation, you can be proactive by protecting ACH data the same way you would protect PCI data. By protecting ACH data and the infrastructure it lives on, you avoid unnecessary risk and keep your customers safe.
Skyflow: Your Vault for ACH Data
Skyflow’s Fintech Vault is designed to provide these protections out of the box, empowering you to protect all PCI and ACH data and giving you granular governance controls along with in-depth data auditing and logging. To learn more about how Skyflow can help you protect all of your valuable data, contact us.