20-P-025 New NACHA Requirement for Data Security (January 16, 2020)
Posted on October 21, 2021 at 12:51 PM by Kansas Department of Administration
Informational Circular No.
June 30, 2020
Approval: Nancy Ruoff/Sunni Zentner
(Original Signatures on File)
In order to enhance quality and improve risk management, the National Automated Clearing House Association (NACHA) has increased the level of security measures required for large-volume processors when storing account information. NACHA has established 2 separate phases of implementation for the new requirement based on transaction volume. The State of Kansas must be compliant with the Phase 1 date of June 30, 2020.
The new requirement states that account information used for ACH purposes must be rendered unreadable when it is stored electronically. This includes ACH account information stored at rest in any system or in any electronic format. ACH account information in transit is not affected by this requirement. Forms collected electronically (including those which are scanned and stored) are subject to the requirement.
Examples of data subject to the new NACHA security requirement:
- ACH information for any current or former employee
- ACH information for any supplier
- INF02, Inbound Voucher Interface File, retained by the agency for historical purposes
- INF67/BL67, Inbound ACH Bank File, retained by the agency for historical purposes
- DA-130, Authorization for Electronic Deposit of Supplier Payment
- DA-184, Authorization for Direct Deposit of Employee Pay and/or Travel and Expense
- Regent Pay Detail Files, retained by the agency for historical purposes
- Correspondence in e-mail or help desk that includes ACH information
Examples of data not subject to the new NACHA security requirement:
- INF02, Inbound Voucher Interface File, in transit
- INF67/BL67, Inbound ACH Bank File, in transit
- Regent Pay Detail Files, in transit
Security of ACH account information and attachments stored in SMART and SHARP will be addressed by the Department of Administration. Each state agency retaining ACH account information and attachments in any agency system or database must adhere to the new requirement for data security on June 30, 2020.
NACHA web site, Supplementing Data Security Requirements:
PCI DSS Requirement 9
Letter from Jake LaTurner dated November 26, 2019