20-A-008 NACHA Requirement for Data Security Enforcement Delay (February 25, 2020)

Summary: Delay of enforcement for NACHA data security requirement 

This revises Informational Circular No. 20-A-007 issued on January 16, 2020.

Background:

The National Automated Clearing House Association (NACHA) has increased the level of security measures required for large-volume processors when storing account information. The new requirement states that account information used for ACH purposes must be rendered unreadable when it is stored electronically.  This includes ACH account information stored at rest in any system or in any electronic format.  ACH account information in transit is not affected by this requirement.  Forms collected electronically (including those which are scanned and stored) are subject to the requirement.

Revised deadline:

As published in the National Association of State Auditors, Controllers and Treasurers’ (NASACT) newsletter dated January 21, 2020, NACHA will be taking the position of “no enforcement” of the new data security rule through June 30, 2021 for governmental entities that are working in good faith toward implementation and compliance.  Agencies subject to the NACHA requirement should develop and document a plan of action by June 30, 2020 that will ensure compliance with the new security requirements is achieved on or before June 30, 2021.

Security of ACH account information and attachments stored in SMART and SHARP will be addressed by the Department of Administration.  Each state agency retaining ACH account information and attachments in any agency system or database must adhere to the new requirement for data security by June 30, 2021.

Additional Resources
NACHA web site, Supplementing Data Security Requirements:
https://www.nacha.org/rules/supplementing-data-security-requirements

PCI DSS Requirement 9
https://www.solarwindsmsp.com/content/pci-dss-requirement-9

Printable version 20-A-008