Kansas Department of Administration

20-P-025 New NACHA Requirement for Data Security (January 16, 2020)

Informational Circular No. 20-P-024

Effective Date: June 30, 2020

Contact Name: Nancy Ruoff, Sunni Zentner
Ph: (785) 296-2853, (785) 296-7058
Email: nancy.ruoff@ks.gov, sunni.zentner@ks.gov

Approval: Nancy Ruoff/Sunni Zentner
(Original Signatures on File)

Summary: NACHA data security requirement

In order to enhance quality and improve risk management, the National Automated Clearing House Association (NACHA) has increased the level of security measures required for large-volume processors when storing account information.  NACHA has established 2 separate phases of implementation for the new requirement based on transaction volume.  The State of Kansas must be compliant with the Phase 1 date of June 30, 2020.

The new requirement states that account information used for ACH purposes must be rendered unreadable when it is stored electronically.  This includes ACH account information stored at rest in any system or in any electronic format.  ACH account information in transit is not affected by this requirement.  Forms collected electronically (including those which are scanned and stored) are subject to the requirement.

Examples of data subject to the new NACHA security requirement:

  • ACH information for any current or former employee
  • ACH information for any supplier
  • INF02, Inbound Voucher Interface File, retained by the agency for historical purposes
  • INF67/BL67, Inbound ACH Bank File, retained by the agency for historical purposes
  • DA-130, Authorization for Electronic Deposit of Supplier Payment
  • DA-184, Authorization for Direct Deposit of Employee Pay and/or Travel and Expense
  • Regent Pay Detail Files, retained by the agency for historical purposes
  • Correspondence in e-mail or help desk that includes ACH information

Examples of data not subject to the new NACHA security requirement:

  • INF02, Inbound Voucher Interface File, in transit
  • INF67/BL67, Inbound ACH Bank File, in transit
  • Regent Pay Detail Files, in transit

Security of ACH account information and attachments stored in SMART and SHARP will be addressed by the Department of Administration.  Each state agency retaining ACH account information and attachments in any agency system or database must adhere to the new requirement for data security on June 30, 2020.

Additional Resources

NACHA web site, Supplementing Data Security Requirements:
https://www.nacha.org/rules/supplementing-data-security-requirements

PCI DSS Requirement 9:
https://www.solarwindsmsp.com/content/pci-dss-requirement-9

Attachment

Letter from Jake LaTurner dated November 26, 2019



© 2024 Kansas Department of Administration. All rights reserved.