The Green Sheet Online Edition
August 09, 2010 • Issue 10:08:01
Layered protection for ACH
While the Payment Card Industry Data Security Standard has grown increasingly visible and well-known in recent years, some say the security of electronic funds transfer (EFT) payments has received comparatively little notice.
To be sure, automated clearing house (ACH)-based EFT transactions are on the rise, and rising with them are instances of security breaches. According to the FBI, fraud related to EFT - meaning the transfer of money from one bank account to another, without the use of a paper check or payment card - rose over $120 million in 2009.
"Part of the challenge of protecting ACH transactions is there has been so much focus on PCI, that companies go, 'Oh, I didn't realize I had sensitive data in my ACH files,'" said Chris Mark, Executive Vice President, Data Security and Compliance for the processor and ISO ProPay Inc.
For merchants that conduct ACH transactions, ProPay recently expanded its ProtectPay data security suite to include ACH transactions, an offering it calls ProtectPay ACH.
PANs in a blanket
According to Mark, ProtectPay ACH operates essentially the same way that the existing ProtectPay services operate for payment card transactions, wrapping ACH transactions in a layered security blanket that combines multifactor authentication with tokenization and encryption.
Merchants using ProtectPay ACH can send ACH transactions to ProPay for processing through either the company's application programming interface (API) or its secure web portal. Clients access either conduit by entering a username and password along with some other identifier, usually either an X.509 certificate (for large companies) or a "challenge question" about some bit of information that, in theory, only the merchant knows.
"Historically, merchants would send account and routing numbers, which is a big risk," Mark said. "Now they don't have to send it to us to be tokenized. We can go in and do a mass import and mass tokenization if they have this database. We tokenize and replace the data in a matter of minutes or hours, and now all they have is a token for when they want to initiate the next ACH transaction."
Clients who log in to ProPay's API or web portal using those credentials may then send a batch of ACH transactions, which are protected by Secure Sockets Layer (SSL) encryption as they travel from the originating business to ProPay's storage vault.
"We make sure data sent from the merchant is encrypted using encryption technology where only we possess the decryption key, so even if someone intercepted it they couldn't decrypt the data," Mark said.
Protection with tokens
Merchants who use ACH to conduct recurring billing transactions are provided with tokens, allowing them to conduct chargebacks or call up disputed transactions while rendering all data in their environment useless to potential hackers. Meanwhile, the full card numbers are stored in ProPay's data vault.
"People use the terms 'tokenization' and 'encryption' suggesting they're mutually exclusive, but in reality they're complementary," Mark said.
Mark added that ProtectPay ACH has a wallet component that provides the flexibility to tokenize either individual card numbers or customer accounts that contain multiple card numbers.