Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:
- The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
- Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
- Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type
The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.
These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.
Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.
Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.
Automated Clearing House
Definition: An ACH payment (credit or debit) may include direct deposit payroll, Social Security payments, tax refunds, person-to-person (P2P) payments and the direct payment of business-to-business and consumer bills. Within the ACH system, the originator is the entity that originates transactions, and the receiver is the entity that receives the credit or debit payment (i.e. the payment is credited to or debited from their transaction account). The transactions pass through sending and receiving financial institutions that are authorized to use the ACH system.
Enrollment
Payer ID / Enrollment
Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role.
Payment Type Operation
Credit
Originating depository financial institution (ODFI) onboards originator utilizing Know Your Customer (KYC), underwriting, and assigning exposure limits.
Originator required to execute origination agreement with the ODFI.
Debit
Receiving depository financial institution (RDFI) onboards receiver (payer) utilizing Know Your Customer (KYC), credit underwriting, and assigning exposure limits.
Overview of Security Methods and Associated Risks
Security Methods
ODFI verifies the individual during enrollment before opening an account.
Know Your Customer (KYC), Customer Identification Program (CIP) background checks, etc.; ID verification of a ‘carbon-based lifeform’.
ODFI employee training
Comply with the requirements of regulator(s) in developing a risk-based compliance program.
Risks
Financial institution legacy accounts may lack Know Your Customer (KYC) verification.
Social Engineering, which could include business email compromise, masquerading fraud, imposter fraud, etc.
Synthetic Identity: Use of stolen identity information combined with fraudulent information to create a new ‘synthetic’ identity which is used to open fraudulent accounts and make fraudulent purchases. Strong enrollment processes may help mitigate synthetic identity risk throughout the transaction process.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Sensitive Data used to enroll or open an account:
Name
Date of Birth
Address
Social Security Number
Demand Deposit Account Number (DDA)
Savings Account Number (SAV)
Loan Account Number
Risks Associated with the Sensitive Payment Data
If compromised, this data can be used to fraudulently set up an account at a financial institution and be used for other identity theft crimes.
Payee ID / Enrollment
Enrollment of a payee includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role.
Payment Type Operation
Credit
Receiving depository financial institution (RDFI) validates receiver’s identity as part of onboarding the receiver’s account.
Debit
ODFI validates originator (payee) identity as part of onboarding the originator’s account.
Overview of Security Methods and Associated Risks
Security Methods
Per the National ACH Association (NACHA) Operating Rules, establish commercially reasonable methods of authentication to verify the receiver.
Risks
Fraudulent use of account.
Synthetic Identity: Use of stolen identity information combined with fraudulent information to create a new ‘synthetic’ identity which is used to open fraudulent accounts and make fraudulent purchases. Strong enrollment processes may help mitigate synthetic identity risk throughout the transaction process.
Transaction*
Payer Authentication
Verification of payer when originating payments
Payment Type Operation
Credit
ODFI authenticates customer (originator) utilizing a variety of methods within regulatory guidelines.
Debit
RDFI authenticates customer (receiver) utilizing a variety of methods within regulatory guidelines.
Overview of Security Methods and Associated Risks
Security Methods
ODFI authenticating the originator – Federal Financial Institutions Examination Council (FFIEC) Guidance “Authentication in an Internet Banking Environment” applies. Authentication techniques include: shared secrets, tokens, Smart Card, password-generating tokens, biometrics, out-of-band authentication, and one-time passwords.
NACHA Operating Rules Section 1.6 (Security Requirements) applies; for internet-initiated debits (WEB), Subsection 2.5.17.4 (Additional ODFI Warranties for Debit WEB Entries) also applies, including use of a fraudulent transaction detection system and commercially reasonable methods to authenticate the identity of the receiver.
NACHA Operating Rules Section 1.7 (Secure Transmission of ACH Information via Unsecured Electronic Network) applies.
Participants in the payment transaction may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Employee training
Consumer and corporate customer education
Device log-on (if used)
Encryption
Debit Block and ACH Positive Pay for Corporate Customers
ODFIs have Know Your Customer (KYC) responsibilities for third-party payments they originate.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
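As an added illustration (not part of the task force profile) of the Debit Block and ACH Positive Pay control and the anomaly-detection tools listed above, the following Python models an RDFI-side filter for one corporate receiver account: each incoming debit is matched against the customer's authorized Company IDs, an amount ceiling, a 30-day frequency limit, and an amount z-score against that originator's history, and anything that fails is returned or held as an exception for the customer's pay/return decision. All entries, Company IDs, limits and class names are constructed for the example; R29 is the NACHA return reason code for a corporate customer advising that a debit is not authorized.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class DebitEntry:
    """One incoming ACH debit presented to the RDFI (constructed fields only)."""
    trace: str          # ODFI-assigned trace number
    company_id: str     # originator Company ID (often the originator's Tax ID)
    company_name: str
    amount_cents: int
    settlement: date


@dataclass(frozen=True)
class AuthorizedOriginator:
    """A Company ID the corporate customer has pre-approved to debit its account."""
    company_id: str
    max_amount_cents: int
    max_per_30_days: int


@dataclass(frozen=True)
class Decision:
    trace: str
    action: str    # "post", "exception" (held for the customer's decision) or "return"
    reason: str


R29 = "R29"          # NACHA return reason: Corporate Customer Advises Not Authorized
Z_THRESHOLD = 3.0    # amount z-score above which a debit is held as an exception


def amount_zscore(amount: int, prior_amounts: list[int]) -> float:
    """Z-score of amount against the originator's prior debits; 0.0 when history is thin."""
    if len(prior_amounts) < 3:
        return 0.0
    sd = pstdev(prior_amounts)
    if sd == 0:
        return 0.0 if amount == prior_amounts[0] else float("inf")
    return (amount - mean(prior_amounts)) / sd


class PositivePayFilter:
    """Hypothetical RDFI-side debit block / positive pay rules for one corporate account."""

    def __init__(self, debit_block: bool, authorized: list[AuthorizedOriginator],
                 history: list[DebitEntry]):
        self.debit_block = debit_block
        self.rules = {a.company_id: a for a in authorized}
        self.history = list(history)    # debits already posted to this account

    def evaluate(self, entry: DebitEntry) -> Decision:
        # Debit block: the customer accepts no ACH debits at all.
        if self.debit_block:
            return Decision(entry.trace, "return", f"{R29}: debit block active on account")
        rule = self.rules.get(entry.company_id)
        # Positive pay: a Company ID not on the authorized list is returned unpaid.
        if rule is None:
            return Decision(entry.trace, "return",
                            f"{R29}: originator {entry.company_id} not on authorized list")
        # Per-originator amount ceiling agreed with the customer.
        if entry.amount_cents > rule.max_amount_cents:
            return Decision(entry.trace, "exception",
                            f"amount {entry.amount_cents} exceeds limit {rule.max_amount_cents}")
        prior = [h for h in self.history if h.company_id == entry.company_id]
        # Frequency: debits from this originator in the trailing 30-day window.
        window_start = entry.settlement - timedelta(days=30)
        recent = [h for h in prior if window_start < h.settlement <= entry.settlement]
        if len(recent) >= rule.max_per_30_days:
            return Decision(entry.trace, "exception",
                            f"{len(recent)} debits already in 30-day window")
        # Anomaly score: an amount far outside this originator's pattern is held for review.
        z = amount_zscore(entry.amount_cents, [h.amount_cents for h in prior])
        if z > Z_THRESHOLD:
            return Decision(entry.trace, "exception", f"amount z-score {z:.1f} is anomalous")
        self.history.append(entry)
        return Decision(entry.trace, "post", "authorized originator within limits")


def run_sample() -> list[Decision]:
    """Constructed sample: one authorized payroll originator and six incoming debits."""
    acme = AuthorizedOriginator("1234567890", max_amount_cents=500_000, max_per_30_days=2)
    history = [
        DebitEntry("T001", "1234567890", "ACME PAYROLL", 100_000, date(2024, 1, 5)),
        DebitEntry("T002", "1234567890", "ACME PAYROLL", 120_000, date(2024, 2, 5)),
        DebitEntry("T003", "1234567890", "ACME PAYROLL", 140_000, date(2024, 3, 5)),
    ]
    pp = PositivePayFilter(debit_block=False, authorized=[acme], history=history)
    incoming = [
        DebitEntry("T101", "1234567890", "ACME PAYROLL", 125_000, date(2024, 4, 5)),   # normal
        DebitEntry("T102", "9999999999", "UNKNOWN VENDOR", 25_000, date(2024, 4, 5)),  # unlisted
        DebitEntry("T103", "1234567890", "ACME PAYROLL", 600_000, date(2024, 4, 6)),   # over limit
        DebitEntry("T104", "1234567890", "ACME PAYROLL", 120_000, date(2024, 4, 10)),  # normal
        DebitEntry("T105", "1234567890", "ACME PAYROLL", 120_000, date(2024, 4, 12)),  # 3rd in 30 days
        DebitEntry("T106", "1234567890", "ACME PAYROLL", 400_000, date(2024, 5, 20)),  # anomalous amount
    ]
    return [pp.evaluate(e) for e in incoming]
```

Calling run_sample() posts T101 and T104, returns T102 with R29, and holds T103, T105 and T106 as exceptions for the limit, frequency and anomaly rules respectively.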
Risks
Account takeover
Social Engineering, which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (payee, financial institutions, network/operator, payer)
Destination account compromise (e.g. payment redirect due to third-party compromise)
Billers typically work through their financial institutions for origination; independent origination is suspect in an era of account takeover.
Unauthorized authentication; no end-to-end encryption to protect the access keys in all the pieces of the ACH network.
Third-party sender risks when the ODFI does not have a direct business relationship with clients of a third-party sender.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Account Holder Data (must be protected wherever it is processed, stored or transmitted):
Company ID (often the originator’s Tax ID)
Company Name (originator)
Beneficiary Account Number
Beneficiary RFI ABA (routing number)
Beneficiary Name
Specific to ACH File:
Consider anything that could be used to pass an authentication method
XML Extended Data
Initiator
Total Dollar Amount
Sensitive Addenda Data (must be stored):
Data that may accompany or describe a financial transaction that is not required to process the transaction (e.g. airline or train ticket numbers, hotel confirmations, invoice numbers, insurance policy numbers)
Account numbers
Invoice numbers
Address information
Government tax information
Risks Associated with the Sensitive Payment Data
Compromised ACH data can be used by a criminal to create a fraudulent credit/debit ACH file. This requires the perpetrator to have been onboarded as an ACH origination customer.
Criminals can print fraudulent or counterfeit checks using the ABA and account number obtained through compromised ACH data.
Additional compromised data, including Health Insurance Portability and Accountability Act (HIPAA)-protected health information and account, invoice and address data, could be used for fraudulent account setup and account takeover.
Initiation: Access Mode / Network
Environment in which the payment origination is requested
Payment Type Operation
Credit
Originator provides instructions through various means to the ODFI.
ODFI may utilize ACH operator or transmit directly to the RDFI.
Debit
Originator provides instructions through various means to the ODFI.
ODFI may utilize ACH operator or transmit directly to the RDFI.
Overview of Security Methods and Associated Risks
Inventory of Sensitive Payment Data and Associated Risks
The security methods, risks and sensitive payment data for this step are identical to those listed under Payer Authentication above and are not repeated here.
Initiation: Device / Method Used to Initiate Payment
Type of interaction or device used to enter payment account information
Payment Type Operation
Credit
Originator provides instructions through various means to the ODFI.
ODFI utilizes communications methods as agreed upon with ACH operator or RDFI.
Debit
Originator provides instructions through various means to the ODFI.
ODFI utilizes communication methods as agreed upon with ACH operator or RDFI.
Overview of Security Methods and Associated Risks
Inventory of Sensitive Payment Data and Associated Risks
The security methods, risks and sensitive payment data for this step are identical to those listed under Payer Authentication above and are not repeated here.
Initiation: Funding Account for Payment
Entry and/or identification of the funding account (with format checks)
Payment Type Operation
Credit
Verification of account information can occur between ODFI and RDFI prior to initiation (e.g. traditional ACH where a pre-note is sent prior to the actual transaction) based on underwriting and established exposure limits.
(See Payee ID/Enrollment)
Debit
Verification of account information can occur between ODFI and RDFI prior to initiation (e.g. traditional ACH where a pre-note is sent prior to the actual transaction) based on underwriting and established exposure limits.
(See Payee ID/Enrollment)
Overview of Security Methods and Associated Risks
Inventory of Sensitive Payment Data and Associated Risks
The security methods, risks and sensitive payment data for this step are identical to those listed under Payer Authentication above and are not repeated here.
Initiation: Payment Initiation Mechanism
Payment network, system and/or third-party accessed
Payment Type Operation
Credit
ACH network via ACH operators (Federal Reserve or Electronic Payments Network (EPN))
Debit
ACH network via ACH operators (Federal Reserve or Electronic Payments Network (EPN))
Overview of Security Methods and Associated Risks
Inventory of Sensitive Payment Data and Associated Risks
The security methods, risks and sensitive payment data for this step are identical to those listed under Payer Authentication above and are not repeated here.
Payer Authorization: Payment Network Traversed
“Rails” used to route authorization requests to the holder of the funding account
Payment Type Operation
Credit
N/A
Debit
N/A
Overview of Security Methods and Associated Risks
Inventory of Sensitive Payment Data and Associated Risks
The security methods, risks and sensitive payment data for this step are identical to those listed under Payer Authentication above and are not repeated here.
Payer Authorization: Transaction Authorization
Determination of whether to approve or decline a transaction, including authorization time-frame, obligations, and any recourse decisions
Payment Type Operation
Credit
Originator must obtain authorization per NACHA operating rules.
Verification of receiver’s account information can occur between ODFI and RDFI prior to initiation.
RDFI can return the entry for a variety of reasons, including account closed or other operational reasons as outlined in the NACHA rules.
Debit
Originator must obtain authorization per NACHA operating rules (i.e. in writing and signed or similarly authenticated).
Authorization occurs between the originator and receiver prior to initiation.
RDFI can return for a variety of reasons to include account closed or other operational reasons as outlined in the NACHA rules.
Overview of Security Methods and Associated Risks
Security Methods
ODFI authenticating the originator: Federal Financial Institutions Examination Council (FFIEC) guidance “Authentication in an Internet Banking Environment” applies. Authentication techniques include shared secrets, tokens, smart cards, password-generating tokens, biometrics, out-of-band authentication and one-time passwords.
NACHA Operating Rules Section 1.6 (Security Requirements) applies; for internet-initiated debits (WEB entries), Subsection 2.5.17.4 (Additional ODFI Warranties for Debit WEB Entries) also applies, including use of a fraudulent transaction detection system and commercially reasonable methods to authenticate the identity of the receiver.
NACHA Operating Rules Section 1.7 (Secure Transmission of ACH Information via Unsecured Electronic Network) applies.
Participants in the payment transaction may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Employee training
Consumer and corporate customer education
Device log-on (if used)
Encryption
Debit Block and ACH Positive Pay for Corporate Customers
ODFIs have Know Your Customer (KYC) responsibilities for third-party payments they originate.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
Account takeover
Social Engineering, which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (payee, financial institutions, network/operator, payer)
Destination account compromise (e.g. payment redirect due to third-party compromise)
Billers typically originate through their financial institutions; independent origination is suspect in the account takeover era.
Unauthorized authentication; there is no end-to-end encryption protecting access keys across all components of the ACH network.
Third-party sender risks when the ODFI does not have a direct business relationship with clients of a third-party sender.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Account Holder Data (must be protected wherever it is processed, stored or transmitted):
Company ID (often the originator's Tax ID)
Company Name (originator)
Beneficiary Account Number
Beneficiary RDFI (receiving financial institution) ABA routing number
Beneficiary Name
Specific to ACH File:
Consider anything that could be used to pass an authentication method
XML Extended Data
Initiator
Total Dollar Amount
Sensitive Addenda Data (must be protected wherever stored):
Data that may accompany or describe a financial transaction that is not required to process the transaction (e.g. airline or train ticket numbers, hotel confirmations, invoice numbers, insurance policy numbers)
Account numbers
Invoice numbers
Address information
Government tax information
Risks Associated with the Sensitive Payment Data
Compromised ACH data can be used by a criminal to create a fraudulent credit or debit ACH file. Doing so requires access to an ACH origination relationship: the criminal must be onboarded as an ACH origination customer or take over an existing one.
Criminals can print fraudulent or counterfeit checks using the ABA and account number obtained through compromised ACH data.
Additional compromised data, including protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA) and account, invoice and address data, could be used for fraudulent account setup and account takeover.
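The debit block and ACH positive pay control listed among the security methods above, together with the file-level fields the inventory marks as sensitive, as an added worked example. This is illustration code written for this page, not task force or NACHA code. It reads the three NACHA record types that carry the listed data (batch header, entry detail, addenda), verifies the receiving institution's routing number with the ABA check-digit rule, screens each debit against a constructed per-account positive-pay profile, and emits a log line with the company Tax ID and account number masked. The sample file, every identifier and name in it, the `POSITIVE_PAY` profile and all function names are constructed for the example; file header and control records (types 1, 8 and 9) and their totals are deliberately not handled.

```python
"""NACHA (ACH) file reader with sensitive-field redaction and a debit block / positive-pay
screen. Illustration written for this page, not task force or NACHA code. Every record is
constructed: routing numbers are synthetic but pass the ABA check digit; the rest is made up."""
from dataclasses import dataclass, field


def _rec(*fields):
    """One 94-char NACHA record from (value, width, align): 'L' alphanumeric, space-padded
    left-justified; 'R' numeric, zero-padded right-justified."""
    out = "".join(str(v).ljust(w) if a == "L" else str(v).rjust(w, "0") for v, w, a in fields)
    assert len(out) == 94, len(out)
    return out


def _entry(tx, account, cents, ind_id, name, addenda_flag, seq):
    """Type 6 entry detail; RDFI identifier 01100001 with check digit 5, ODFI 02100004 in the trace."""
    return _rec(("6", 1, "L"), (tx, 2, "L"), ("01100001", 8, "L"), ("5", 1, "L"), (account, 17, "L"),
                (cents, 10, "R"), (ind_id, 15, "L"), (name, 22, "L"), ("", 2, "L"),
                (addenda_flag, 1, "L"), ("02100004" + str(seq).rjust(7, "0"), 15, "L"))


# File header (1) and control records (8/9) are omitted; a real parser must validate their totals.
SAMPLE_ACH = "\n".join([
    # type 5 batch header: service class 200 (mixed), company name, company ID (tax ID), SEC code CCD
    _rec(("5", 1, "L"), ("200", 3, "L"), ("ACME UTILITIES", 16, "L"), ("", 20, "L"),
         ("1123456789", 10, "L"), ("CCD", 3, "L"), ("UTIL BILL", 10, "L"), ("", 6, "L"),
         ("240301", 6, "L"), ("", 3, "L"), ("1", 1, "L"), ("02100004", 8, "L"), (1, 7, "R")),
    _entry("27", "000123456789", 12500, "INV-0042", "WIDGET CORP PAYABLES", "1", 1),  # debit $125, addenda follows
    # type 7 addenda: payment-related information carrying an invoice number (sensitive addenda data)
    _rec(("7", 1, "L"), ("05", 2, "L"), ("RMR*IV*0042**12500", 80, "L"), (1, 4, "R"), (1, 7, "R")),
    _entry("27", "000123456789", 35000, "INV-0043", "WIDGET CORP PAYABLES", "0", 2),  # debit $350, over ceiling
    _entry("27", "000987654321", 5000, "INV-0044", "ROADRUNNER LLC", "0", 3),          # debit to a blocked account
    _entry("22", "000555555555", 99000, "PO-778", "SUPPLIER INC", "0", 4),             # credit: not screened
])


@dataclass
class Entry:
    company_name: str
    company_id: str      # originator identification, often a tax ID: sensitive
    sec_code: str
    tx_code: str
    rdfi_routing: str    # 8-digit RDFI identifier plus check digit
    account: str         # receiver's account number: sensitive
    amount_cents: int
    name: str            # receiver name: sensitive
    trace: str
    addenda: list = field(default_factory=list)  # payment-related information: sensitive

    @property
    def is_debit(self):  # transaction codes x7/x8/x9 are debits, x2/x3/x4 credits
        return self.tx_code[1] in "789"


def parse_ach(text):
    """Walk type 5/6/7 records by fixed column positions; other record types are skipped."""
    entries, batch = [], None
    for line in text.splitlines():
        if len(line) != 94:
            raise ValueError("NACHA records are exactly 94 characters")
        if line[0] == "5":
            batch = dict(company_name=line[4:20].strip(), company_id=line[40:50].strip(), sec_code=line[50:53])
        elif line[0] == "6":
            if batch is None:
                raise ValueError("entry detail outside a batch")
            entries.append(Entry(**batch, tx_code=line[1:3], rdfi_routing=line[3:12], account=line[12:29].strip(),
                                 amount_cents=int(line[29:39]), name=line[54:76].strip(), trace=line[79:94]))
        elif line[0] == "7":
            entries[-1].addenda.append(line[3:83].rstrip())  # belongs to the preceding entry detail
    return entries


def aba_check_digit_ok(routing):
    """ABA routing number check: weights 3,7,1 repeated over nine digits, sum divisible by 10."""
    return len(routing) == 9 and routing.isdigit() and \
        sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0


def redacted_log_line(e):
    """What may leave the payment system (SIEM, tickets): tax ID and account masked to last four, no name."""
    mask = lambda s: "*" * max(len(s) - 4, 0) + s[-4:]
    return (f"trace={e.trace} sec={e.sec_code} tx={e.tx_code} co={mask(e.company_id)} "
            f"rdfi={e.rdfi_routing} acct={mask(e.account)} amt={e.amount_cents} addenda={len(e.addenda)}")


# Constructed corporate customer profile: per account, (originator company ID, per-entry ceiling in
# cents) pairs allowed to debit it. An empty list is a full debit block.
POSITIVE_PAY = {"000123456789": [("1123456789", 20000)], "000987654321": []}


def screen_debits(entries, profile=POSITIVE_PAY):
    """(trace, decision, reason) per entry: credits pass; debits to a profiled account must match an
    allowed originator under its ceiling; debits to an unprofiled account go to the customer for review."""
    out = []
    for e in entries:
        if not aba_check_digit_ok(e.rdfi_routing):
            out.append((e.trace, "reject", "bad RDFI routing check digit"))
        elif not e.is_debit:
            out.append((e.trace, "allow", "credit entry"))
        elif e.account not in profile:
            out.append((e.trace, "review", "no positive-pay profile for account"))
        elif any(cid == e.company_id and e.amount_cents <= cap for cid, cap in profile[e.account]):
            out.append((e.trace, "allow", "matches positive-pay rule"))
        else:
            out.append((e.trace, "block", "debit-blocked" if not profile[e.account] else "originator/amount not authorized"))
    return out


if __name__ == "__main__":
    parsed = parse_ach(SAMPLE_ACH)
    for e, (_, decision, reason) in zip(parsed, screen_debits(parsed)):
        print(redacted_log_line(e), decision, reason)
```

Running the module screens the four entries: the first debit is allowed because originator and amount match the profile, the second is blocked for exceeding the ceiling, the third hits a full debit block, and the credit passes through untouched. The masked log line is the only form in which these records should reach a SIEM or ticketing system; the full account number, company Tax ID and receiver name stay inside the payment system.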
Format Exchange
Payment instructions, rules and formatting
Payment Type Operation
Credit
NACHA rules and formats apply
Debit
NACHA rules and formats apply
Overview of Security Methods and Associated Risks
The security methods, risks and inventory of sensitive payment data for this step are identical to those listed under Payer Authorization: Transaction Authorization above.
Receipt: Acknowledgement / Guarantee
Notification and confirmation of payment completion including terms for use
Payment Type Operation
Credit
N/A
Debit
N/A
Overview of Security Methods and Associated Risks
The security methods, risks and inventory of sensitive payment data for this step are identical to those listed under Payer Authorization: Transaction Authorization above.
Payee Authentication
Mode of access to funds (or accounts)
Payment Type Operation
Credit
See Enrollment
Debit
See Enrollment
Overview of Security Methods and Associated Risks
The security methods, risks and inventory of sensitive payment data for this step are identical to those listed under Payer Authorization: Transaction Authorization above.
Clearing and Settlement: Settlement / Exchange of Funds
Actual movement of funds to settle funding arrangements and applicable fees
Payment Type Operation
Credit
ACH clearing effects interbank settlement on Federal Reserve accounts or directly between financial institutions in accordance with established agreements.
Debit
ACH clearing effects interbank settlement on Federal Reserve accounts or directly between financial institutions in accordance with established agreements.
Overview of Security Methods and Associated Risks
The security methods, risks and inventory of sensitive payment data for this step are identical to those listed under Payer Authorization: Transaction Authorization above.
Reconciliation
Reconciliation / Exception Handling
Process and responsibilities associated with reconciliation and handling any exceptions or problems with a payment
Payment Type Operation
Credit
RDFI may return ACH entry for a variety of reasons including account closed, account frozen, or invalid account.
Debit
RDFI may return ACH entry for a variety of reasons including account closed, account frozen, or invalid account. Additionally, for consumer payments, the RDFI has an extended right of return for unauthorized payments.
Overview of Security Methods and Associated Risks
Risks
Auto-debits, where billers control financial institution account access, present additional data to be protected (at rest and in transit).
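The return handling described for this step, as an added worked example of how an ODFI reconciles RDFI returns against what it originated. This is illustration code written for this page, not task force or NACHA code. Returns are matched on the original trace number, compared for amount, and checked for timeliness: a standard two-banking-day window, or the extended window for unauthorized consumer debits that the step refers to, which is modelled here as 60 calendar days from settlement. Both window lengths, the return reason code descriptions and the R68 dishonor are stated from the NACHA Operating Rules as the author understands them and should be verified against the current rulebook; banking-day arithmetic skips weekends only and ignores Federal Reserve holidays. The originated entries, return records and function names are constructed for the example.

```python
"""Reconcile ACH return entries against originated entries and surface exceptions.
Illustration written for this page, not task force or NACHA code; all records are constructed.
Return windows: most returns are due within two banking days after settlement; R05/R07/R10 on a
consumer account carry the extended 60-calendar-day window the profile refers to. Verify both
figures against the current NACHA Operating Rules before relying on them."""
from datetime import date, timedelta

RETURN_REASONS = {
    "R01": "insufficient funds", "R02": "account closed", "R03": "no account / unable to locate",
    "R04": "invalid account number", "R05": "unauthorized consumer debit under corporate SEC code",
    "R07": "authorization revoked by customer", "R10": "customer advises not authorized",
    "R16": "account frozen", "R29": "corporate customer advises not authorized",
}
EXTENDED_RETURN_CODES = {"R05", "R07", "R10"}  # consumer unauthorized: extended right of return
STANDARD_BANKING_DAYS, EXTENDED_CALENDAR_DAYS = 2, 60


def banking_days_after(d, n):
    """Advance n banking days. Weekends are skipped; Federal Reserve holidays are ignored (simplification)."""
    while n:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def return_deadline(originated, code):
    """Last settlement date on which a return with this code is timely for the originated entry."""
    if code in EXTENDED_RETURN_CODES and originated["consumer"]:
        return originated["settled"] + timedelta(days=EXTENDED_CALENDAR_DAYS)
    return banking_days_after(originated["settled"], STANDARD_BANKING_DAYS)


def reconcile(originated, returns):
    """originated: {trace: {"amount": cents, "settled": date, "consumer": bool}} from the ODFI's own
    records; returns: [{"trace", "code", "amount", "settled"}] lifted from the return file, where the
    trace is the original entry's trace number. Matching on trace rather than on name or amount is
    what lets a fabricated or altered return be caught."""
    out = []
    for r in returns:
        o = originated.get(r["trace"])
        if o is None:
            out.append({**r, "status": "orphan", "flags": ["no originated entry with this trace"]})
            continue
        flags = []
        if r["amount"] != o["amount"]:
            flags.append("amount differs from originated entry")
        if r["code"] in EXTENDED_RETURN_CODES and not o["consumer"]:
            flags.append("consumer-only return code on a non-consumer entry")
        if r["settled"] > return_deadline(o, r["code"]):
            flags.append("late return (ODFI may dishonor as R68 untimely return)")
        out.append({**r, "reason": RETURN_REASONS.get(r["code"], "unknown code"),
                    "status": "exception" if flags else "returned", "flags": flags})
    return out


# Constructed data. 2024-03-01 is a Friday, so the two-banking-day window ends Tuesday 2024-03-05.
ORIGINATED = {
    "021000040000001": {"amount": 12500, "settled": date(2024, 3, 1), "consumer": False},
    "021000040000002": {"amount": 8000, "settled": date(2024, 3, 1), "consumer": True},
    "021000040000003": {"amount": 5000, "settled": date(2024, 3, 1), "consumer": True},
}
RETURNS = [
    {"trace": "021000040000001", "code": "R02", "amount": 12500, "settled": date(2024, 3, 5)},  # timely
    {"trace": "021000040000002", "code": "R10", "amount": 8000, "settled": date(2024, 4, 15)},  # extended window
    {"trace": "021000040000003", "code": "R01", "amount": 5000, "settled": date(2024, 3, 8)},   # late
    {"trace": "021000040000009", "code": "R03", "amount": 100, "settled": date(2024, 3, 4)},    # no such entry
]

if __name__ == "__main__":
    for row in reconcile(ORIGINATED, RETURNS):
        print(row["trace"], row["status"], row.get("reason", ""), "; ".join(row["flags"]))
```

Running the module reports the R02 return as timely, the R10 consumer return as timely under the extended window, the R01 return as an exception because it arrived after the two-banking-day window, and the last return as an orphan with no matching originated entry. The orphan and the late return are the cases that matter operationally: the first may be a fabricated return against the originator's settlement account, the second is one the ODFI can dishonor rather than absorb.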
User Protection / Recourse
Applicable rules, regulations, and legal means of recourse
Payment Type Operation
Credit
UCC 4A applies to corporate credit transfers.
Regulation E consumer protections apply to consumer credit.
Debit
Regulation E consumer protections apply to consumer debit.
Last Updated: 02/21/2018
Footnotes
*Note: Payments/Transfers Flow in Both Directions