Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:
- The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
- Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
- Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type
The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.
These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.
Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.
Check Definition: A check payment is a negotiable instrument drawn against deposited funds and used to pay a specific entity a specific amount of funds on demand. A check is routed from the payer to the payee and deposited at the payee’s financial institution. Some or all funds are made available to the payee on deposit and the item is routed to the payer’s financial institution for settlement. The payer’s financial institution shifts funds from the payer’s account upon receipt of the item. Historically, paper checks were physically routed, but today, much of check routing is done electronically.
Enrollment
Payer ID / Enrollment
Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment, and changes) and determination of authority based on role
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Financial Institution onboards account holder utilizing Know Your Customer (KYC) and underwriting
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
Financial Institution onboards account holder utilizing Know Your Customer (KYC) and underwriting
Electronic Funds Transfer (EFT) Conversion
Financial Institution onboards account holder utilizing Know Your Customer (KYC) and underwriting
Overview of Security Methods and Associated Risks
Security Methods
- Issuer verifies the individual during enrollment before issuing an account.
- Know Your Customer (KYC), Customer Identification Program (CIP) background checks, etc.; ID verification of a ‘carbon-based lifeform’
- Employee training
Risks
- Financial institution legacy accounts may lack Know Your Customer (KYC).
- Social Engineering, which could include business email compromise, masquerading fraud, imposter fraud, etc.
- Synthetic Identity: Use of stolen identity information combined with fraudulent information to create a new ‘synthetic’ identity, which is used to open fraudulent accounts and make fraudulent purchases. Strong enrollment processes may help mitigate synthetic identity risk throughout the transaction process.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Sensitive Data used to open an account:
- Name
- Date of Birth
- Address
- Social Security Number
Risks Associated with the Sensitive Payment Data
If compromised, this data can be used to fraudulently set up an account at a financial institution and be used for other identity theft crimes.
Payee ID / Enrollment
Enrollment of a payee includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role
Overview of Security Methods and Associated Risks
Security Methods
- Know Your Customer (KYC) and Customer Identification Program (CIP)
- Employee training
Risks
- Synthetic Identity: Use of stolen identity information combined with fraudulent information to create a new ‘synthetic’ identity, which is used to open fraudulent accounts and make fraudulent purchases. Strong enrollment processes may help mitigate synthetic identity risk throughout the transaction process.
Transaction*
Payer Authentication
Verification of the payer when originating payments
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Payee of check may choose to request personal identification information from the payor.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
Payee of check may choose to request personal identification information from the payor.
Electronic Funds Transfer (EFT) Conversion
Payee may choose to request personal identification information from the payor.
Overview of Security Methods and Associated Risks
Security Methods
- Fraud mitigation services where Data From Enforcement (DFE) can verify the status of the payor’s Demand Deposit Account (DDA)
- Employee training
- Consumer and corporate customer education
- Magnetic Ink Character Recognition (MICR), microprint and other document-related security checks to affirm the integrity of the check
- As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
- Limited opportunity to authenticate the payor at payment initiation
- ABA routing gap
- Remote Deposit Capture (RDC) / multiple deposit risk at financial institutions
- Social Engineering, which could include business email compromise, masquerading fraud, imposter fraud, etc.
- Inadequately-controlled enrollment often poses additional risk at the time of transaction.
- The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Account Holder Data (must be protected wherever it is processed, stored or transmitted):
- Company Name (Originator)
- Payor Address
- Payor Phone Number (if provided)
- Payor Driver’s License Number (if provided)
- Payor Signature
- Payor Financial Institution ABA
- Payor Account Number
- Check Image
Payee Account Data from Endorsement:
- Payee’s Signature from Endorsement
- Payee’s Account Number
- Payee’s Financial Institution ABA
Risks Associated with the Sensitive Payment Data
Compromised check data, such as routing transit and deposit account numbers, may be used by a criminal to create or print fraudulent/counterfeit checks or to make payments over the phone.
Additional data compromised could be used for fraudulent account set-up and account takeover (account data, invoice data, address data, signature).
Initiation: Access Mode / Network
Environment in which the payment origination is requested
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Typically, a check enters the bank to bank check collection system when the payee or a transferee deposits the check into their bank account at the Bank of First Deposit. Alternatively, the payee or transferee may present the item directly to the paying bank.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
The payee or the payee’s financial services provider truncates the paper check and creates an electronic image of the check to go through the clearing process to the payor’s financial institution
Electronic Funds Transfer (EFT) Conversion
Vendor creates ACH transaction and transmits data to vendor’s financial institution.
Initiation: Device / Method Used to Initiate Payment
Type of interaction or device used to enter payment account information
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
The device used to initiate payments is the issuance of a paper check from the drawer to the payee. Payee or transferee may deposit the check to her bank in paper form or as an image. Alternatively, the payee or transferee presents the paper check directly to the paying bank for payment.
The Bank of First Deposit may image the check and clear the check as an image.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
The electronic image of the check is sent to the payor’s financial institution, local clearing house exchange, or a collecting financial institution. Images typically are retained for purposes of record keeping laws and for reconciliation of exceptions.
Electronic Funds Transfer (EFT) Conversion
The check is presented at the point of sale, or mailed to the vendor, for back-office conversion to ACH.
Initiation: Funding Account for Payment
Entry and/or identification of the funding account (with format checks)
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Typically, the Bank of First Deposit settles with its depositor by crediting the depositor’s account. The depositary bank obtains credit for an item by sending it forward for collection. At each step in bank to bank collection, a credit is settled to an account of the transferring or presenting bank, and a debit is settled to the account of the subsequent collecting bank or the paying bank. The paying bank obtains credit for the item by debiting the drawer’s account.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
Account holders can transmit check data directly to their financial institution, so no physical deposit of the check is necessary. Typically, the Bank of First Deposit settles with its depositor by crediting the depositor’s account. The depositary bank obtains credit for an item by sending it forward for collection. At each step in bank to bank collection, a credit is settled to an account of the transferring or presenting bank, and a debit is settled to the account of the subsequent collecting bank or the paying bank. The paying bank obtains credit for the item by debiting the drawer’s account.
Electronic Funds Transfer (EFT) Conversion
Settlement for check to ACH converted items takes place as provided by the ACH operator’s agreement with its participating depository financial institutions.
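The profile lists two controls at the transaction stage without showing what they look like in practice: format checks on the funding account (the MICR routing number) and the Remote Deposit Capture multiple-deposit risk. The following is an added example, not code from the Secure Payments Task Force or any financial institution, of a toy deposit-intake screen that applies both. It assumes the standard ABA routing transit number check digit (weights 3, 7, 1 repeated over nine digits, weighted sum divisible by 10) and assumes that a duplicate presentment is keyed on routing number, account number and check serial, with a differing amount on the second presentment flagged separately. All account data in it is constructed.

```python
"""Added example (not from the Secure Payments Task Force profile): a toy
deposit-intake screen applying two controls the profile names, the MICR
routing-number format check and detection of the same item being presented
more than once (the RDC / multiple-deposit risk). All data is constructed."""
from dataclasses import dataclass
from decimal import Decimal


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing transit number check digit: weights 3,7,1 repeated over
    the nine digits; the weighted sum must be divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    total = sum(int(d) * w for d, w in zip(routing, weights))
    return total % 10 == 0


@dataclass(frozen=True)
class CheckItem:
    routing: str      # payor financial institution ABA (MICR field)
    account: str      # payor account number (MICR field)
    serial: str       # check number (MICR serial field)
    amount: Decimal   # amount as encoded or keyed at deposit
    channel: str      # "branch", "rdc", "mobile_rdc" or "ach_conversion"

    def presentment_key(self) -> tuple:
        # Routing + account + serial identifies one paper item regardless of
        # the channel it arrives through (assumption for this example).
        return (self.routing, self.account, self.serial)


class DepositIntake:
    """Remembers accepted items so a second presentment of the same check,
    whether paper, image or converted to ACH, is flagged rather than paid."""

    def __init__(self) -> None:
        self._seen: dict[tuple, CheckItem] = {}

    def screen(self, item: CheckItem) -> list[str]:
        """Return findings for the item; an empty list means accept it."""
        findings: list[str] = []
        if not aba_checksum_ok(item.routing):
            findings.append("invalid_routing_checksum")
        if item.amount <= 0:
            findings.append("nonpositive_amount")
        prior = self._seen.get(item.presentment_key())
        if prior is not None:
            findings.append(f"duplicate_presentment:first_via_{prior.channel}")
            if prior.amount != item.amount:
                # Same item, different amount: possible alteration or keying error.
                findings.append("amount_mismatch_on_duplicate")
        if not findings:
            self._seen[item.presentment_key()] = item
        return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a check deposited by mobile RDC, the same paper
    check later walked into a branch, the same item keyed at a higher amount,
    and an item whose routing number fails the check digit."""
    intake = DepositIntake()
    good = CheckItem("123456780", "000987654321", "1042", Decimal("250.00"), "mobile_rdc")
    again = CheckItem("123456780", "000987654321", "1042", Decimal("250.00"), "branch")
    altered = CheckItem("123456780", "000987654321", "1042", Decimal("2500.00"), "rdc")
    bad_aba = CheckItem("123456789", "000987654321", "1043", Decimal("40.00"), "rdc")
    return {
        "first": intake.screen(good),
        "second": intake.screen(again),
        "altered": intake.screen(altered),
        "bad_aba": intake.screen(bad_aba),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'accepted'}")
```

The first presentment is accepted and recorded; the branch deposit of the same item is flagged as a duplicate that first arrived via mobile RDC, the re-keyed amount adds an alteration flag, and the malformed routing number is rejected before any lookup. A production intake would persist the seen-items store across channels and institutions, which is exactly the gap the profile describes as the multiple-deposit risk.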
Initiation: Payment Initiation Mechanism
Payment network, system and/or third party accessed
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
The method for initiating a check transaction is the issuance of a paper check. Each transfer or presentment of a check, whether paper or image, is legally a separate transaction that is initiated by delivering the item with the intention of giving the recipient the right to enforce the item.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
The transfer of an imaged item from the payee or transferee to a Bank of First Deposit is typically initiated by secure electronic connections, using an app for remote deposit capture.
Payer Authorization: Payment Network Traversed
“Rails” used to route authorization requests to the holder of the funding account
Payment Type Operation
Electronic Funds Transfer (EFT) Conversion
ACH Network
Payer Authorization: Transaction Authorization
Determination of whether to approve or decline a transaction including authorization, time-frame, obligations, and any recourse decisions
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
The Bank of First Deposit may decide whether or not to accept a check deposit, as long as the account agreement provides for it.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
The Bank of First Deposit may decide whether or not to accept a check deposit, as long as the account agreement provides for it. The Bank of First Deposit may also apply additional edits to imaged items that must be met before an item will be accepted for deposit.
Format Exchange
Payment instructions, rules and formatting
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Banks typically accept deposits of paper checks that conform to applicable ANSI standards.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
For remote deposit, all of the technical and operational standards are typically controlled by the depository bank and/or its IT service provider. In bank to bank image exchange, format exchange is determined in exchange/clearing agreement. The industry default standard is ANSI X9.100-187, but this may be varied by agreement.
Electronic Funds Transfer (EFT) Conversion
NACHA rules and formats apply.
Receipt: Acknowledgement / Guarantee
Notification and confirmation of payment completion including terms for use
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Paper check is retained by depository financial institution and then destroyed per retention policy.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
Check 21 data is captured, retained, and destroyed by depository financial institution per retention policy.
Electronic Funds Transfer (EFT) Conversion
When data is captured for creation of ACH transaction, the paper check is destroyed by the vendor (typical for backroom conversions) or voided and returned to the consumer (typical for point of sale conversions).
Payee Authentication
Mode of access to funds (or accounts)
Overview of Security Methods and Associated Risks
Security Methods
Fraud mitigation services where Data From Enforcement (DFE) can verify the status of the payor’s Demand Deposit Account (DDA)
Employee training
Consumer and corporate customer education
Magnetic Ink Character Recognition (MICR), microprint and other document-related security checks to affirm the integrity of the check
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
Limited opportunity to authenticate the payor at payment initiation
ABA routing gap
Remote Deposit Capture (RDC) / multiple deposit risk at financial institutions
Social Engineering, which could include business email compromise, masquerading fraud, imposter fraud, etc.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Account Holder Data (must be protected wherever it is processed, stored or transmitted):
Company Name (Originator)
Payor Address
Payor Phone Number (if provided)
Payor Driver’s License Number (if provided)
Payor Signature
Payor Financial Institution ABA
Payor Account Number
Check Image
Payee Account Data from Endorsement:
Payee’s Signature from Endorsement
Payee’s Account Number
Payee’s Financial Institution ABA
Risks Associated with the Sensitive Payment Data
Compromised check data, such as routing transit and deposit account numbers, may be used by a criminal to create or print fraudulent/counterfeit checks or to make payments over the phone.
Additional data compromised could be used for fraudulent account set-up and account takeover (account data, invoice data, address data, signature).
Clearing and Settlement: Settlement / Exchange of Funds
Actual movement of funds to settle funding arrangements and applicable fees
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Interbank settlement for checks may be structured by clearing house rules, Federal Reserve Operating Circular, or by bank to bank agreement. In the absence of agreement, bank to bank settlement is made by cash or transfer to the Federal Reserve account of the bank receiving settlement.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
Interbank settlement for checks may be structured by clearing house rules, Federal Reserve Operating Circular, or by bank to bank agreement. In the absence of agreement, bank to bank settlement is made by cash or transfer to the Federal Reserve account of the bank receiving settlement.
Electronic Funds Transfer (EFT) Conversion
ACH clearing effects interbank settlement on Federal Reserve accounts or directly between financial institutions in accordance with established agreements.
Overview of Security Methods and Associated Risks
Security Methods
Fraud mitigation services where Data From Enforcement (DFE) can verify the status of the payor’s Demand Deposit Account (DDA)
Employee training
Consumer and corporate customer education
Magnetic Ink Character Recognition (MICR), microprint and other document-related security checks to affirm the integrity of the check
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
Limited opportunity to authenticate the payor at payment initiation
ABA routing gap
Remote Deposit Capture (RDC) / multiple deposit risk at financial institutions
Social Engineering, which could include business email compromise, masquerading fraud, imposter fraud, etc.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
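The two items above that lend themselves to an automated control are the MICR/document integrity check among the security methods and the Remote Deposit Capture multiple-deposit risk. The following is an added example, not code from the task force profile or from any bank or processor: it parses the MICR line of a check, verifies the ABA routing transit number check digit (weights 3, 7, 1 repeating; weighted sum must be divisible by 10), and flags an item that has already been presented through any channel. The MICR layout it accepts (transit symbol, routing number, transit symbol, account, on-us symbol, serial number, optional encoded amount) is an assumption; the sample routing and account numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Dict, Tuple

# E-13B MICR special symbols (Unicode code points).
TRANSIT = "\u2446"  # brackets the routing transit number
ON_US = "\u2448"    # terminates the account (on-us) field
AMOUNT = "\u2447"   # brackets the amount encoded after deposit

# Assumed layout: transit field, account, on-us symbol, serial, optional amount.
# Real on-us fields vary by bank; this regex covers the most common arrangement.
_MICR_RE = re.compile(
    rf"\s*{TRANSIT}(\d{{9}}){TRANSIT}\s*(\d+){ON_US}\s*(\d+)\s*(?:{AMOUNT}(\d{{10}}){AMOUNT})?\s*"
)


def routing_number_is_valid(rtn: str) -> bool:
    """ABA routing transit number check digit: 9 digits, weighted sum
    with weights 3,7,1,3,7,1,3,7,1 must be a multiple of 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


@dataclass(frozen=True)
class CheckItem:
    routing: str
    account: str
    serial: str        # check (serial) number from the on-us field
    amount_cents: int


def parse_micr(line: str, amount_cents: Optional[int] = None) -> CheckItem:
    """Parse a MICR line. The amount comes from the encoded amount field when
    present, otherwise from the amount keyed or captured at deposit."""
    m = _MICR_RE.fullmatch(line)
    if not m:
        raise ValueError("unrecognized MICR layout")
    routing, account, serial, encoded = m.groups()
    if encoded is not None:
        amount_cents = int(encoded)
    if amount_cents is None:
        raise ValueError("amount required when the MICR line carries no amount field")
    return CheckItem(routing, account, serial, amount_cents)


class DuplicateDepositDetector:
    """Remembers every item presented; the same item presented again through
    any channel (mobile RDC, branch, ATM, lockbox) is flagged as a duplicate."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple[str, str, str, int], str] = {}

    def screen(self, item: CheckItem, channel: str) -> List[str]:
        flags: List[str] = []
        if not routing_number_is_valid(item.routing):
            flags.append("bad_routing_checksum")
        key = (item.routing, item.account, item.serial, item.amount_cents)
        if key in self._seen:
            flags.append(f"duplicate_of_{self._seen[key]}")
        else:
            self._seen[key] = channel
        return flags


def demo() -> List[List[str]]:
    """Constructed scenario: one item deposited twice, then an item whose
    routing number fails the check-digit test."""
    det = DuplicateDepositDetector()
    results = []
    # Constructed sample: routing 123456780 satisfies the 3-7-1 check digit.
    micr = f"{TRANSIT}123456780{TRANSIT} 1234567890{ON_US} 1001"
    results.append(det.screen(parse_micr(micr, 12500), "mobile_rdc"))
    # Same item presented again at a branch: flagged as a duplicate.
    results.append(det.screen(parse_micr(micr, 12500), "branch"))
    # Routing number 123456789 does not verify (weighted sum 159).
    forged = f"{TRANSIT}123456789{TRANSIT} 1234567890{ON_US} 1002"
    results.append(det.screen(parse_micr(forged, 12500), "atm"))
    return results


if __name__ == "__main__":
    for flags in demo():
        print(flags or "accepted")
```

The duplicate key deliberately includes the amount: a duplicate presentment of the same serial number with a different amount is an altered item rather than a repeat deposit, and should be routed to a different exception queue than a straight re-deposit. The routing check digit only proves internal consistency of the number; it says nothing about whether the account exists or is open, which is what the account-status verification service listed above is for.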
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Account Holder Data (must be protected wherever it is processed, stored or transmitted):
Company Name (Originator)
Payor Address
Payor Phone Number (if provided)
Payor Driver’s License Number (if provided)
Payor Signature
Payor Financial Institution ABA
Payor Account Number
Check Image
Payee Account Data from Endorsement:
Payee’s Signature from Endorsement
Payee’s Account Number
Payee’s Financial Institution ABA
Risks Associated with the Sensitive Payment Data
Compromised check data, such as routing transit and deposit account numbers, may be used by a criminal to create or print fraudulent/counterfeit checks or to make payments over the phone.
Additional data compromised could be used for fraudulent account set-up and account takeover (account data, invoice data, address data, signature).
Reconciliation
Reconciliation / Exception Handling
Process and responsibilities associated with reconciling and handling any exceptions or problems with a payment
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
The paying bank must initiate a return prior to its “midnight deadline” if it decides to dishonor a check presented by another bank. Bank to bank clearing arrangements may provide for automated means of asserting claims or requesting information related to exceptions. Warranty and indemnity claims may be asserted using requests for “adjustments” by agreement. Legal redress for breaches of warranty or for indemnity claims is available for the duration of the applicable statute of limitations. Claims based on negligence typically have a shorter time limit.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
The paying bank must initiate a return prior to its “midnight deadline” if it decides to dishonor a check presented by another bank. Bank to bank clearing arrangements may provide for automated means of asserting claims or requesting information related to exceptions. Warranty and indemnity claims may be asserted using requests for “adjustments” by agreement. Legal redress for breaches of warranty or for indemnity claims is available for the duration of the applicable statute of limitations. Claims based on negligence typically have a shorter time limit.
Electronic Funds Transfer (EFT) Conversion
Governed by ACH rules.
User Protection / Recourse
Applicable rules, regulations, and legal means of recourse
Payment Type Operation
Paper Check
Note: there is potential movement between paper and Check 21/electronic check
Checks are governed by the Uniform Commercial Code, various federal statutes (Expedited Funds Availability Act, Check 21 Act), and Regulation CC. These rules may be varied or expanded by clearing house rules, Federal Reserve Operating Circulars, or agreements that may be bilateral or unilateral.
Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)
Checks are governed by the Uniform Commercial Code, various federal statutes (Expedited Funds Availability Act, Check 21 Act), and Regulation CC. These rules may be varied or expanded by clearing house rules, Federal Reserve Operating Circulars, or agreements that may be bilateral or unilateral.
Electronic Funds Transfer (EFT) Conversion
Governed by ACH rules. Consumer EFTs are subject to Regulation E.
Last Updated: 02/21/2018
Footnotes
*Note: Payments/Transfers Flow in Both Directions