Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:

  • The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
  • Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
  • Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type

The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.

These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.

Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.

Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.

Check Definition: A check payment is a negotiable instrument drawn against deposited funds and used to pay a specific entity a specific amount of funds on demand. A check is routed from the payer to the payee and deposited at the payee’s financial institution. Some or all funds are made available to the payee on deposit and the item is routed to the payer’s financial institution for settlement. The payer’s financial institution shifts funds from the payer’s account upon receipt of the item. Historically, paper checks were physically routed, but today, much of check routing is done electronically.

Enrollment

Payer ID / Enrollment

Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment, and changes) and determination of authority based on role

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Financial Institution onboards account holder utilizing Know Your Customer (KYC) and underwriting

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

Financial Institution onboards account holder utilizing Know Your Customer (KYC) and underwriting

Electronic Funds Transfer (EFT) Conversion

Financial Institution onboards account holder utilizing Know Your Customer (KYC) and underwriting

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payee ID / Enrollment

Enrollment of a payee includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role

Overview of Security Methods and Associated Risks

Expand

Transaction*

Payer Authentication

Verification of the payer when originating payments

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Payee of check may choose to request personal identification information from the payor.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

Payee of check may choose to request personal identification information from the payor.

Electronic Funds Transfer (EFT) Conversion

Payee may choose to request personal identification information from the payor.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Access Mode / Network

Environment in which the payment origination is requested

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Typically, a check enters the bank to bank check collection system when the payee or a transferee deposits the check into their bank account at the Bank of First Deposit. Alternatively, the payee or transferee may present the item directly to the paying bank.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

The payee or the payee’s financial services provider truncates the paper check and creates an electronic image of the check to go through the clearing process to the payor’s financial institution

Electronic Funds Transfer (EFT) Conversion

Vendor creates ACH transaction and transmits data to vendor’s financial institution.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Device / Method Used to Initiate Payment

Type of interaction or device used to enter payment account information

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

The device used to initiate payments is the issuance of a paper check from the drawer to the payee. Payee or transferee may deposit the check to her bank in paper form or as an image. Alternatively, the payee or transferee presents the paper check directly to the paying bank for payment.

The Bank of First Deposit may image the check and clear the check as an image.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

The electronic image of the check is sent to the payor’s financial institution, local clearing house exchange, or a collecting financial institution. Images typically are retained for purposes of record keeping laws and for reconciliation of exceptions.

Electronic Funds Transfer (EFT) Conversion

Point of sale or mail check to vendor for back office conversion to ACH.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Funding Account for Payment

Entry and/or identification of the funding account (with format checks)

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Typically, the Bank of First Deposit settles with its depositor by crediting the depositor’s account. The depositary bank obtains credit for an item by sending it forward for collection. At each step in bank to bank collection, a credit is settled to an account of the transferring or presenting bank, and a debit is settled to the account of the subsequent collecting bank or the paying bank. The paying bank obtains credit for the item debiting the drawer’s account.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

Account holders can transmit check data directly to their financial institution so no physical deposit of check is necessary. Typically, the Bank of First Deposit settles with its depositor by crediting the depositor’s account. The depositary bank obtains credit for an item by sending it forward for collection. At each step in bank to bank collection, a credit is settled to an account of the transferring or presenting bank, and a debit is settled to the account of the subsequent collecting bank or the paying bank. The paying bank obtains credit for the item debiting the drawer’s account.

Electronic Funds Transfer (EFT) Conversion

Settlement for check to ACH converted items takes place as provided by the ACH operator’s agreement with its participating depository financial institutions.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Payment Initiation Mechanism

Payment network, system and/or third party accessed

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

The method for initiating a check transaction is the issuance of a paper check. Each transfer or presentment of a check, whether paper or image, is legally a separate transaction that is initiated by delivering the item with the intention of giving the recipient the right to enforce the item.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

The transfer of an imaged item from the payee or transferee to a Bank of First Deposit is typically initiated by secure electronic connections, using an app for remote deposit capture.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payer Authorization: Payment Network Traversed

“Rails” used to route authorization requests to the holder of the funding account

Payment Type Operation

Electronic Funds Transfer (EFT) Conversion

ACH Network

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payer Authorization: Transaction Authorization

Determination of whether to approve or decline a transaction including authorization, time-frame, obligations, and any recourse decisions

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

The Bank of First Deposit may decide whether or not to accept a check deposit, as long as the account agreement provides for it.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

The Bank of First Deposit may decide whether or not to accept a check deposit, as long as the account agreement provides for it. Bank of First Deposit may have additional edits for imaged items that must be met before an item will be accepted for deposit.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Format Exchange

Payment instructions, rules and formatting

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Banks typically accept deposits of paper checks that conform to applicable ANSI standards.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

For remote deposit, all of the technical and operational standards are typically controlled by the depository bank and/or its IT service provider. In bank to bank image exchange, format exchange is determined in exchange/clearing agreement. The industry default standard is ANSI X9.100-187, but this may be varied by agreement.

Electronic Funds Transfer (EFT) Conversion

NACHA rules and formats apply.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Receipt: Acknowledgement / Guarantee

Notification and confirmation of payment completion including terms for use

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Paper check is retained by depository financial institution and then destroyed per retention policy.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

Check 21 data is captured, retained, and destroyed by depository financial institution per retention policy.

Electronic Funds Transfer (EFT) Conversion

When data is captured for creation of ACH transaction, the paper check is destroyed by the vendor (typical for backroom conversions) or voided and returned to the consumer (typical for point of sale conversions).

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payee Authentication

Mode of access to funds (or accounts)

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Clearing and Settlement: Settlement / Exchange of Funds

Actual movement of funds to settle funding arrangements and applicable fees

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Interbank settlement for checks may be structured by clearing house rules, Federal Reserve Operating Circular, or by bank to bank agreement. In the absence of agreement, bank to bank settlement is made by cash or transfer to the Federal Reserve account of the bank receiving settlement.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

Interbank settlement for checks may be structured by clearing house rules, Federal Reserve Operating Circular, or by bank to bank agreement. In the absence of agreement, bank to bank settlement is made by cash or transfer to the Federal Reserve account of the bank receiving settlement.

Electronic Funds Transfer (EFT) Conversion

ACH clearing effects interbank settlement on Federal Reserve accounts or directly between financial institutions in accordance with established agreements.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Reconciliation

Reconciliation / Exception Handling

Process and responsibilities associated with reconciling and handling any exceptions or problems with a payment

Payment Type Operation

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

The paying bank must initiate a return prior to its “midnight deadline” if it decides to dishonor a check presented by another bank. Bank to bank clearing arrangements may provide for automated means of asserting claims or requesting information related to exceptions. Warranty and indemnity claims may be asserted using requests for “adjustments” by agreement. Legal redress for breaches of warranty or for indemnity claims is available for the duration of the applicable statute of limitations. Claims based on negligence typically have a shorter time limit.

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

The paying bank must initiate a return prior to its “midnight deadline” if it decides to dishonor a check presented by another bank. Bank to bank clearing arrangements may provide for automated means of asserting claims or requesting information related to exceptions. Warranty and indemnity claims may be asserted using requests for “adjustments” by agreement. Legal redress for breaches of warranty or for indemnity claims is available for the duration of the applicable statute of limitations. Claims based on negligence typically have a shorter time limit.

Electronic Funds Transfer (EFT) Conversion

Governed by ACH rules.

User Protection / Recourse

Applicable rules, regulations, and legal means of recourse

Payment Flow Overview

Paper Check

Note: there is potential movement between paper and Check 21/electronic check

Checks are governed by the Uniform Commercial Code, various federal statutes (Expedited Funds Availability Act, C21 Act), and Regulation CC. These rules may be varied or expanded by clearing house rules, Federal Reserve Operating Circulars, or agreements that may be bilateral or unilateral.

Payment Type Operation

Check 21 / Electronic (Remote Deposit Capture or Mobile Remote Deposit Capture)

Checks are governed by the Uniform Commercial Code, various federal statutes (Expedited Funds Availability Act, C21 Act), and Regulation CC. These rules may be varied or expanded by clearing house rules, Federal Reserve Operating Circulars, or agreements that may be bilateral or unilateral.

Electronic Funds Transfer (EFT) Conversion

Governed by ACH rules. Consumer EFTs are subject to Regulation E.

 

Last Updated: 02/21/2018

Footnotes

*Note: Payments/Transfers Flow in Both Directions