Payment Network Updates for 2022
Nacha implemented Phase One of its Account Information Security Requirements in June 2021; Phase Two follows in June 2022
PCI DSS version 4.0 is expected from the payment card industry in Q1 2022, along with new guidelines for conducting remote assessments
Card brands are issuing updates such as the move to an eight-digit BIN
At CampusConnect 2021, the Nelnet Campus Commerce user conference, a breakout session on payment network updates was hosted by Cheryl Mickey, AAP, CTP, Business Analyst/Quality Analyst, QuikPay. In this session she covered the Nacha rules that went into effect in 2021 and the new rules for 2022, along with security updates from the payment card industry and future Nacha updates.
Nacha Rule Changes in 2021
Nacha implemented new rules in 2021 covering supplemental fraud detection standards for WEB debits, enhanced Account Information Security Requirements, and a Meaningful Modernization package that clarifies the rules themselves.
Supplementing Fraud Detection Standards for WEB Debits
This rule took effect on March 19, 2021. It requires merchants and billers that originate WEB debits (any ACH debit payment authorized online) to validate the consumer's account information before accepting the first payment. It covers internet-initiated transactions in which the payer authorizes an entity to pull funds from their bank account, and all originators of WEB debits must use a commercially reasonable fraud detection system to screen those debits for fraud. According to Cheryl, Nelnet Campus Commerce partners with a third-party fraud detection service provider that maintains a database of over 4 billion consumer and business accounts.
Account Information Security Requirements – Phase 1
The first phase of the Account Information Security Requirements went into effect in June 2021 and requires that account numbers be protected by rendering them unreadable when stored electronically. This phase applies to entities with an annual ACH volume of 6 million transactions or more. Nacha is implementing the rule in a phased approach, with Phase 2 slated for June 2022.
Meaningful Modernization
Nacha recognized that the ACH rules are hard for most people to understand. In September 2021 it modernized the rules to improve and simplify the ACH user experience. “The purpose of this rule is to provide clarity where new technologies are being used for payments,” Cheryl explained. The rule introduces Standing Authorizations: an advance authorization by a consumer of future debits at various intervals, where each future debit is then initiated by some further action of the consumer.
Upcoming Nacha Rule Changes for 2022
Nacha will implement new rules in 2022, including Phase 2 of the Account Information Security Requirements (Phase 1 is covered above) and an update to third-party sender roles and responsibilities.
Account Information Security Requirements – Phase 2
Like Phase 1, Phase 2 of the Account Information Security Requirements requires that account numbers be protected by rendering them unreadable when stored electronically. This rule, which aligns with PCI DSS requirements for protecting stored account data, goes into effect June 30, 2022, and lowers the threshold to entities with an annual ACH volume of 2 million transactions or more. “Depending on whether all ACH processing is outsourced or some is still managed within institutions, this rule might apply to them,” Cheryl said.
She also shared examples of when this requirement would apply. First, if institutions manage their own payroll or vendor payments, the stored authorizations and data would need the account numbers rendered unreadable. Another example is check collection, where paper checks are converted to electronic transactions. Institutions need to consider not only rendering the account information in the electronic data unreadable, but also what to do with the physical check so that the account information printed on it stays secure.
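As an added illustration (not code from the session, from Nelnet or from Nacha), the following Python sketch shows one standard-library way an institution holding its own vendor-payment or check-conversion records could render stored account numbers unreadable: keep only the last four digits for display and replace the full number with a keyed one-way token (HMAC-SHA256) whose key is held outside the database. It also shows why an unkeyed hash does not meet the intent: bank account numbers have far too little entropy to resist simple enumeration. The payer names, routing/account numbers and key are constructed for the example, and the function names are this example's own.

```python
"""Rendering stored ACH account numbers unreadable.

Added example, not code from Nelnet Campus Commerce or Nacha. Keeps only the
last four digits in the clear and replaces the account number with a keyed
one-way token. All sample data below is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample authorizations: not real routing or account numbers.
SAMPLE_AUTHORIZATIONS = [
    {"payer": "Vendor A", "routing": "011000015", "account": "000123456789"},
    {"payer": "Vendor B", "routing": "011000015", "account": "000987654321"},
]


def mask_account(account: str) -> str:
    """Truncated display form: every digit but the last four becomes '*'."""
    if not account.isdigit() or len(account) < 5:
        raise ValueError("account number must be at least five digits")
    return "*" * (len(account) - 4) + account[-4:]


def account_token(routing: str, account: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) over routing|account.

    The key is kept outside the database (KMS, HSM or vault). Without it the
    token cannot be reversed by enumerating candidate account numbers.
    """
    return hmac.new(key, f"{routing}|{account}".encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(routing: str, account: str) -> str:
    """The weak alternative: plain SHA-256 with no secret. Shown only to be broken."""
    return hashlib.sha256(f"{routing}|{account}".encode()).hexdigest()


def store_record(auth: dict, key: bytes) -> dict:
    """The record as it should sit in the database: no full account number at all."""
    return {
        "payer": auth["payer"],
        "routing": auth["routing"],  # routing numbers are public, not protected data
        "account_token": account_token(auth["routing"], auth["account"], key),
        "account_display": mask_account(auth["account"]),
    }


def tokens_match(stored_token: str, routing: str, account: str, key: bytes) -> bool:
    """Constant-time comparison, e.g. to detect a duplicate authorization."""
    return hmac.compare_digest(stored_token, account_token(routing, account, key))


def recover_from_unkeyed_hash(digest_hex: str, routing: str, digit_count: int):
    """Why an unkeyed hash is not 'unreadable': hash every candidate and compare.

    Limited to a constructed digit_count-digit account space so it runs fast;
    real account numbers are longer but still enumerable offline.
    """
    for n in range(10 ** digit_count):
        candidate = str(n).zfill(digit_count)
        if unkeyed_hash(routing, candidate) == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; production keys come from a KMS/HSM
    for auth in SAMPLE_AUTHORIZATIONS:
        print(store_record(auth, key))
    leaked = unkeyed_hash("011000015", "04217")
    print("unkeyed hash recovered:", recover_from_unkeyed_hash(leaked, "011000015", 5))
```

The stored record carries the token and the masked display form only; the full account number never reaches the table, which is the property Phase 2 asks for. Encryption with a properly managed key is an equally valid approach when the institution must be able to recover the number (for example to originate the debit itself); the keyed token suits records that only need matching.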
Update to Third-Party Sender Roles and Responsibilities
An update to third-party sender roles and responsibilities goes into effect on September 30, 2022. It requires third-party senders to conduct a risk assessment in addition to the existing rules compliance audit. “A Risk Assessment covers things like user security settings, business continuity plans, and policies and procedures,” explained Cheryl. “Nelnet already does this on an annual basis, but if institutions are using a different third-party vendor they need to be sure that their vendor is aware of this rule, complies with it, and performs an annual risk assessment,” Cheryl continued.
Payment Card Industry Updates
PCI DSS Updates
The PCI Security Standards Council (PCI SSC) expects to publish version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) in Q1 2022, with supporting documentation to follow in Q2. The current standard, version 3.2.1, will remain active for 18 months after v4.0 is published, giving entities time to implement the new requirements. Some v4.0 requirements are future-dated and will not become mandatory until Q1 2025, allowing even more time for those implementations.
In addition to the updated standard, the PCI SSC will publish new guidelines for conducting remote assessments. An onsite assessment remains the expected method of validation; however, there are situations in which a remote assessment may need to be performed, such as travel restrictions, an inability to meet in person, or an entity operating in a virtual environment with no physical premises. The documentation will outline the procedure for a feasibility analysis as well as additional guidance on remote testing.
Card Brand Updates
Card brands such as Visa and Discover are issuing updates in 2022 as well. The first to take effect, in April 2022, is the move to an eight-digit BIN (Bank Identification Number). The BIN is the leading digits of the card number and identifies the card brand, the issuing bank, and other details about the credit or debit card being used; it is growing from six digits to eight.
The eight-digit BIN affects how truncated primary account numbers (PANs) are stored, because the common practice has been to keep only the first six and last four digits. PCI SSC truncation guidance already allows the first eight digits plus any other four digits of a 16-digit or longer PAN to be stored, so an eight-digit BIN can be retained without storing the full PAN; however, it is still recommended to keep only the first six digits unless the full eight-digit BIN is actually needed, since every extra digit kept in the clear is one fewer digit masked.
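To make the storage consequence concrete, here is an added Python example (not code from the session, from Nelnet or from the PCI SSC) that applies the truncation choice described above. The policy it enforces is a simplification stated as an assumption of this example: for PANs of 16 or more digits at most the first eight and last four digits are kept in the clear, for shorter PANs at most the first six, and at least four digits must always be masked; check the PCI SSC's current truncation guidance before relying on it. The card numbers are well-known test PANs, not real accounts, and the function names are this example's own.

```python
"""PAN truncation with six- versus eight-digit BINs.

Added example, not code from Nelnet Campus Commerce or the PCI SSC. The
policy below is a simplification (an assumption of this example): 16+ digit
PANs may keep the first eight and last four digits, shorter PANs only the
first six, and at least four digits must be masked. Card numbers are
standard test PANs.
"""


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test: catches typos in a PAN, says nothing about fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def max_leading_digits(pan_len: int) -> int:
    """Assumed policy: eight leading digits only when the PAN has 16+ digits."""
    return 8 if pan_len >= 16 else 6


def truncate_pan(pan: str, leading: int = 6, trailing: int = 4) -> str:
    """Return the PAN with only `leading` and `trailing` digits in the clear.

    Raises ValueError if the request keeps more leading digits than the policy
    allows for that PAN length or would leave fewer than four digits masked.
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if trailing > 4:
        raise ValueError("at most the last four digits may be kept")
    limit = max_leading_digits(len(pan))
    if leading > limit:
        raise ValueError(f"at most {limit} leading digits for a {len(pan)}-digit PAN")
    masked = len(pan) - leading - trailing
    if masked < 4:
        raise ValueError(f"only {masked} digits would be masked")
    return pan[:leading] + "*" * masked + pan[-trailing:]


def truncate_for_storage(pan: str, need_full_bin: bool) -> str:
    """The recommendation above: keep six digits unless the eight-digit BIN is needed."""
    return truncate_pan(pan, leading=8 if need_full_bin else 6, trailing=4)


def issuer_bin(truncated: str) -> str:
    """Eight-digit BIN from a stored truncated PAN; fails if only six digits were kept."""
    head = truncated[:8]
    if not head.isdigit():
        raise ValueError("stored form does not retain the eight-digit BIN")
    return head


if __name__ == "__main__":
    for pan in ("4111111111111111", "378282246310005"):  # 16-digit and 15-digit test PANs
        print(pan, "luhn ok" if luhn_valid(pan) else "luhn FAIL")
        print("  six-digit storage:  ", truncate_for_storage(pan, need_full_bin=False))
        try:
            print("  eight-digit storage:", truncate_for_storage(pan, need_full_bin=True))
        except ValueError as err:
            print("  eight-digit storage rejected:", err)
```

Two consequences worth noting: a 15-digit PAN cannot keep eight leading digits under this policy, because only three digits would remain masked, and a record truncated to six leading digits cannot later yield the eight-digit BIN, so the decision has to be made when the record is first stored.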
Also being implemented are process changes that require an approval to be requested on refund transactions: all refund requests will now be sent through the authorization network for approval. Alongside this is an effort to improve risk performance and prevent excessive authorization attempts, which applies when a stored profile (card on file) is used to conduct a transaction. Authorization responses will be assigned to categories that determine if and when a reattempt of the authorization may occur.
Author: Natalie Schwarz
Natalie Schwarz creates and edits internal and external communications as a Communications Specialist with Nelnet Campus Commerce. She holds a Master of Arts degree in Creative Writing and has over a decade of professional writing experience. When she’s not crafting communications, you can find Natalie enjoying the outdoors with her husband and their twin boys or scoping out an estate sale.