
Web Debit Security Audit FAQs


Dept. Process Owner: Success Operations
Last Updated: 04/23/2025



Effective January 2021, the National Automated Clearing House Association (Nacha) introduced a mandatory annual audit for all Originators of WEB debit entries. This measure is designed to protect sensitive financial information, specifically consumer bank account data used in ACH (Automated Clearing House) transactions, which do not involve payment cards.

This audit ensures that your organization complies with Nacha's Operating Rules and Guidelines, which safeguard consumer data and reduce fraud across the ACH network.


What is Required?

All organizations originating WEB debit transactions are required to complete an annual security audit. This audit must verify that non-public financial information, such as bank account and routing numbers, is properly secured through formal practices and documented controls.

Your organization must have:

  • (a) Physical Security Controls:
    To protect documents or systems from theft, tampering, or environmental damage.

  • (b) Personnel & Access Controls:
    To ensure only authorized individuals have access to protected consumer financial information.

  • (c) Network Security Measures:
    To secure data during electronic capture, transmission, and storage—including encryption where applicable.

For full details on these requirements, refer to https://www.nacha.org/resources/encryption-eresource


What Action is Required from You?

You are required to complete a Web Debit Security Audit Form provided by CSG Forte. This form captures the security measures currently in place at your organization and helps determine your compliance status under Nacha rules.

https://hardwareorderform.formstack.com/forms/web_debit_security_audit_merchant_v2

If your organization previously completed the audit, you must still complete a new attestation annually to confirm that no significant changes have been made to your data protection procedures or access controls.


Who Should Complete This Audit?

The audit should be completed by someone with comprehensive knowledge of your IT systems and security policies. Ideal candidates include:

  • A member of your IT department

  • Your third-party IT service provider or consultant


What If You’re Missing Some Policies or Controls?

If you cannot answer a question, or you answer "No" for any of the audit requirements:

  • Your organization will be considered non-compliant.

  • A remediation plan and timeline will be required to achieve full compliance.

  • You can refer to resources such as the FCC Cybersecurity Hub for Small Businesses, which offers:

    • Free and low-cost security tools

    • A customizable Cybersecurity Tip Sheet

    • The Small Biz Cyber Planner

Visit: FCC Cybersecurity for Small Businesses


Where can I find similar guidance on the protection of customer data?

As many data security requirements of ACH Transactions are covered under PCI Data Requirements, you can refer to the PCI Security Standards Council for tools and resources about data security for small merchants.


What If No One at My Organization Can Complete the Audit?

If you're unable to identify a responsible party internally:

