Single or recurring debit entries to a consumer’s account based on an authorization from the Receiver to the Originator via the Internet or a Wireless Network, excluding oral authorization via these channels.
Companies are required to employ commercially reasonable authentication methods to verify the identity of the consumer.
The record of the authentication method used must be reproducible and available upon request.
The Authorization must:
Be in writing that is signed or similarly authenticated by the Receiver via the Internet or a Wireless Network;
Be communicated via a Wireless Network;
Be readily identifiable as an ACH debit authorization;
Express its terms in a clear and readily understandable manner; and
Provide the Receiver with a method to revoke the authorization in the manner prescribed.
The Authorization should contain the following information:
Express authorization language
The amount of the transaction:
For a single entry payment
For a recurring entry that is for the same amount each interval, or
For a range of payments
The effective date of the transaction
The Receiver’s routing and account number
The authorization must be retained, and reproducible in hard-copy format within 10 banking days of a request, for at least two (2) years from the Settlement Date of the last entry or from the termination or revocation of the authorization.
Company must be able to provide confirmation that security technology used for each Receiver session is, at a minimum, equivalent to 128-bit SSL encryption.
Fraud Detection and Prevention
Company must be able to provide confirmation that a commercially reasonable fraud detection system to screen each WEB entry has been implemented.
Network and System Security
Company must be able to provide confirmation that an annual audit is conducted to ensure that the financial information obtained from consumers is protected by security practices that include, at a minimum, adequate levels of:
Physical security to protect against theft, tampering, or damage;
Personnel and access controls (logical security) to protect against unauthorized access and use; and
Network security to ensure secure capture, storage, and distribution of financial information.
Responsibilities of Originators
As an Originator, it's crucial to understand and fulfill your responsibilities when initiating WEB entries. To ensure compliance with the rules and regulations governing WEB transactions, follow these key steps:
Security Practices and Procedures: Establish a commercially reasonable process to ensure the protection of financial information obtained from Receivers. This process should include annual audits and incorporate the following security measures:
Physical security to safeguard against theft, tampering, or damage.
Personnel and access controls to prevent unauthorized access and use.
Network security to guarantee secure capture, storage, and distribution of sensitive information.
Fraudulent Transaction Detection: Establish and implement a commercially reasonable fraudulent transaction detection system specifically for screening debit WEB Entries. This system should, at a minimum, perform the following functions:
Validate the account to be debited for its initial use.
Continuously monitor for any subsequent changes to the account number.
Authentication Methods: Establish and implement commercially reasonable methods of authentication to confirm the identity of the Receiver of the debit WEB Entry.
Authorization and Notice: Obtain proper authorization from the Receiver before initiating WEB entries.
Prompt Response to RDFI Requests: When the RDFI (Receiving Depository Financial Institution) submits a written request for proof of authorization, provide a copy of the internet authorization as seen by the consumer along with the authorization time and date stamp within ten Banking Days of receiving the request. This must be done if the request is received within two years of the Settlement Date of the WEB Entry. The authorization must:
Evidence the customer’s identity and assent to the authorization
Have clear and readily understandable terms
Provide that the customer may revoke the authorization only by notifying the merchant in the time and manner stated in the authorization
Have a signature (electronic) that is displayed in a manner that enables the customer to read the communication
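The screening and record-keeping duties above (validate the account on first use, watch for later account-number changes, and reproduce the authorization text with its time stamp on an RDFI request made within two years of the Settlement Date) as an added Python sketch; this is example code, not part of the rules text or any Originator's system. The ABA routing-number check digit is assumed as the first-use validation step, the two-year window is approximated as 730 days, and all identifiers and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Proof of authorization must be producible for a request made within two years
# of the Settlement Date (approximated here as 730 days; an assumption).
RETENTION = timedelta(days=2 * 365)

def routing_number_valid(routing: str) -> bool:
    """Standard ABA routing-number check digit (weights 3, 7, 1).
    Assumed here as the first step of 'validate the account on initial use'."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0

@dataclass
class WebAuthorization:
    receiver_id: str
    routing: str
    account: str
    auth_text: str              # authorization exactly as displayed to the consumer
    authenticated_at: datetime  # time/date stamp of the consumer's assent
    settlement_date: datetime

class WebEntryScreener:
    """Screens debit WEB entries and keeps the authorization records (hypothetical)."""
    def __init__(self) -> None:
        self._last_account: dict[str, str] = {}   # receiver -> account last debited
        self._records: list[WebAuthorization] = []

    def screen(self, auth: WebAuthorization) -> list[str]:
        """Return screening flags for this entry; an empty list means no finding."""
        flags = []
        if not routing_number_valid(auth.routing):
            flags.append("routing_check_digit_failed")
        prev = self._last_account.get(auth.receiver_id)
        if prev is None:
            flags.append("first_use_validate_account")   # first debit of this Receiver
        elif prev != auth.account:
            flags.append("account_number_changed")       # subsequent change detected
        self._last_account[auth.receiver_id] = auth.account
        self._records.append(auth)
        return flags

    def proof_of_authorization(self, receiver_id: str, requested_at: datetime):
        """Reproduce the latest stored authorization (text and time stamp) for an
        RDFI request inside the retention window; None if nothing is due."""
        for rec in reversed(self._records):
            if rec.receiver_id == receiver_id and requested_at - rec.settlement_date <= RETENTION:
                return {"auth_text": rec.auth_text, "authenticated_at": rec.authenticated_at.isoformat()}
        return None
```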