What does the new NACHA mandate encompass?
NACHA, the National Automated Clearing House Association, has implemented a new rule to combat fraudulent ACH transactions in response to a rise in fraudulent activity in recent years.
This new WEB Debit Account Validation Rule requires that WEB Debit Originators or Third Party Services must provide a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud.
NACHA has defined commercially reasonable as being neutral in meaning but suggests one of the following four solutions:
- Prenotification Entry
- ACH micro-transaction verification
- Use of a commercially available validation service provided by either an ODFI or a third-party (ex. Plaid or Yodlee)
- Use of account validation capabilities or services enabled by APIs
The rule was originally set to take effect on March 19, 2021, but our partners have confirmed that they were granted delays of one year while acting towards a solution with a revised date of March 19, 2022.
What happens in the event of non-compliance?
In the case that fraudulent ACH activity is observed, NACHA will use this as a point to investigate.
Who is impacted by this mandate?
WEB Debit Originators, Third-Party Originators, and all of Zuora’s new customers processing ACH payments are responsible for making changes to verify ACH account information.
All existing ACH payment methods within Zuora are not subject to this additional validation as successful transactions with an ACH account are deemed as commercially reasonable methods of validation.
How is Zuora addressing this?
As was noted above, NACHA has not clearly defined what it means to have a “commercially reasonable fraudulent transaction detection system" because the concept of commercial reasonableness is dependent on the particular situation of each customer. However, NACHA has provided examples of what it believes to be sufficient.
Where possible, our intent is to grant our customers the ability to own their customer experience. This rule is no different and so we are committed to providing you with the flexibility to choose the experience that best works for you. You can choose to use existing gateways’ native verification engines if your gateway supports, your own verification service if you have built one, or any third party service you want to choose.
Customers choosing not to use Zuora’s Hosted Payment Pages or Direct POST, and instead use our APIs will be responsible for managing the verification. In this instance, please contact your gateway representative for more details on whether you are covered.
What updates are required from me?
All of our partners have their own solutions for handling the ACH verification with you, either in a completely transparent manner or through the addition of a validation service. We encourage you to contact your relationship manager for these gateway solutions to better understand what they can and cannot do to support you.
Which payment gateways support ACH verification?
Our gateway partners that have native ACH verification support should be contacted for more information on what needs to be done.
|Payment gateway||Payment gateway integration in Zuora||Native ACH verification?||Action Required?|
|Adyen||Adyen Integration v2.0||TBD|
|Adyen||Migrate to Adyen Integration v2.0|
|BlueSnap||BlueSnap, Payment API v2.0||No|
|CyberSource||CyberSource, Payment API v2.0||No|
|CyberSource Enterprise Gateway, API v1.97||No|
|CyberSource Enterprise Gateway, API v1.28||No|
|JPMorgan Chase Paymentech Orbital||Chase Paymentech Orbital Gateway||TBD|
|Chase Paymentech Orbital Gateway, API v7.0.1||TBD|
|Merchant eSolutions||Merchant eSolutions||TBD||TBD|
|Stripe v1||Migrate to Stripe v2|
|Access WorldPay (Note: this gateway will be available soon)||No|
|Vantiv (Litle)||Migrate to Access Worldpay|
|WorldPay (Corporate Gateway)||Migrate to Access Worldpay|