Bluefin Issues White Paper on Nacha Supplemental Data Security Rule and Bluefin’s ShieldConex® Data Security Platform


The new rule will require the protection of stored ACH account numbers starting in June 2021.

“The supplement highlights a specific area specifying what data must be protected at rest – Account Numbers – and also specifies that this applies to electronic storage as part of the ACH process,” said Dan Fritsche, CISSP, author of the paper and founder of Alpine Security Consulting.

Bluefin, the leading provider of payment security technologies, including PCI-validated Point-to-Point Encryption (P2PE) solutions and ShieldConex® data tokenization, announced the issuance of a new white paper authored by Alpine Security Consulting on Nacha’s upcoming rule on Supplementing Data Security Requirements.

Beginning on June 30th, 2021, the new Nacha rule states that organizations handling over 6 million ACH payments annually will need to protect Account Numbers when at rest (stored electronically). On June 30th, 2022, the rule will extend to organizations with over 2 million ACH payments annually.

“Data breaches are at an all-time high, with the number of breaches increasing 273% in the first quarter, compared to the same time last year, according to a study by cloud computing company Iomart,” said Ruston Miles, founder, Bluefin. “Cybercriminals are attacking every point of entry, whether online or at the point-of-sale, while simultaneously hacking into systems and networks to find clear-text personal and financial data that they can then resell on the Dark Web. Consumer account information is one of the most lucrative pieces of data that needs to be protected upon entry and storage.”

In 1986, Nacha updated its rules with a Data Security Policy aimed at encouraging ACH participants to implement up-to-date data security techniques, and to stay current with relevant techniques, so as to ensure a high level of quality and reliability across the ACH network. Since then, additional updates have clarified the important aspects of data security and introduced timelines for more specific enforcement of those updates.

“The supplement highlights a specific area within Nacha’s Section 1.6, specifying what data must be protected when at rest – Account Numbers – and also specifies that this applies to electronic storage as part of the ACH process,” said Dan Fritsche, CISSP, author of the paper and founder of Alpine Security Consulting. “The paper also includes information on NACHA's existing requirements for transmission security and the alignment of storage and transmission protection rules relative to PCI requirements.”

The white paper clarifies which Nacha rules apply to which organizations and what this means when handling ACH transactions. The paper also reviews the updated ACH supplement, the timelines for enforcement, and how the ACH rules compare to PCI requirements. The paper discusses the methodologies for protecting account data, including encryption and tokenization, and highlights Bluefin’s ShieldConex® data security platform to address the new rule. ShieldConex is a vaultless, cloud-based, format-preserving tokenization (FPT) solution that provides protection for Account Data and Account Numbers not only in storage, but also upon entry into online web forms.

The white paper is available for download, along with an accompanying third-party, independent assessment on ShieldConex conducted by Qualified Security Assessor (QSA) and cybersecurity firm, Foregenix.

About Bluefin

Bluefin specializes in payment and data security technologies that protect point-of-sale (POS) and online transactions. Our security suite includes PCI-validated point-to-point encryption (P2PE) for contactless face-to-face, call center, mobile and unattended payments, and our ShieldConex® data security platform for the protection of Personally Identifiable Information (PII), Personal Health Information (PHI), and payment data entered online. The company’s partner network currently includes over 130 processors, payment gateways and ISVs operating in 32 countries, which provide Bluefin’s P2PE solutions direct to merchants, enterprises, healthcare organizations and more. Bluefin is a Participating Organization (PO) of the PCI Security Standards Council (SSC) and is headquartered in Atlanta, with offices in Waterford, Ireland. For more information, please visit

About Alpine Security Consulting

Alpine was founded by Dan Fritsche, CISSP, to fulfill a passion to help businesses, and the people who work in them, overcome today's cybersecurity challenges and succeed in new ways by leveraging the untapped value that an innovative approach to security can provide. With a background of over 20 years in technology, security and compliance, Alpine's skill set can help virtually any business learn how to leverage innovative security technologies, translating security investments into tangible business value. For more information, please visit


Contact Author

Danielle Duclos