A WEB entry is a transaction for which the authorization is received via the Internet. WEB should only be used for Business to Consumer transactions and can only be debits, either Single or Recurring.
Authentication: Just like TEL transactions, WEB transactions require that the identification of the consumer be verified before the authorization piece takes place.*
Authorization: While there is no specific authorization language, the WEB authorization must follow these 4 basic rules:
1) be in a writing that is signed or similarly authenticated*
2) be readily identifiable as an ACH Debit authorization
3) clearly and conspicuously state its terms, and
4) (for recurring payments only) provide the Receiver with a method to revoke their authorization by notifying the Originator in the manner prescribed.
It’s a good idea from a Proof of Authorization standpoint to capture the IP address and time/date stamp for each transaction authorized.
* Notes:
WEB entries may be either Single one-time entries or Recurring entries, designated by an S for Single or an R for Recurring in the Payment Type Code Field of the Entry Detail Record.
The Originator must use a commercially reasonable procedure to verify the consumer’s Routing Number.
Authorization #1 – This means that the authorization is displayable for the consumer to read on a computer screen, and the consumer should be prompted to print and retain a copy of the authorization. The consumer must then be able to demonstrate their assent to the terms and conditions of the authorization by clicking an “I Agree”, “OK”, or similar button before moving on to complete their transaction.
The Originator must ensure that account information is exchanged only during a secure Internet session using, at a minimum, 128-bit RC4 encryption, which is considered Commercially Reasonable.
Originators of WEB entries are required by the ACH Operating Rules to conduct an Annual Security Audit of their security practices and procedures that includes, at a minimum, adequate levels of:
1) physical security to protect against theft, tampering, or damage
2) personnel and access controls to protect against unauthorized access and use, and
3) network security to ensure secure capture, storage and distribution of financial information
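The Proof of Authorization capture described above could look like the following. This is an added example, not code from the original post or the ACH Operating Rules. The field names, the use of the ABA check-digit test as a first-pass routing number check, and the sample values are assumptions.

```python
import hashlib
import ipaddress
from datetime import datetime, timezone


def routing_checksum_ok(routing):
    """ABA check-digit test: catches typos only, it does not prove the account exists."""
    if len(routing) != 9 or not (routing.isascii() and routing.isdigit()):
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def build_authorization_record(auth_text, consumer_assented, payment_type,
                               routing, client_ip, revocation_method=None, now=None):
    """Return a Proof of Authorization record; raise ValueError if a rule is unmet."""
    if not consumer_assented:
        raise ValueError("consumer did not click to agree to the authorization")
    if payment_type not in ("S", "R"):
        raise ValueError("Payment Type Code must be S (Single) or R (Recurring)")
    if payment_type == "R" and not revocation_method:
        raise ValueError("recurring authorization must state how to revoke it")
    if not routing_checksum_ok(routing):
        raise ValueError("routing number fails the check-digit test")
    ip = ipaddress.ip_address(client_ip)  # raises ValueError on a malformed address
    # Pass a timezone-aware datetime as `now`; defaults to the current UTC time.
    stamp = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "payment_type_code": payment_type,
        "routing_number": routing,
        "client_ip": str(ip),
        "authorized_at_utc": stamp.isoformat(),
        # Hash of the exact text displayed, so the stored terms can be matched later.
        "auth_text_sha256": hashlib.sha256(auth_text.encode("utf-8")).hexdigest(),
        "revocation_method": revocation_method,
    }


if __name__ == "__main__":
    # Constructed sample values: test routing number, documentation-range IP.
    record = build_authorization_record(
        auth_text="I authorize Example Co. to debit my account via ACH each month.",
        consumer_assented=True, payment_type="R", routing="123456780",
        client_ip="203.0.113.7", revocation_method="email billing@example.com",
    )
    print(record)
```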
You should understand that because of the anonymous nature of WEB transactions, they are considered a high-risk type of ACH transaction. That doesn’t mean that they are difficult to implement or cumbersome for your customers; it’s just the nature of the beast. Stay tuned for ARC next.
Posted by achguy 