(May 12, 2010) With processors, banks, and merchants across the country buttoning down credit and debit card data to keep them out of criminal hands, processors are starting to turn their attention to the information they and their client merchants collect from automated clearing house transactions. ProPay Inc., a Lehi, Utah-based merchant processor specializing in e-commerce payments, this week announced it is extending to ACH data the encryption and tokenization program it uses for clients’ card information.

While masking transaction data and generating tokens to stand in for these data is increasingly common for credit and debit card payments, few organizations that touch ACH transactions have taken such steps. “As far as I know, [ProPay] is unique,” says Avivah Litan, a technology analyst at Stamford, Conn.-based Gartner Inc. who follows data-security issues. “This is a first for a payment processor.”

ProPay says its ProtectPay service, which it introduced in February of last year for card data, is now commercially available for ACH transaction data, which includes sensitive credentials such as bank account and routing numbers. Indeed, ProPay officials argue that, if anything, ACH data can be even more dangerous in the wrong hands than card information. “If I get your account and routing number, there are any number of things I can do,” observes Chris Mark, executive vice president at ProPay for data security and compliance. “I can clean out your bank account.” Small businesses are particularly vulnerable to such fraud, since funds are usually long gone by the time businesses discover anything amiss, and banks are not obliged to make them whole.

Getting estimates of the extent of the problem isn’t easy, since most regulators and other organizations don’t measure it as a matter of routine, says Litan. Herndon, Va.-based NACHA, which regulates the ACH, and many banks point out that unauthorized return rates are dropping on the network, which reaches almost every financial institution in the country. But observers point out that much ACH fraud is tied to malware that sniffs out log-on credentials, allowing hackers to make electronic transfers of funds. Speaking at a security conference earlier this year, an examiner with the Federal Deposit Insurance Corp. put ACH- and wire-related fraud losses for small businesses at $125 million in the third quarter of last year. “We are seeing an increase in ACH-related crimes,” says ProPay’s Mark. “There’s definitely an increase in ACH data theft.”

ProPay’s new service encrypts ACH data as soon as they are received at the processor’s servers. The company then passes the data on to other gateways, if necessary, and assigns a sort of index number, or token, that corresponds to the data. The merchant receives and stores only the token, which is useless to thieves, but which can be used by the merchant if need be to call up transaction information.

Mark says ProPay doesn’t yet have a client using the new service, but adds that publicity surrounding it this week has generated interest. “We identified a need before we started getting a demand,” he says.

Many businesses just aren’t aware of their vulnerability, Mark argues. “They don’t perceive [ACH data] as high-risk data,” he says. “But criminals have picked up pretty quickly that it has a lot of value.” Litan says some of the complacency may stem from the fact that there is no equivalent to the Payment Card Industry data-security standard for the ACH. “You have to ask yourself why isn’t there a PCI around ACH and bank-account data,” she notes.