PCI compliance doesn't apply to ACH payment processing, but using a processing platform that is PCI DSS Level 1 certified certainly doesn't hurt the security of your ACH origination method. NACHA doesn't have an established security certification process like the credit card world does, but it does require that processes, controls and procedures are employed to protect sensitive data such as bank account information. Tokenization accomplishes that.
A token is a reference object that consists of numeric or alphanumeric data that is returned to an application that replaces banking account data that is sent from the application for the purpose of originating an ACH transaction. The application could be an external software application that is integrated for payments processing and developed by an organization that has a processing relationship with a third party processor (TPP), or it could be an application developed by the TPP itself, e.g., a virtual terminal.
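As an added illustration of the token model described above (example code, not the page's or any processor's own implementation): the integrated application only ever holds an opaque random token, the vault on the processor side holds the only copy of the routing and account numbers, and the token is dereferenced solely when the ACH entry is built. The routing and account numbers are constructed sample values; the ABA check-digit test is the standard 3-7-1 weighting.

```python
import secrets

# Constructed sample bank data for this example (not real customer data).
SAMPLE_ROUTING = "011000015"
SAMPLE_ACCOUNT = "000123456789"


def routing_checksum_ok(routing: str) -> bool:
    """ABA routing number check: weighted digit sum (3,7,1 repeating) must be divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


class TokenVault:
    """Processor-side store: the only place routing/account numbers live."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}

    def tokenize(self, routing: str, account: str) -> str:
        if not routing_checksum_ok(routing):
            raise ValueError("invalid routing number")
        # Random token: carries no information about the underlying account,
        # so a copy of it is useless outside this vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (routing, account)
        return token

    def detokenize(self, token: str):
        return self._store.get(token)


def build_origination_request(token: str, amount_cents: int) -> dict:
    """What the integrated application transmits: a token and an amount, no bank data."""
    return {"token": token, "amount_cents": amount_cents}


def processor_build_entry(vault: TokenVault, request: dict) -> dict:
    """Third-party processor side: dereference the token only when creating the ACH entry."""
    data = vault.detokenize(request["token"])
    if data is None:
        raise KeyError("unknown token")
    routing, account = data
    return {"routing": routing, "account": account, "amount_cents": request["amount_cents"]}


def demo():
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_ROUTING, SAMPLE_ACCOUNT)
    request = build_origination_request(token, 12500)
    return token, request, processor_build_entry(vault, request)
```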
A reference token means absolutely nothing to a would-be data thief. On the other hand, theft of bank routing and account numbers could lead to a pile of cash in the hands of an unscrupulous individual with access to the ACH network. While I'm not going to write out a game plan for individuals of this sort, it is possible.
Let's not forget the legal consequences of not protecting sensitive bank data. It would only take one individual to take action against a company that had not been protecting bank account data, was compromised, and saw funds fraudulently obtained from the real account holders. Moreover, chargeback fines can be imposed when the real account holders go to their bank and complete an affidavit asserting that they did not authorize the fraudulent transactions debited from their bank account.
There are still client-side solutions being used for originating and managing ACH/EFT transactions where the complete string of sensitive data is being transmitted. Why would any organization take such a risk when there are competent ACH solutions available that not only tokenize, but are also PCI DSS Level 1 compliant and QSA certified?
If you need a secure method for originating your ACH transactions, contact us and we'll walk you through solutions that can meet your needs.