Payment Initiated Online Over the Internet

The ACH Rules governing a payment or series of payments initiated by a payer on a website (WEB) require that certain printed disclosures be provided on the web page where the payment is initiated. Those disclosures must be presented in a clear and demonstrable manner prior to (or above) the button via which the payer “Submits” the payment.

Best practice is for the website either to let the payer print or save a receipt of the transaction, or to dispatch an email notification verifying the details of the transaction to the payer at the conclusion of the transaction.

Some reasonable mechanism should be in place to verify the identity of the payer. Ideally, the payment page will reside behind a personal account requiring the payer to log in with, or establish, a user name and password. The payer and/or account should be associated with a customer/account number or other information that verifies the payer is the customer of record.

The payment page must reside on a server protected by a shared or dedicated SSL Certificate and reside behind a secure firewall. When on the payment page, the URL will begin with the designation https://. The “s” indicates a secure server address. The payment page must display the SSL Certificate credentials and provider. Adequate additional security provisions, such as activity monitoring, should be in place, and the server should be hosted in a secure datacenter or with a qualified web hosting provider. Please be certain that firewalls are regularly updated with current security patches and settings.

Example if authorization is for a single payment:

Text similar to that provided in the example below should appear adjacent to or above the tab on the payment page where the payer completes the transaction:

By clicking on “Submit” I hereby authorize (Business or Entity Name) to initiate an electronic withdrawal from the above indicated bank account in the amount entered (or provided) on this page. I understand that if this transaction is submitted after 6:00 PM Eastern Standard Time, it will have an effective date of no sooner than the next business-banking day and will show as a withdrawal from my account on that date. If I wish to rescind this authorization and cancel this payment, or the amount withdrawn from my account is different than the amount authorized herein, I may call (Customer Service Number) during the following business hours (Business Days and Hours). Furthermore, I assert that I am the owner or an authorized signer of the bank account provided.

Example if the authorization is for a series of recurring payments:

By clicking “Submit” I hereby authorize (Business Name or Entity) to initiate (monthly, weekly, quarterly, or annual) electronic debit withdrawals from the indicated bank account for payments in the amount of (Amount) (or as they become due and payable under the terms and conditions of the agreement) and as described herein.

The first payment will be withdrawn from your bank on (Month / Day) or (the following business banking day), then, (Number) subsequent payments on the (Day) of each (Month or other specified cycle) for the duration of this authorization and term of your (Agreement, subscription, service plan, payment plan, etc.). I understand that if this transaction is submitted after 6:00 PM Eastern Standard Time, it will have an effective date of no sooner than the next business-banking day and will show as a withdrawal from my account on that date. If I wish to rescind this authorization and cancel this payment, or the amount withdrawn from my account is different than the amount authorized herein, I may call (Customer Service Number) during the following business hours (Business Days and Hours). Furthermore, I assert that I am the owner or an authorized signer of the bank account provided.

It is strongly recommended, but not required, that your web payment application dispatch an email confirmation to the Payer. If providing an email confirmation, please do not include complete bank routing and account numbers in that email.

WEB Proof of Authorization:

A copy of the web page on which the proper disclosures (per the sample above) were provided and on which the payment information (Payer Name, Bank Name, Amount, Routing and Account Numbers) is entered.

Additionally, a system-generated electronic record of the transaction that contains the following minimum information, in no particular order or format:

  1. IP Address of the Payer
  2. An indication as to whether the Payer was “Authenticated”.
    1. “Authenticated” means that the Payer had to log into an account with a user name and password or other identifying information, such as an account number, in order to make the payment, or first had to create an account on the system prior to making the payment.
    2. Alternatively, was a solution utilized in order to attempt to verify the identity of the Payer?
  3. Date and time stamp of the entry
  4. Payer Name
  5. Amount of the Payment
  6. Payer’s Bank Name
  7. Routing Number
  8. Account Number
  9. Purpose of the payment
  10. The IP Address of the web page where the payment was entered.

Although not required, it is recommended that you request and capture the address of the Payer as well as their phone number and email address. The more information that you capture in regard to the payment, the more apparent it is to an observer that the Payer did visit the payment page and did voluntarily enter the payment.
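One way to assemble the minimum electronic record listed above, together with a confirmation email that leaves out complete routing and account numbers, as an added example (not code from the original page). The key names, the `mask` helper and the sample values are assumptions of this example.

```python
import json
from datetime import datetime, timezone
from decimal import Decimal

# The ten minimum fields listed above (key names are assumptions of this example).
REQUIRED = ("payer_ip", "authenticated", "timestamp", "payer_name", "amount",
            "bank_name", "routing_number", "account_number", "purpose", "page_ip")

def mask(number, visible=4):
    """Replace all but the last `visible` digits with '*'; mask short values fully."""
    digits = "".join(c for c in str(number) if c.isdigit())
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]

def build_record(form, payer_ip, page_ip, authenticated, now=None):
    """Assemble the proof-of-authorization record; refuse to build an incomplete one."""
    record = {k: str(form.get(k, "")).strip()
              for k in ("payer_name", "bank_name", "routing_number",
                        "account_number", "purpose")}
    record.update(
        payer_ip=payer_ip,
        page_ip=page_ip,
        authenticated=bool(authenticated),  # False is a valid, recorded answer
        timestamp=(now or datetime.now(timezone.utc)).isoformat(),
        amount=str(Decimal(str(form.get("amount", "0"))).quantize(Decimal("0.01"))),
    )
    missing = [k for k in REQUIRED if record.get(k) in ("", None)]
    if missing or Decimal(record["amount"]) <= 0:
        raise ValueError(f"incomplete authorization record: {missing or ['amount']}")
    return record

def confirmation_email(record):
    """Body for the payer's confirmation: partial bank numbers only."""
    return (f"Payment of ${record['amount']} from {record['payer_name']} "
            f"authorized {record['timestamp']} for: {record['purpose']}\n"
            f"Bank: {record['bank_name']}, routing {mask(record['routing_number'])}, "
            f"account {mask(record['account_number'])}\n")

# Constructed sample submission (placeholder bank numbers, documentation-range IPs).
SAMPLE_FORM = {"payer_name": "Pat Example", "bank_name": "Example Bank",
               "routing_number": "000000000", "account_number": "000123456789",
               "amount": "125.5", "purpose": "Invoice 1001"}

if __name__ == "__main__":
    rec = build_record(SAMPLE_FORM, "203.0.113.7", "198.51.100.10", True)
    print(json.dumps(rec, indent=2))   # full record, kept as proof of authorization
    print(confirmation_email(rec))     # what the payer is emailed
```

The stored record keeps the full routing and account numbers because the proof of authorization requires them; only the emailed copy is masked.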
