Welcome to the Check Assist   

#1
04-15-2005, 01:47 PM
Jim (ACHiever)
Join Date: Nov 2004
Location: Pensacola, Florida
Posts: 88
NACHA Rules regarding WEB Transactions

NACHA sets forth the following requirements for WEB transactions (Pages OG 183 – OG 190 of the 2005 NACHA rules book):

1) A commercially reasonable system must be in place to verify the receiver’s (checkwriter’s) identity.
2) The web site operator must maintain a secure site to provide security for the following information:
    a) Entry data; route number; account number; PIN or identifying information.
    b) Information captured or stored on the website must be encrypted using 128-bit RC4 encryption technology.
    c) The web site operator must conduct an annual security audit meeting NACHA audit requirements.
    d) Authorization must be provided through a digital signature, password, or some other authentication.

In order for Electronic Recovery, Inc. to process WEB transactions, the following would be required:

1) The merchant would have to sell a tangible good or service that is priced at a value that would be paid by a reasonable person.
2) The merchant would have to provide a written description of how the customer’s identity is validated, and the process would have to conform to NACHA’s guidelines as stated in the rules.
3) The merchant would have to capture, and store for 2 years, the digital authorization. This authorization must be provided upon request within 2 business days.
4) The merchant would have to submit a final security audit before processing WEB transactions, and each year thereafter.

#2
05-29-2007, 03:26 PM
Jim (ACHiever)
Join Date: Nov 2004
Location: Pensacola, Florida
Posts: 88
AUTHORIZATION REQUIREMENTS (Internet-Initiated Entries - WEB)

Below is an excerpt from the 2007 NACHA Operating Guidelines, page OG 224, Section IV, Chapter XVI, Subsection F, Number 2:

AUTHORIZATION REQUIREMENTS (Internet-Initiated Entries)

Originators of WEB entries must obtain the consumer’s authorization prior to initiating a debit entry under this application. Although the NACHA Operating Rules do not prescribe specific authorization language for the WEB application, the authorization must conform to the requirements of the NACHA Operating Rules, which require that the authorization (1) be in a writing that is signed or similarly authenticated by the Receiver, (2) be readily identifiable as an ACH debit authorization, (3) clearly and conspicuously states its terms, and (4) must (for recurring payments only) provide the Receiver with a method to revoke their authorization by notifying the Originator in the manner prescribed.

To meet the first requirement that the authorization be in writing, in the context of WEB entries, this means that the consumer must be able to read the authorization language displayed on a computer screen or other visual display. The Originator should prompt the consumer to print the authorization and retain a copy. The Originator must be able to provide the consumer with a hard copy of the authorization if requested to do so. Only the consumer may authorize the WEB transaction, and not a Third-Party Service Provider on behalf of the consumer.

The NACHA Operating Rules include the use of a digital signature or code to similarly authenticate a written authorization. This does not exclude other methods of similarly authenticating an authorization, such as a shared secret, passwords, biometrics, etc. To satisfy the requirements of the NACHA Operating Rules, which parallel Regulation E, the authentication method chosen must not only identify the consumer but also must demonstrate the consumer’s assent to the authorization.

The Federal Reserve Board, in its Official Staff Commentary to Regulation E, has clarified that the similarly authenticated standard permits signed, written authorizations to be provided electronically, and that such writing and signature requirements are satisfied by compliance with the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.), which defines electronic records (as contracts or other records created, generated, sent, communicated, received, or stored by electronic means) and electronic signatures. Electronic signatures include, but are not limited to, digital signatures and security codes.
All times are GMT -6.