PPD, TEL, AND WEB STANDARD ENTRY CLASS (SEC)

2.1 PPD, TEL, AND WEB STANDARD ENTRY CLASS (SEC)

2.1.1 WRITTEN AUTHORIZATION (PPD)

Best practices dictate that the ACH Payment Authorization be evidenced by a separate signature,
which is distinct from the customer’s signature accepting any contract for goods or services. The
customer should separately and specifically acknowledge the payment authorization as opposed
to simply incorporating the authorization language into the body of the agreement or contract.

2.1.2 SINGLE ENTRY WRITTEN PAYMENTS

Written authorization must include the below:

  • A clear indication of whether the entry is a debit or credit transaction

  • Customer’s name as it appears on the bank account

  • A statement that the customer is a signer on the account to be debited or credited

  • Name of originator (your company)

  • Customer’s bank Routing Number and Account Number, which you should verify before initiating the transaction

  • An express statement authorizing the payment amount

  • The effective entry date inclusive of recognition that the customer has given your company permission to debit the customer’s account

  • Date of authorization

  • Instructions about terms and conditions, sale, payment, subscription or service and how to revoke it, return, or terminate the transaction

  • Contact information for the originator (your company)

  • Revocation language that notifies the customer of their right to “revoke” their authorization only by following the terms for doing so as specified by the merchant
    in the authorization

2.1.3 Recurring Written Payments

Written authorization must include the below:

  • A clear indication of whether the entry is a debit or credit transaction

  • Verbiage indicating that the transaction is a recurring payment, as well as the timing, number, and frequency of payments

  • Customer’s name as it appears on the bank account

  • A statement that the customer is a signer on the account to be debited or credited

  • Name of originator (your company)

  • Customer’s bank Routing Number and Account Number, which you should verify before initiating the transaction

  • An express statement authorizing the payment amount

  • The effective entry date inclusive of recognition that the customer has given your company permission to debit the customer’s account

  • Date of authorization

  • Instructions about terms and conditions, sale, payment, subscription or service and how to revoke it, return, or terminate the transaction

  • Contact information for the originator (your company)

  • Revocation language that notifies the customer of their right to “revoke” their authorization only by following the terms for doing so as specified by the merchant
    in the authorization

2.1.4 REQUIREMENTS FOR USING INTERACTIVE VOICE RESPONSE (IVR) OR VOICE RESPONSE UNIT (VRU)

IVR or VRU authentication of a consumer’s authorization must include:

  • Any PIN code to authenticate the consumer’s identity should be at least 4 digits

  • If there isn’t a pre-existing relationship with the consumer, the PIN code should be
    printed on the written authorization previously mailed to the consumer to evidence
    the consumer’s possession of the written authorization

  • Retain a copy of the authentication code relayed by the consumer.

  • If the consumer verbally expresses the authentication code, you must make and retain an audio recording of the consumer’s statement of the code.

  • If the consumer relays the authentication code by key-entering it into a IVR or VRU, a record of the keystrokes must be retained.

  • You must retain a copy of both the written authorization and the IVR or VRU authorization, including the consumer’s use of the authentication code.

2.1.5 TELEPHONE PAYMENTS (TEL)

Telephone initiated entries may be used for orally initiated telephone debit transactions only.
Originators may not utilize TEL Standard Entry Class (SEC) code to transmit credit entries to their
client’s accounts unless those entries are refunds. Moreover, a merchant may only initiate a TEL
transaction with a customer with whom it has a prior relationship. If a merchant does not have a
prior relationship with a customer, the merchant can only process a TEL transaction if the customer
initiated the call. The merchant must take commercially reasonable steps to verify the identity of
the customer.

2.1.5.1 Single Entry Telephone Payment

Suggested best practice for one time payments are that you disclose that you are recording
the telephone conversation and that you record the customer’s verbal authorization and send
a confirmation email (must obtain permission to send email) or letter*. A recording is verifiable
evidence that the payment was compliant and duly authorization. The confirmation letter is
physical evidence that the transaction was authorized. (See example script at the end of the
packet)*
Sample Script must include the below:

  • Customer’s name as it appears on the bank account

  • A statement that the customer is a signer on the account to be credited or debited

  • Name and contact information of the originator (your company)

  • Customer’s bank Routing Number and Account Number, which you must attempt to verify using commercially reasonable means

  • Clear indication of the total amount of the transaction and the method for calculating the amount due

  • Verbiage indicating that the transaction is a one-time payment

  • Date of oral authorization inclusive of recognition of the business’ permission to debit the customer’s account (i.e. I authorize Company A to debit my account on today’s date_____.)

  • Confirm all payment details including payment effective date

  • Must provide the originator (your company) contact information that is available during normal business hours

  • A statement that the authorization will be used to originate a one-time ACH debit entry to the consumer’s bank account

  • The method the customer may use to revoke the authorization and the deadline for doing so

2.1.5.2 Recurring Telephone Payments

MUST contain both a voice recording and a confirmation reminder or letter* (See example script at
the end of the packet)*
Sample Script must include the below:

  • Customer’s name as it appears on the bank account and that they are the signer on the account

  • Name and contact information of the originator (your company)

  • Customer’s bank Routing Number and Account Number, which you must attempt to verify using commercially reasonable means

  • Clear indication of the total amount of each debit transaction and the method for calculating the amount due

  • Verbiage indicating that the transaction is a recurring payment, as well as the timing, number, and frequency of payments

  • Date of oral authorization inclusive of recognition of the business’ permission to debit the customer’s account (i.e. I authorize Company A to debit my account on today’s date_______.)

  • Confirm all payment details including payment effective date

  • Must provide the originator (your company) contact information that is available during normal business hours

  • A statement that the authorization will be used to originate recurring ACH debit entries to the customer’s bank account and the amount of each payment

  • The method the customer may use to revoke the authorization and the deadline for doing so
    *Never send the complete bank account in a non-encrypted email or letter. It is recommended that, for
    clarity sake, you should state only the last four digits of the account and omit the bank routing number.

2.1.6 REQUIREMENTS FOR USING INTERACTIVE VOICE RESPONSE (IVR) OR VOICE RESPONSE UNIT (VRU)

IVR or VRU authentication of a consumer’s authorization must include:

  • Any PIN code to authenticate the consumer’s identity should be at least 4 digits

  • If there isn’t a pre-existing relationship with the consumer, the PIN code should be printed on the written authorization previously mailed to the consumer to evidence
    the consumer’s possession of the written authorization

  • Retain a copy of the authentication code relayed by the consumer.

  • If the consumer verbally expresses the authentication code, you must make and retain an audio recording of the consumer’s statement of the code.

  • If the consumer relays the authentication code by key-entering it into a IVR or VRU, a record of the keystrokes must be retained.

  • You must retain a copy of both the written authorization and the IVR or VRU authorization, including the consumer’s use of the authentication code.

2.1.7 WEB AUTHORIZATIONS (WEB)

WEB transactions cannot be used to debit a corporate account. Although not required, it is
recommended that you request and capture the address of the customer as well as their
phone number and email address. The more information that you capture in regards to the
payment, the more apparent it is that the customer did visit the payment page and did
voluntarily enter the payment. After every transaction, a confirmation notice or sales receipt
must be sent to the customer for confirmation of the transaction*. The merchant must take
commercially reasonable steps to verify the identity of the customer. Moreover, you must
establish a methodology to ensure you use a secure Internet connection. The payment
page must reside on a server protected by a shared or dedicated TSL certificate.

2.1.8 SINGLE PAYMENT INITIATED ONLINE OVER THE INTERNET

  • Must be in writing and signed or similarly authenticated. You should prompt the

customer to print the authorization and retain a copy for their records.

  • Customer’s name as it appears on the bank account and that they are a signer on the account

  • Name and contact information of the originator (your company)

  • Customer’s bank Routing Number and Account Number, which you must attempt to verify using commercially reasonable means

  • Clear indication of the total amount of each debit transaction and the method for calculating the amount due

  • Must present a clear disclosure prior to the submit/payment button (i.e. I authorize Company A to debit my account.)

  • Effective entry date

  • Client authentication page (i.e.: full name, address, email, etc.)

  • ‘Submit’ payment button

  • A statement that the authorization will be used to originate a one-time ACH debit entry to the consumer’s bank account

  • The method the customer may use to revoke the authorization and the deadline for doing so.

*Best practice for WEB authorizations are to retain a copy of the sales email or letter as evidence ofthe transaction.

2.1.9 WEB CONFIRMATION EMAIL OR LETTER

Sales receipt to be printed, saved, or emailed verifying the following minimum information:

  • IP address of the customer

  • An indication as to whether the customer was “authenticated”

  • Date and time stamp of the entry

  • Effective date of the payment

  • Customer name and contact information

  • Amount of the payment

  • Bank Routing and Account Number

  • The method the customer may use to revoke the authorization and the deadline for doing so

2.1.10 RECURRING PAYMENT INITIATED ONLINE OVER THE INTERNET

  • Must be in writing and signed or similarly authenticated. You should prompt the customer to print the authorization and retain a copy for their records.

  • Customer’s name as it appears on the bank account and that they are a signor on the account

  • Name and contact information of the originator (your company)

  • Customer’s bank Routing Number and Account Number, which you must attempt to verify using commercially reasonable means

  • Clear indication of the total amount of each debit transaction and the method for calculating the amount due

  • Verbiage indicating that the transaction is a recurring payment, as well as the timing, number, and frequency of payments

  • Must present a clear disclosure prior to the submit/payment button (i.e. I authorize Company A to debit my account.)

  • Effective entry date

  • Client authentication page (i.e.: full name, address, email, etc.)

  • ‘Submit’ payment button

  • A statement that the authorization will be used to originate recurring ACH debit entries to the consumer’s bank account and the amount of each payment

  • The method the customer may use to revoke the authorization and the deadline for doing so

2.1.11 WEB CONFIRMATION/REMINDER EMAIL OR LETTER

Sales receipt to be printed, saved, or emailed verifying the following minimum information:

  • IP address of the customer

  • An indication as to whether the customer was “authenticated”

  • Date and time stamp of the entry

  • Effective date of the payment

  • Timing, number, and frequency of the transaction inclusive of recurring verbiage

  • Customer name and contact information

  • Amount of the payment

  • Bank Routing and Account Numbers*

  • The method the customer may use to revoke the authorization and the deadline for doing so

*Never send the complete bank account number in a non-encrypted email or letter. It is recommended that,
for clarity sake, you should state only the last four digits of the account and omit the bank routing number.
Best practice for WEB authorizations are to retain a copy of the sales email or letter as evidence of the
transaction.

 2.1.12 RECURRING PAYMENT INITIATED ONLINE OVER THE INTERNET

  • Must be in writing and signed or similarly authenticated. You should prompt the customer to print the authorization and retain a copy for their records.

  • Customer’s name as it appears on the bank account and that they are a signor on
    the account

  • Name and contact information of the originator (your company)

  • Customer’s bank Routing Number and Account Number, which you must attempt to
    verify using commercially reasonable means

  • Clear indication of the total amount of each debit transaction and the method for calculating the amount due

  • Verbiage indicating that the transaction is a recurring payment, as well as the timing, number, and frequency of payments

  • Must present a clear disclosure prior to the submit/payment button (i.e. I authorize
    Company A to debit my account.)

  • Effective entry date

  • Client authentication page (i.e.: full name, address, email, etc.)

  • ‘Submit’ payment button

  • A statement that the authorization will be used to originate recurring ACH debit entries to the consumer’s bank account and the amount of each payment

  • The method the customer may use to revoke the authorization and the deadline for doing so

2.1.13 WEB CONFIRMATION/REMINDER EMAIL OR LETTER

  • Sales receipt to be printed, saved, or emailed verifying the following minimum information:
    IP address of the customer

  • An indication as to whether the customer was “authenticated”

  • Date and time stamp of the entry

  • Effective date of the payment

  • Timing, number, and frequency of the transaction inclusive of recurring verbiage

  • Customer name and contact information

  • Amount of the payment

  • Bank Routing and Account Numbers*

  • The method the customer may use to revoke the authorization and the deadline for
    doing so

*Never send the complete bank account number in a non-encrypted email or letter. It is recommended that,
for clarity sake, you should state only the last four digits of the account and omit the bank routing number.
Best practice for WEB authorizations are to retain a copy of the sales email or letter as evidence of the
transaction.