Setting Up NACHA 2021 Data Security Rules
You can enable NACHA 2021 Data Security rules to do the following:
- Store the Automated Clearing House (ACH) account number in encrypted form so that users cannot view it.
- Hide the Account Number field in view mode on the Company Bank Details and Entity Bank Details pages. The data entered in this field is stored in encrypted form.
NACHA requires the rules to be in effect by June 30, 2021, so you must enable them in NetSuite on or before that date.
Because of the NACHA 2021 data security rules, you cannot update the Format Details record directly. The record can be updated only from the Company Bank Details page.
To enable NACHA 2021 rules:
- Go to Payments > Setup > Electronic Payments Preferences.
- Click Edit.
- On the General Preferences subtab, check the Apply NACHA Rules box. Only the Administrator role can check this box.
- Click Save.
- Click OK in the popup window.
- On the Encryption Details form, enter a 16-digit secret key in the Encryption Secret Key field. After you set the secret key, the system uses it to encrypt and decrypt the ACH account numbers.
- Click Save.
After saving, all ACH native templates and the ACH account numbers on the Company Bank Details and Entity Bank Details pages are encrypted before they are stored in the database.
If you use custom templates, check the Encrypt Account Number and Hide Account Number boxes on each ACH custom template. Then perform a dummy edit of the company bank and entity bank details that use the custom template: open the Company Bank Details page in edit mode and click Save without changing anything, so that the stored account numbers are encrypted for the custom template. Repeat the same procedure for entity bank details on the Entity Bank Details page.
To configure ACH encryption after enabling the NACHA 2021 rules, you must perform the following actions:
- Disable the edit permission on the encrypted ACH payment files, which are stored in the file cabinet, so that they cannot be edited. For more information on disabling the permission, see the SuiteAnswers support article Role Able to Access Restricted Files via 'Attach File' Column or via File URL, ID 34568.
- To get the decrypted account number, first check the Encrypt Account Number box on the custom template. Then replace the account number reference in the Account Number field of the custom ACH bank file format template. Repeat this for every custom ACH template.
When you check the Encrypt Account Number box, make sure the following fields are added to their respective custom templates.
Field Type | Field Name | Field ID | Required
Reference Fields | Account Number | custrecord_2663_acct_num | No
Entity Reference Fields | Bank Account Number | custrecord_2663_entity_acct_no | No
- The existing variable ebanks still holds all the values of the Entity Bank Details record, but the account number it carries is the encrypted value. To get the decrypted account number, use the ebank_accountnums.list variable, which provides the list of account numbers in decrypted form, and replace the existing reference with ebankAccNum.custrecord_2663_entity_acct_no.
Example:
<#assign ebank = ebanks[payment_index]>
<#assign ebankAccNum = ebank_accountnums.list[payment_index]>
<#-- Prints the decrypted account number -->
${setLength(ebankAccNum.custrecord_2663_entity_acct_no,17)}
<#-- Prints the encrypted account number, as stored in the database -->
${setLength(ebank.custrecord_2663_entity_acct_no,17)}
Note the following about ACH account number encryption:
- ACH account numbers are not displayed in saved searches or reports.
- You cannot preview a decrypted file. To view it, download the decrypted file to your local machine by using the Download Decrypted File hyperlink on the Payment File Administration page.
To download the decrypted file:
- Go to Payments > Payments Processing > Payment File Administration.
- Click Edit next to a PFA record.
- On the Payment File Administration record, click the Download hyperlink in the Download Decrypted File field.
- Click Save to save the decrypted file to your local machine.
- If you use a third-party integration for file transfer, first download the file locally. Then transfer it again by uploading it to the file cabinet or to any other location as required.
- The NACHA changes do not apply to existing PFAs unless they are recreated or reprocessed; until then, the account numbers in those files remain unencrypted.
NetSuite is not responsible for any data breach after files are downloaded to a local machine. Responsibility for securing the payment files rests entirely with the user or account.
Using the Encryption for Account Numbers
After you enable the NACHA 2021 rules and configure ACH payment file encryption, the account numbers in company bank and entity bank details are stored in encrypted form. This can break existing scripts, workflows, or account number fields that read those values. In such cases, you can obtain the decrypted account numbers through the Encryption Details page for the following account number fields in the custom records.
Field Name | Page | Script ID | Account Number Field
Format Details | Company Bank Details page | customrecord_2663_format_details | custrecord_2663_acct_num
Bank Details | Entity Bank Details page | customrecord_ | custrecord_2663_entity_acct_no
To access the decrypted account numbers, send an HTTP POST request with the required parameters to the Electronic Payments Encryption Suitelet. The request can be sent from any scheduled, user event (UE), or map/reduce (MR) script.
Electronic Payments Encryption Suitelet details:
Name of the Suitelet | EP Encryption Suitelet
Script ID | customscript_15152_encryption_suitelet
Deployment ID | customdeploy_15152_encryption_suitelet
Mandatory Request Parameters | action, actionInput
Parameter request details:
Parameter Name | Description | Required | Information
action | The action the Suitelet performs. Only encryption or decryption is supported. | Yes | Values: encrypt, decrypt
actionInput | The payload of the request on which the action is performed. | Yes | Provide plain text for encryption. For decryption, provide the string form of the cipher text. Example: {iv : dlfj123, ciphertext : kiuQTxCVioeX}
featureKey | Selects the GUID secret key to retrieve from the Encryption Details record. | No | If no value is provided, the system uses the NACHA key.
algorithm | String value naming the encryption algorithm. | No | The default value is AES. The supported algorithms are those available in crypto.EncryptionAlg of the N/crypto module.
inputEncoding | Encoding of actionInput. | No | Default values of this parameter are: supported encodings are listed in the N/encode encode.Encoding enum.
outputEncoding | Encoding applied to the output returned in the response. | No | Default values: supported encodings are listed in the N/encode encode.Encoding enum.
padding | Sets the padding parameter in crypto.createCipher and crypto.createDecipher. | No | Default value: PKCS5Padding. Supported values: crypto.Padding enum.
The GUID is retrieved using the secret key named by featureKey; each GUID is stored in the Encryption Details record under a unique key. If no key name is provided, the default NACHA key is used for encryption and decryption.
In the following script, the NACHA secret key is used, so the default GUID applies. A sample string is first encrypted and the cipherPayload form, containing the IV and ciphertext values, is returned. That output is then fed back as the input of a decryption request, and the result is the original plain text. The script demonstrates using the Encryption Suitelet for both encryption and decryption.
/**
 * Calls the EP Encryption Suitelet to encrypt a sample account number and then
 * decrypt the returned cipher payload, logging both responses.
 *
 * @NApiVersion 2.x
 * @NScriptType ScheduledScript
 */
define(['N/url', 'N/https'],
function(url, https) {
    function execute(context) {
        try {
            var scriptID = 'customscript_15152_encryption_suitelet';
            var deploymentID = 'customdeploy_15152_encryption_suitelet';
            // Sample plain text; featureKey can be left blank to use the NACHA key.
            var encryptParameters = {
                action : 'encrypt',
                actionInput : '12345678901234567890',
                featureKey : 'NACHA'
            };
            var suiteletURL = url.resolveScript({
                scriptId: scriptID,
                deploymentId: deploymentID,
                returnExternalUrl : true
            });
            var response = https.post({
                url: suiteletURL,
                body: encryptParameters
            });
            log.debug('Encryption Response', response.body);
            // actionOutput holds the string form of the cipher payload ({iv, ciphertext}).
            var encryptedObj = JSON.parse(response.body);

            // Feed the cipher payload back in as the input of a decryption request.
            var decryptParameters = {
                action : 'decrypt',
                actionInput : encryptedObj.actionOutput,
                featureKey : 'NACHA'
            };
            var decryptResponse = https.post({
                url: suiteletURL,
                body: decryptParameters
            });
            log.debug('Decryption Response', decryptResponse.body);
            var decryptedObj = JSON.parse(decryptResponse.body);
            // The decrypted value is assumed to come back in the same actionOutput field;
            // the round trip succeeds when it equals the original plain text.
            log.audit('Round trip matches', decryptedObj.actionOutput === encryptParameters.actionInput);
        } catch (e) {
            log.error('Encryption Suitelet request failed', e);
        }
    }
    return {
        execute: execute
    };
});