Automated Clearing House
Automated Clearing House is an electronic network for processing batches of debit and credit transactions between financial institutions in the USA. It is administered by the National Clearing House Association (NACHA).
The network can be used for the electronic transfer of funds between accounts. It is used for Direct Payment via Automated Clearing House (e.g. a recurring mortgage payments or an online consumer purchase) and Direct Deposit via Automated Clearing House (e.g. payroll payments, a refund made for an online purchase or a B2B payment).
The gateway allows you to process Direct Payments (payments) and Direct Deposits (refunds) via Automated Clearing House.
This page describes the requirements for processing Automated Clearing House payments via the Mastercard Gateway and provides an overview of the payment flow and details about the supported DirectAPI operations for Automated Clearing House payments.
Prerequisites
You must have an Automated Clearing House account configured with an Automated Clearing House acquirer.
- You must obtain explicit customer authorization before Automated Clearing House settlement can take place.
- Since Automated Clearing House is not a real-time network, returns can still take place even after the payment request has been submitted to the Mastercard Gateway.
- You must adhere to NACHA regulations. Compliance failure can carry substantial penalties. To keep up to date with current regulations, visit https://www.nacha.org/
- You must establish, implement and update policies, procedures and systems related to the initiation, processing and storage of entries, in order to:
- Ensure information confidentiality.
- Protect against threats to information security.
- Protect against unauthorized information use.
Automated Clearing House Data Flow
- The payer authorizes the payment or deposit.
NACHA-permitted Standard Entry Codes (SEC) are:
TEL
. Telephone-initiated entry.WEB
. Web-initiated entry.PPD
. Prearranged payment and deposits.
- The merchant sends a transaction request to the Mastercard Gateway.
Requests may be
PAY
,REFUND
orVOID
. - Mastercard Gateway issues a response containing status information (e.g.
APPROVED_PENDING_SETTLEMENT
).The transaction is added to the current batch for settlement.
The batch of transactions is closed in one of two ways:
- Once per day at the configured time.
- By you closing the currently-open batch by submitting an DirectAPI
CLOSE_BATCH
request. Any subsequent transactions will be added to a new batch.
At the end of the day, all closed batches that have not yet been submitted are collected into a settlement file and transmitted to the Automated Clearing House Acquirer.
- The Automated Clearing House Acquirer issues an immediate response, containing the validation result of the transmitted data (e.g.
APPROVED
orDECLINED
), and submits the payment requests to the Automated Clearing House network for processing.Notes:
- An
APPROVED
status issued by the Automated Clearing House Acquirer merely implies validated acceptance of the transmission for further processing; not an actual approval of the financial transaction. - To be notified of the Automated Clearing House Acquirer response, subscribe to Webhook Notifications.
- An
- The Automated Clearing House network manages the payment transactions between the applicable fincancial institutions.
- After a delay of up to 3 days, the Automated Clearing House Network sends an exception report of unapproved payment requests to the Automated Clearing House Acquirer, who will provide it for you .
Integrating Automated Clearing House payments
There are three options to integrate Automated Clearing House payments into your payment page:
If you have an existing Hosted Checkout integration, you can use Hosted Checkout to verify the Automated Clearing House payment details.
You can do this by setting interaction.operation=VERIFY
in the Create Checkout Session request. Hosted Checkout displays Automated Clearing House payments as a payment option to the payer. The data entered by the payer is verified using the verification methods supported by the configured acquirer.
You can determine the success of the verification operation by comparing resultIndicator
to successIndicator
. If the interaction was not successful, Hosted Checkout displays a message indicating that verification has failed and prompts the payer to try again.
If you have your own payment page then you can choose the Hosted Session integration option to have the Mastercard Gateway securely capture the Automated Clearing House payment details and store them into a payment session.
<html> <head> <!-- INCLUDE SESSION.JS JAVASCRIPT LIBRARY --> <script src="https://ap-gateway.mastercard.com/form/version/72/merchant/<MERCHANTID>/session.js"></script> <!-- APPLY CLICK-JACKING STYLING AND HIDE CONTENTS OF THE PAGE --> <style id="antiClickjack">body{display:none !important;}</style> </head> <body> <!-- CREATE THE HTML FOR THE PAYMENT PAGE --> <div>Please enter your Automated Clearing House details:</div> <div> <label class="control-label" id="ach-account-type-label">Account Type:</label> <select class="form-control col-sm-6" name="ach-account-type" id="ach-account-type"> <option value="CONSUMER_SAVINGS">Consumer Savings Account</option> <option value="CONSUMER_CHECKING" selected>Consumer Checking Account</option> <option value="CORPORATE_CHECKING">Business Checking Account</option> </select> </div> <div>Bank Account Holder: <input type="text" id="ach-account-holder" class="input-field" value="" readonly></div> <div>Bank Account Number:<input type="text" id="ach-account-number" class="input-field" value="" readonly></div> <div>Routing Number:<input type="text" id="ach-routing-number" class="input-field" value="" readonly></div> <div><button id="payButton" onclick="pay();">Pay Now</button></div> <!-- JAVASCRIPT FRAME-BREAKER CODE TO PROVIDE PROTECTION AGAINST IFRAME CLICK-JACKING --> <script type="text/javascript"> if (self === top) { var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { top.location = self.location; } PaymentSession.configure({ fields: { // ATTACH HOSTED FIELDS TO YOUR PAYMENT PAGE FOR ACH ach: { accountType: "#ach-account-type", bankAccountHolder: "#ach-account-holder", bankAccountNumber: "#ach-account-number", routingNumber: "#ach-routing-number" } }, //SPECIFY YOUR MITIGATION OPTION HERE frameEmbeddingMitigation: ["javascript"], callbacks: { initialized: function(response) { // HANDLE INITIALIZATION RESPONSE }, formSessionUpdate: function(response) { // HANDLE RESPONSE FOR UPDATE SESSION if (response.status) { if ("ok" == response.status) { console.log("Session updated with data: " + response.session.id); } else if ("fields_in_error" == response.status) { console.log("Session update failed with field errors."); if (response.errors.bankAccountHolder) { console.log("Bank account holder invalid."); } if (response.errors.bankAccountNummber) { console.log("Bank account number invalid."); } if (response.errors.routingNumber) { console.log("Routing number invalid."); } } else if ("request_timeout" == response.status) { console.log("Session update failed with request timeout: " + response.errors.message); } else if ("system_error" == response.status) { console.log("Session update failed with system error: " + response.errors.message); } } else { console.log("Session update failed: " + response); } } } }); function pay() { // UPDATE THE SESSION WITH THE INPUT FROM HOSTED FIELDS PaymentSession.updateSessionFromForm('ach'); } </script> </body> </html>
- Include the
session.js
client JavaScript library hosted by the gateway in your payment page. The path to this file includes both the api version and the merchant identifier for the session. - Create the HTML for the payment page containing the Automated Clearing House payment fields.
To prevent submission of sensitive data to the server, ensure the sensitive data fields arereadonly
and do NOT have thename
attribute. - Invoke
PaymentSession.configure(configuration)
function.
The
configuration
object allows you to attach hosted fields to your payment page. You need to provide the following:
- session(optional), if you do not provide one, the client library creates a payment session.
- field selectors for Automated Clearing House payment fields, which when provided are replaced with corresponding proxy fields embedded in iFrames hosted by the Mastercard Gateway. The proxy fields will have the same look and feel as the replaced fields.
-
mitigation option(s) for clickjacking prevention
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. To use Hosted Session, you must implement one or more of the following defenses against clickjacking attacks.
Frame Mitigation Option Implementation javascript
include "frame-breaker" JavaScript in your payment page. x-frame-options
your server should return an X-Frame Options HTTP response header. csp
your server should return Content-Security-Policy HTTP response header containing a frame-ancestors directive. You must specify which defenses are implemented via the
frameEmbeddingMitigation
parameter in thePaymentSession.configure(configuration)
call. For information on defending against clickjacking attacks, see Clickjacking Defense Cheat Sheet on the OWASP External Website. -
callbacks for handling various events during the Hosted Session interaction
initialized( )
: invoked when the hosted fields attach to your payment page.formSessionUpdate( )
: invoked in response to thePaymentSession.updateSessionFromForm('ach')
function (see next step)
- Invoke
PaymentSession.updateSessionFromForm('ach')
to store the collected Automated Clearing House details into a payment session. Once the operation completes,formSessionUpdate( )
callback is invoked with a result parameter. You must check theresult.status
value to determine if the operation was successful. See Handle Callback Responses. - You can use the returned payment session (session.id) to perform a tokenization or a payment transaction when required. For more information, see Perform an Operation Using the Session.
session.js Reference[JavaScript]
You can submit Automated Clearing House payment details directly to the Mastercard Gateway using the following operations.
You initiate an Automated Clearing House payment by submitting an DirectAPIPAY
request, and a refund by submitting an DirectAPIREFUND
request.
Ensure that you include the following information in your request:
sourceOfFunds.type = ACH.
sourceOfFunds.provided.ach.routingNumber
: The payer's bank routing number.sourceOfFunds.provided.ach.bankAccountNumber
: The payer's bank account number.sourceOfFunds.provided.ach.bankAccountHolder
: The payer's account holder name.sourceOfFunds.provided.ach.accountType
: The payer's bank account type.sourceOfFunds.provided.ach.secCode
: The SEC code for the Automated Clearing House payment applicable to this transaction.The SEC code must be one of:
TEL
: An Automated Clearing House Debit entry for a B2C payment authorized by the customer via the telephone. TEL may only be used when a relationship already exists between you and the payer or, when there is not an existing relationship, the payer initiates the contact with you.WEB
: An Automated Clearing House Debit entry for a B2C payment authorized via the internet or a wireless network.PPD
: An Automated Clearing House Debit or Credit entry based on an authenticated authorization provided by a payer. PPD is used for B2C payments (e.g. employee payroll, mortgage payments, or expense reimbursement).
You can void the previous transaction on an order by submitting an DirectAPIVOID
request for the order with the target transaction ID parameter referencing the PAY
or REFUND
request.
For a successful DirectAPIVOID
request, the referenced target transaction is removed from the batch and therefore will not be submitted to the Automated Clearing House Acquirer.
Transactions can no longer be voided once the batch containing the referenced target transaction has been closed for settlement (i.e. settlement is in progress) or has already been settled.
You can verify the payment details for an Automated Clearing House payment by submitting an DirectAPIVERIFY
request.
Currently, the Mastercard Gateway only supports semantic verification of the ACH payment details, but does not verify that the account is a valid bank account and the bank participates in Automated Clearing House.
Batch management and settlement
You can control batch closure by submitting an DirectAPICLOSE_BATCH
request with the acquirer ID for your Automated Clearing House acquirer. The acquirer ID is provided in transaction.acquirer.id
in the transaction response.
As a result, the current Automated Clearing House Acquirer batch in the Mastercard Gateway will be closed. Subsequent Automated Clearing House transactions will be added to a new the Mastercard Gateway-internal batch.
Reconciliation
The Retrieve Transaction response for successful Automated Clearing House transactions contains the identifier for the transaction that the acquirer uses in transaction.receipt
.
This identifier will be used in the Exception Detail Report provided by the Paymentech Salem Automated Clearing House acquirer. This contains all unsuccessful Automated Clearing House transactions and can be used to reconcile your payments.
The transaction status provided by the gateway (response.gatewayCode
) is not updated with the actual response from the Automated Clearing House network.
Testing Automated Clearing House transactions
You can test your integration using your TEST merchant profile.
The Mastercard Gateway provides an emulator that will return a response with response.gatewayCode=APPROVED
for all valid requests for Automated Clearing House payments.