ACH API for Developers

If you are an online retailer or e-commerce store, then you are well aware of the frustrations that can emerge at checkout. Statistics show that approximately 75.6% of shopping carts are abandoned globally, and that number rises to 85.65% on mobile devices.

To streamline the transaction process and allow teams to better manage credit card payments, bank payments, and even crypto payments, payment APIs and payment gateway APIs should be implemented into your payment system.

If you are looking to implement an ACH API into your website, app, or finance software, then you’ll want to keep the following in mind:

  • ACH API features
  • Front-end development features
  • Security best practices
  • Developer resources


ACH API Features to Consider

In recent years, payment APIs have grown to be a major player in fintech. Payment APIs streamline the online payment transaction process and provide solutions to shopping cart abandonment rates and low conversion rates. 

For many, finding the right payment API can be difficult. However, implementing a payment API can protect your business against fraud and data breaches and also simplify regulatory compliance. 

Depending on your business needs, you can choose an API that supports some of the following features: 

  • Number of payment method connections (such as credit cards, bank accounts, government accounts, and utility accounts)
  • ACH transfer
  • Payment gateway or API gateway
  • Verifying identity and/or authorization
  • Secure account linking
  • Checking credit
  • Setting up and managing recurring payments
  • Maintaining and tracking user accounts
  • Sending invoices
  • Digital wallets
  • KYC and PCI
  • Simple integration
  • Prebuilt wrapper or schema
  • Low transaction fees
  • Global payments
  • High-security payments
  • Accepts cryptocurrency
  • Tokenization
  • And, of course, accepting payments

In general, you will likely need to compromise and choose an API that handles the features you deem most critical; at the moment, no single API handles every item listed above. The available features will also differ with the payment processing style, since APIs may be built around digital payments, card processing, or direct (cardless) payments. 

Most importantly, recognize that not all payment APIs support ACH payments. ACH payments, which are transactions that move across the U.S.-based Automated Clearing House (ACH) Network, facilitate fast transfers from one bank account to another. Common ACH transfers are things like direct deposit and are usually supported by a bank-to-bank transfer. However, ACH APIs can provide payment solutions between a merchant and customer so consumers can pay directly from their bank account.


Front-end Development for Facilitating Payments with the ACH API

The key feature for front-end development in facilitating ACH payments is the API gateway. The API gateway is a programmed element that facilitates and coordinates various API requests, streamlining each request from front-end to back. This element will sit at the front of your API to direct each system request. It functions as a single entry point to allow multiple API requests. 

The API gateway is how you are able to allow multiple requests into a single API. So if you are working with a payment API that offers another payment method like a credit card transaction but you want to add ACH transfers and crypto transfers, then integrating these request endpoints into the API gateway will make these transactions possible. 

The gateway, which fronts an HTTP server whose routes map to FaaS functions or microservices, invokes those functions or microservices through an aggregating mechanism. This lets a single client request be translated into calls across multiple microservices and APIs.

Also, you’ll need to update your API payment gateway whenever a microservice is added, so keep this update process extremely light. 

In addition to streamlining, the API gateway will also serve several important functions:

  1. Allow central API management
  2. Provide design elements
  3. Load balancing
  4. Authenticating outside calls
  5. Request dispatching and service discovery
  6. Circuit breaker functioning
  7. Cache management

If you plan to facilitate multiple payment methods, an API gateway will increase security, decrease microservice complexity, translate communication elements, and virtualize services for streamlined testing. A good ACH API will either have this already integrated or provide this schema for developers.
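As an added illustration of the gateway functions listed above (not code from the original article or from any vendor's API), the following Python sketch implements three of them, authenticating outside calls, request dispatching, and a circuit breaker, as a single entry point in front of hypothetical backend handlers; the API key and the `/payments/ach` route are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

API_KEY = "example-api-key-not-a-real-secret"  # constructed; real gateways validate per-client tokens from an auth service

def authenticate(headers: Dict[str, str]) -> bool:
    """Authenticate an outside call with a constant-time comparison of the bearer token."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return hmac.compare_digest(token.encode(), API_KEY.encode())

@dataclass
class CircuitBreaker:  # opens after `threshold` consecutive failures, retries after `reset_after` seconds
    threshold: int = 3
    reset_after: float = 30.0
    failures: int = 0
    opened_at: float = 0.0

    def is_open(self, now: float) -> bool:
        return self.failures >= self.threshold and now - self.opened_at < self.reset_after

    def record(self, ok: bool, now: float) -> None:
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= self.threshold:  # (re)open on the failure that trips it and on every failed retry
            self.opened_at = now

SERVICES: Dict[str, Callable[[dict], dict]] = {}  # route -> backend handler
BREAKERS: Dict[str, CircuitBreaker] = {}          # route -> its circuit breaker

def register_service(route: str, handler: Callable[[dict], dict]) -> None:
    SERVICES[route] = handler
    BREAKERS[route] = CircuitBreaker()

register_service("/payments/ach", lambda body: {"rail": "ach", "amount": body["amount"]})  # hypothetical ACH backend

def gateway(path: str, headers: Dict[str, str], body: dict, now: float) -> Tuple[int, dict]:
    if not authenticate(headers):  # central authentication before any service is touched
        return 401, {"error": "unauthorized"}
    if path not in SERVICES:
        return 404, {"error": "unknown route"}
    breaker = BREAKERS[path]
    if breaker.is_open(now):
        return 503, {"error": "circuit open"}  # fail fast instead of hitting a sick backend
    try:
        result = SERVICES[path](body)  # request dispatching to the backend for this route
    except Exception:  # backend error counts against the breaker
        breaker.record(False, now)
        return 502, {"error": "upstream failure"}
    breaker.record(True, now)
    return 200, result
```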


Security Best Practices for ACH API Payment Data

If you are facilitating (processing, transmitting, or storing) any data related to money transfers, then you’ll need to be compliant under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance applies to anyone who works with a payment transaction (or who can access sensitive information like bank account numbers), and it helps these platforms protect their payment systems and prevent data breaches. 

Therefore, even if your API is secure, there are additional steps to go through in order to secure payment data. Steps include continual monitoring, remediation, and reporting. Each type of card has its own set of compliance procedures. Your company will need to be audited by a Qualified Security Assessor and complete an annual self-assessment questionnaire to validate your compliance.

Even if you are using a fully developed payment API that is PCI compliant, it is important that your company takes the necessary steps in order to facilitate this compliance. The simplest way to maintain compliance is to never see or have access to any of the payment card data. This can be done by routing the data through a verified payment processor. Otherwise, you can do the following:

  • You can use prebuilt payment forms through the ACH API. While prebuilt payment integrations can add security and ensure compliance, they aren’t always available. 
  • Serve the payment pages over Transport Layer Security (TLS) to enable HTTPS. TLS secures data in transit between the client and the server by encrypting traffic, verifying its integrity, and authenticating the server to the client. A TLS connection requires a digital certificate issued by a certificate authority, which the client validates when the connection is established.
  • Another way to secure payment data is to limit the use of outside and untrustworthy code, such as JavaScript loaded from an external source, since that code can become compromised. 
  • When using webhooks, you’ll also need TLS for the endpoint. 
  • When setting up your ACH API, make sure to enable access controls for authentication. Depending on how the API is consumed (integrated into a web page vs. an app), you’ll likely need an authentication step, which can happen through exchanging credentials or through tokens. Credential exchange suits server-side applications (monoliths like WordPress) and Single Page Apps (SPAs). Mobile apps should use token-based authorization in a native app flow. Other microservice architectures will use a Single Sign-On (SSO) auth service.
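The following added Python example (not the article's code or any processor's API) shows the principle from the list above, never seeing or holding the payment account data yourself, applied to ACH bank account linking: a hypothetical processor-side vault tokenizes the routing and account number, and the merchant keeps only the opaque token. The ABA routing check digit, the 4 to 17 digit account length, and all class and route names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict

def valid_routing_number(routing: str) -> bool:
    """ABA routing number check digit: weights 3,7,1 repeated over the nine digits, sum must be 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0

@dataclass(frozen=True)
class BankAccountToken:
    """All the merchant may keep: an opaque token plus display hints."""
    token: str
    last4: str
    account_type: str

class TokenVault:
    """Hypothetical processor-side vault, the only component that ever sees account numbers.
    Tokens are random, so they can be neither reversed to nor guessed from the account number."""
    def __init__(self) -> None:
        self._accounts: Dict[str, Dict[str, str]] = {}  # token -> raw details (in-memory stand-in)

    def tokenize(self, routing: str, account: str, account_type: str) -> BankAccountToken:
        if not valid_routing_number(routing) or not (4 <= len(account) <= 17 and account.isdigit()):
            raise ValueError("malformed bank account details")  # assumed length bound for the example
        token = "ba_" + secrets.token_urlsafe(16)
        self._accounts[token] = {"routing": routing, "account": account, "type": account_type}
        return BankAccountToken(token, account[-4:], account_type)

    def debit(self, token: str, amount_cents: int) -> dict:
        """Processor-side ACH debit referenced by token; raw numbers never leave the vault."""
        if token not in self._accounts or amount_cents <= 0:
            raise ValueError("unknown token or invalid amount")
        return {"status": "submitted", "token": token, "amount_cents": amount_cents}

class MerchantCheckout:
    """Merchant side: holds only BankAccountToken records, never account numbers."""
    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.customers: Dict[str, BankAccountToken] = {}

    def link_account(self, customer_id: str, routing: str, account: str, account_type: str) -> BankAccountToken:
        tok = self.vault.tokenize(routing, account, account_type)  # raw strings go no further than this call
        self.customers[customer_id] = tok
        return tok

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.debit(self.customers[customer_id].token, amount_cents)
```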

For more on data and financial security, see the following resources:

The Open Web Application Security Project (OWASP)

SysAdmin, Audit, Network and Security (SANS)

National Institute of Standards and Technology (NIST)

Section 6500 of the Federal Deposit Insurance Corporation (FDIC) regulations

Payment Card Industry Data Security Standards (PCI DSS)


ACH API Developers Resources

Today, the vast majority of payment APIs are powered by REST architecture, using HTTP and JSON language. And there are five common types of APIs for payment transactions:

  1. Message formats/protocols: The core protocol is the ISO 8583 standard, though it is better understood as a protocol or message format. ISO 8583 is not usually sent over TCP socket connections, but it can operate over dial-up, direct links, and X.25 networks.
  2. SOAP XML Web Services: Simple Object Access Protocol (SOAP) is a W3C XML standard that allows publishable interfaces using WSDL, the common description language for web services. SOAP is commonly provided over HTTPS, but some implementations run over other transports as well.
  3. HTTP/S POST API: HTTP POST APIs are largely custom HTTP requests written by developers that send messages directly to a network endpoint. Traffic is typically sent over an SSL/TLS-encrypted HTTPS connection. HTTP POST APIs can send and receive XML, JSON, and simple key-value pairs, although JSON is preferred and the most lightweight.
  4. REST API: Representational State Transfer is an architectural style for HTTP-based APIs, and RESTful APIs will be familiar to those who know the HTTP POST style. RESTful APIs are organized differently, though: they apply object design principles and provide multiple URL endpoints for each object being manipulated.
  5. SDK: Software Development Kits are client-side libraries that simplify coding against the interfaces listed above in the appropriate programming language. SDKs parse the various message formats available for APIs (types 1-4 above).

Obviously, the type of ACH API you are implementing will depend on the needs of your company, how payment is processed, and the level of development needed for the API. Teams like Sila allow full API integration with detailed documentation, SDKs, GitHub docs, and a sandbox testing site.

Implementing an ACH API into your company’s payment system will streamline payment processing and open up new avenues for payment types. Because of this, you want to ensure that the API that you use will best facilitate the payment transaction and create a positive user experience. With developer platforms, you can take the very best of a payment API and adapt it to your needs.