FinStackCloud
RAILS · NACHA SEC CODES

NACHA SEC codes

The Standard Entry Class code (positions 51-53 of the Batch Header) is the single most consequential field in a NACHA file. It decides which authorization rules apply, what the receiver's dispute window is, what addenda format is allowed, and whether your file goes through at all. This page covers the 12 SEC codes that NACHA treats as the canonical set — what each one does, comparisons of the ones that look alike, and the cases where only one specific code is legally allowed.

Last updated: May 4, 2026 Reading time: 14 min 12 codes covered
THE ONE THING TO REMEMBER
SEC code = "how was this authorized?" Once you answer that, NACHA's rules — return windows, allowed addenda, retry limits, fraud-detection requirements — fall out automatically. Pick the code from the authorization, not from the payment.
How to read this page — NACHA mandate vs. industry practice. Not everything in production ACH is in the Rules book. Some requirements (return windows, mandatory addenda counts, account-validation-before-first-WEB-debit) are NACHA mandates — violating them is a Rules violation. Others (storing IP + timestamp on a WEB authorization, using TEL only for single entries despite 2011 rules allowing recurring, treating B2B TEL as off-limits) are industry practice — what your ODFI's risk team and most originators actually do, even though the Rules technically permit otherwise. This page labels each claim with one of those two categories so you know which is which.

Section 1 · The full map The 12 SEC codes you'll actually see

NACHA's own reference materials — the SEC Code Detail Cards and the Origination Handbooks — treat 12 codes as the canonical set. (NACHA's detail-card set is sometimes described as "13 codes" because they print WEB Credit and WEB Debit on separate cards, but in the file format these are the same three-letter SEC code WEB — so it's 12 distinct codes.) That's the list below, grouped into four practical categories: consumer-authorized, business (B2B), check-conversion, and international. The legacy POS code is included because NACHA still publishes a detail card for it, even though most modern originators won't generate one. Click any row to jump to its detail section.

SEC code landscape · canonical set 12 codes · 4 categories
Consumer-authorized 4 codes
PPD
Prearranged Payment & Deposit The default for paper-authorized recurring consumer payments. Payroll, rent, gym fees.
Most common code overall
WEB
Internet-Initiated Entry Consumer authorized via website or mobile app. SaaS billing, e-commerce. Credit + debit variants.
Mandatory fraud detection
TEL
Telephone-Initiated Entry Consumer authorized over the phone. Usually one-time.
Inbound call OR existing relationship
CIE
Customer-Initiated Entry Consumer-initiated bill-pay through online banking — originated by the consumer's bank.
Originated by RDFI / bill-pay
Business (B2B) 2 codes
CCD
Corporate Credit or Debit The B2B workhorse. Single payment between two businesses. Short return window (2 days).
B2B default
CTX
Corporate Trade Exchange CCD with up to 9,999 addenda records. For multi-invoice payments and X12 EDI remittance.
Multi-addenda · EDI
Check conversion & re-presentment 5 codes
ARC
Accounts Receivable Conversion Lockbox / billers convert a mailed-in paper check to ACH at processing time.
Mail-in check
POP
Point-of-Purchase Check converted at the cashier in front of the customer; check returned to them on the spot.
In-person POS
BOC
Back Office Conversion Check accepted at register, converted later in the back office. Customer notified by signage.
Back-office workflow
RCK
Re-presented Check A bounced paper check, re-presented as ACH. Limited to checks returned for NSF.
Re-presentment
POS
Point-of-Sale Entry Originally for shared ATM/POS network entries cleared via ACH. Largely supplanted by card networks today.
Legacy · still on NACHA card
International 1 code
IAT
International ACH Transaction Required if any leg of the transaction crosses the U.S. border. Mandates 7 specific addenda records carrying OFAC screening data.
Cross-border · OFAC

Reality check: ~95% of production traffic uses just 5 codes — PPD, CCD, WEB, TEL, and CTX. The check-conversion family (ARC/POP/BOC/RCK), CIE, and IAT cover specific operational workflows you'll only hit if you operate in those lanes.

Codes you might see in old documentation but won't encounter in production: ATX (zero-dollar acknowledgment of CTX/CCD), MTE (ATM machine transfer), SHR (shared network transaction), ENR (federal direct-deposit enrollment), DNE (federal death notification), TRC / TRX (image cash letter truncation), XCK (destroyed check). These exist in the historical NACHA spec but are either federal-government-only, used between banks inside check-imaging clearing operations, or effectively obsolete. A normal originator on a sponsor bank will not generate or receive these. They're omitted from the canonical 12 above on purpose.

Section 2 · Each code in detail What each SEC code actually does

Below: every code from the table above, in the same order. The five workhorse codes (PPD, CCD, WEB, TEL, CTX) get full deep-dives with format specs, gotchas, and real file examples. Specialized codes get a tight summary covering when they're used and what's distinctive.

PPD Prearranged Payment & Deposit Consumer · Most common

The default SEC code for any recurring consumer transaction with paper-based authorization. Direct deposit payroll is the textbook PPD use case — and so is rent collection from a tenant who signed an authorization form, recurring gym membership debits, government benefit deposits, and most consumer subscriptions established offline.

USE THIS WHEN
  • Receiver is a consumer (individual, not a business)
  • Authorization was obtained via signed paper form or similar offline method
  • Transactions are recurring or pre-scheduled
  • You want the simplest, most-supported SEC code that all RDFIs accept reliably
DON'T USE PPD WHEN
  • Authorization came from a website → use WEB
  • Authorization came over the phone → use TEL
  • Receiver is a business → use CCD
  • You're converting a check → use ARC, POP, or BOC

Format specifics

Service Class: Typically 220 for credit-only batches (payroll), 225 for debit-only (recurring billing), or 200 for mixed.

Transaction codes allowed: 22 (checking credit), 27 (checking debit), 32 (savings credit), 37 (savings debit). Plus their prenote variants 23/28/33/38.

Addenda: 1 maximum per entry. Type code 05. Free-text 80 chars in Payment Related Information.

Individual Name field (pos 55-76 of Entry Detail): Receiver's name. Required. ASCII-only, left-justified, space-padded.

Company Entry Description (pos 54-63 of Batch Header): Free-text, but receivers see this on their bank statement — use something they'll recognize like PAYROLL or RENT .

NACHA mandate Effective Entry Date. For non-Same-Day PPD, the Effective Entry Date in the Batch Header must be a future banking day. If you set it in the past, the ACH Operator will shift it forward to the next valid settlement date, which can desync your reconciliation against the date you assumed. Standard practice is 1-2 banking days after submission.

Real file example

A payroll batch from a fictional company. The SEC code is highlighted:

PPD payroll batch · 2 employees Highlighted: SEC code at pos 51-53
File Header101 071000013 1234567890 2605041200A094101FEDERAL RESERVE BANK ACME PAYROLL CO 00000001 Batch Header5220ACME PAYROLL CO 1234567890PPDPAYROLL 260504260506 1071000010000001 Entry Detail62207100001399876543210 0000125000ID0001 SARAH JOHNSON 0107100001000001 Entry Detail62207100001312345678901 0000098500ID0002 MICHAEL CHEN 0107100001000002 Batch Control820000000207100001260000000000000000000022350001234567890 107100010000001 File Control9000001000001000000020710000126000000000000000000002235000
WEB Internet-Initiated Entry Consumer · Online

The SEC code for any consumer payment where authorization happened on a website or mobile app. SaaS subscription billing, e-commerce checkout via ACH, peer-to-peer transfers initiated from an app — all WEB. NACHA imposes additional fraud-detection and account-validation requirements specifically because the authorization happens digitally.

USE THIS WHEN
  • Consumer authorized via web form, mobile app, or chatbot
  • You can produce evidence of the authorization (web session log, signed e-form) — NACHA doesn't mandate which evidence, but ODFIs typically expect timestamp, IP, and the displayed authorization text
  • You're billing a SaaS subscription or recurring online service
  • One-time online purchase paid via ACH (e.g. invoice paid through a portal)
DON'T USE WEB WHEN
  • Authorization came from a signed paper form → use PPD
  • Authorization came from a phone call → use TEL
  • Receiver is a business → use CCD
  • You haven't implemented commercially reasonable fraud detection

Format specifics

Service Class: Typically 225 (debit-only) for subscription billing, occasionally 220 for refunds, or 200 for mixed.

Transaction codes: Same set as PPD/CCD. Most WEB traffic is debits (TC 27 / 37) since it's billing.

Addenda: 1 maximum per entry. Type code 05.

Individual Name field: Receiver's name (consumer). Required, ASCII-only.

Payment Type Code (pos 77-78 of Entry, Discretionary Data): NACHA recommends R for recurring or S for single-entry, though this is not strictly enforced.

NACHA mandate Fraud detection (WEB debits — and as of 2026, more broadly). Originators of WEB debits have long been required to use a "commercially reasonable" fraudulent transaction detection system. As of the 2026 Risk Management Topics rule (Phase 1: March 20, 2026 for originators with ≥6M annual ACH volume; Phase 2: June 19, 2026 for the rest), this requirement expanded — all non-consumer originators above the volume threshold must implement risk-based fraud monitoring across all ACH entries, not just WEB. Practice NACHA does not specify what the system must do — that's where industry practice fills the gap. In production this typically means: device fingerprinting at authorization, IP geolocation checks, anomaly detection on amount/frequency, velocity rules, and account validation (which separately is a WEB-specific mandate, see below).
NACHA mandate Account validation at first use (WEB debits only). Per the WEB Debit Account Validation Rule (effective March 19, 2021; enforced from March 19, 2022), originators of WEB debits must validate the account before the first debit to a new account number. The rule does not apply to WEB credits, and does not require validation of ownership — only that the account is open and accepts ACH. Acceptable methods named in NACHA's own guidance: prenote ($0 ACH entry), micro-deposits, third-party account validation API (Plaid, GIACT, Finicity), or evidence of a previously successful ACH transaction to the same account.

Real file example

WEB SaaS subscription · monthly billing Highlighted: SEC code + recurring marker
File Header101 071000013 5555555555 2605040900C094101FEDERAL RESERVE BANK SAAS BILLING CO 00000001 Batch Header5225SAAS BILLING CO 5555555555WEBMONTHLY 260504260506 1055555550000001 Entry Detail62707100001399887766 0000004900CUST-50229 ALEX HUANG R 0107100001000001 Entry Detail62707100001312398765 0000004900CUST-50314 MARIA SANTOS R 0107100001000002 Batch Control820000000207100001260000000098000000000000000005555555550 105555555000001 File Control9000001000001000000020710000126000000009800000000000000000
TEL Telephone-Initiated Entry Consumer · Phone

The phone-channel sibling of WEB. Use TEL when a payment was authorized during a phone conversation — most often a one-time charge initiated when a consumer calls customer service. Common for utility bills, late-fee payments, and emergency payments where the customer can't easily get to a website.

USE THIS WHEN
  • Authorization happened during a phone conversation (live agent or IVR)
  • The call is inbound from the consumer, OR there's a pre-existing relationship (written agreement, or goods/services purchased in the last 2 years)
  • You can produce the required authorization evidence — see the callouts below; requirements differ for single-entry vs. recurring
  • It's a single-entry / one-off payment — TEL can carry recurring per NACHA Rules, but in practice most originators use PPD for recurring instead (see practice note below)
DON'T USE TEL WHEN
  • The call is outbound cold telemarketing — no inbound call AND no pre-existing relationship = TEL is prohibited
  • You don't have any retained authorization evidence (recording or written confirmation)
  • The payment is recurring AND you don't want to comply with the stricter Reg E + dual-evidence requirements — use PPD instead

Format specifics

Service Class: Typically 225 (debit-only).

Transaction codes: Almost always 27 (checking debit) or 37 (savings debit).

Addenda: 1 maximum, type code 05.

Individual Name field (pos 55-76): Required. Consumer's name as ASCII text. 22 characters.

Same Day ACH: TEL is eligible for Same Day ACH (subject to per-entry $1M cap and ODFI cutoff times) — useful for urgent utility payments before service shutoff.

NACHA mandate Inbound call OR pre-existing relationship. TEL may be used only when (a) the consumer initiated the call to you, OR (b) you have a pre-existing relationship — defined by NACHA as either a written agreement in place, or the consumer having purchased goods or services from you within the last 2 years. Cold outbound telemarketing-to-ACH is prohibited under either definition.
NACHA mandate Authorization evidence — single-entry vs. recurring differ.
Single-entry TEL: Originator must either make an audio recording of the oral authorization, or send the consumer a written notice confirming the authorization before the entry settles. One or the other — not both.
Recurring TEL: Originator must comply with Reg E for preauthorized transfers, which means both an audio recording and a written copy of the authorization sent to the consumer. The dual-evidence burden is why most originators avoid recurring TEL and use PPD instead.
Either way, the evidence must be retained for 2 years from the authorization date (single) or termination/revocation (recurring).
Practice TEL with a business receiver — technically allowed since 2017, rarely supported. NACHA's 2017 rule changes removed the consumer-only restriction on TEL, so business receivers are now permissible under the Rules. In practice, most ODFI origination platforms still treat TEL as consumer-only because their risk and compliance models were built before the change, and B2B TEL volume is too small to justify rebuilding. For a one-time B2B phone authorization, the standard production approach is CCD with the call recording retained as authorization evidence.
Practice TEL is overwhelmingly single-entry. Although NACHA rules have allowed recurring TEL since the September 2011 amendment, the dual-evidence requirement above (recording + written notice + Reg E pre-notification of amount changes 10 days in advance and date changes 7 days in advance) makes it operationally heavier than just collecting a paper PPD authorization. Most production TEL traffic is single-entry one-offs.

Real file example

TEL one-time utility payment Highlighted: SEC code at pos 51-53
File Header101 071000013 4444444444 2605041615D094101FEDERAL RESERVE BANK METRO UTILITY CO 00000001 Batch Header5225METRO UTILITY CO 4444444444TELUTIL BILL 260504260504 1044444440000001 Entry Detail62707100001345678901234 0000018745CUST-A88291 JENNIFER WONG 0107100001000001 Batch Control820000000107100001260000000018745000000000000004444444440 104444444000001 File Control9000001000001000000010710000126000000018745000000000000000
CIE Customer-Initiated Entry Consumer · Bill-pay origination

CIE is the inverse of normal consumer ACH: the consumer's bank originates the entry on the consumer's behalf, sending money to a biller. This is what powers traditional online banking bill-pay. Most originators don't generate CIE files — banks and bill-pay processors do. If you're a biller, you'll receive CIE credits, not send them.

Initiated by: The consumer's bank (acting as ODFI on their behalf).

Direction: Always credit — money flows from the consumer's account to the biller.

Addenda: 1 maximum. Carries the biller's account number / customer reference.

When you'd encounter it: If you operate AR for a utility, telco, or any company that accepts online bill-pay, your incoming ACH credit feed will include CIE entries.

CCD Corporate Credit or Debit Business · B2B default

The B2B equivalent of PPD. Use CCD when both the originator and receiver are businesses. The trade-off compared to PPD: stricter authorization requirements (you need a written agreement between the two companies), but a much shorter unauthorized return window — only 2 banking days, not 60. This is what makes CCD operationally faster for B2B workflows.

USE THIS WHEN
  • Receiver is a business / non-consumer entity
  • You have a written agreement authorizing ACH
  • You want the short B2B return window (2 banking days for unauthorized)
  • Single-invoice or simple cash transfer between corporate accounts
DON'T USE CCD WHEN
  • Receiver is a consumer — use PPD/WEB/TEL
  • You need multiple invoices in one payment with structured remit data → use CTX
  • The receiver's account is a personal account even if the business owner uses it

Format specifics

Service Class: 220 (credit-only) for AP runs, 225 (debit-only) for collection runs, 200 for mixed.

Transaction codes allowed: Same as PPD — 22/27/32/37 and prenote variants 23/28/33/38.

Addenda: 1 maximum per entry, addenda type code 05. The 80-char Payment Related Information field is typically used for invoice number(s) or PO reference.

Receiving Company Name field (pos 55-76, 22 chars): The receiver's business name. NACHA's spec calls this field "Receiving Company Name/ID Number" specifically for CCD (PPD's equivalent at the same byte position is "Individual Name" for a consumer). Same byte position, different field semantics.

Discretionary Data (pos 77-78 of Entry): Often used for internal department/cost-center codes.

Practice Receiver name match. Many RDFIs perform some level of receiver-name match against the receiving business account, and a mismatch can contribute to R03 (No Account) returns. Put the registered business name as it appears on the receiver's bank account — not the contact person's name, not a DBA the bank doesn't know about. NACHA itself doesn't mandate name-matching at the RDFI, but most large RDFIs do some form of it as part of their fraud / compliance posture.

Real file example

CCD vendor payment · 1 invoice Highlighted: SEC code + addenda
File Header101 071000013 9876543210 2605041340B094101FEDERAL RESERVE BANK BUYER CO INC 00000001 Batch Header5220BUYER CO INC 9876543210CCDVENDOR PAY260504260506 1098765430000001 Entry Detail62207100001312345678 0000450000INV-2026-0871 SUPPLIER DELTA LLC 1098765430000001 Addenda705INVOICE 2026-0871 NET30 PO REF 4471 00010000001 Batch Control820000000207100001260000000000000000000045000098765430 109876543000001 File Control9000001000001000000020710000126000000000000000000004500000
CTX Corporate Trade Exchange Business · EDI · Multi-addenda

CCD's heavyweight cousin, designed for B2B payments that need to carry structured remittance data — multiple invoices in one payment, ANSI X12 EDI segments, line-item breakdowns. The defining feature: up to 9,999 addenda records per entry, vs. CCD's hard limit of 1. If your AP department wants to send a single payment that covers 50 invoices and have it auto-reconciled on the receiver's side, CTX is how you do that in ACH.

USE THIS WHEN
  • One payment covers multiple invoices (consolidated AP)
  • You need to send structured EDI data alongside the payment (820, 835, etc.)
  • Receiver's AR system auto-reconciles ACH credits with invoice IDs
  • Both parties have EDI translator infrastructure set up
DON'T USE CTX WHEN
  • You only have one invoice per payment → CCD with 1 addenda is enough
  • The receiver can't process X12 EDI — many small businesses can't
  • You haven't tested the EDI handoff end-to-end with the receiver

Format specifics

Service Class: Same as CCD: 220, 225, or 200.

Transaction codes: Same set as CCD — 22/27/32/37.

Entry Detail layout differs from PPD/CCD: CTX uses a different Entry Detail Record field layout. The bytes that PPD and CCD use as one continuous 22-character name field (pos 55-76) are split in CTX into:

  • pos 55-58 (4 bytes): Number of Addenda Records — a 4-digit count, 0001 to 9999
  • pos 59-74 (16 bytes): Receiving Company Name / ID Number — the receiver business name, truncated to 16 chars
  • pos 75-76 (2 bytes): Reserved (blank)

Other Entry Detail positions (Identification Number at 40-54, Discretionary Data at 77-78, Addenda Record Indicator at 79, Trace Number at 80-94) are unchanged from PPD/CCD.

Addenda content: ANSI X12 segments (typically transaction sets 820 — Payment Order/Remittance Advice, or 835 — Healthcare Claim Payment).

NACHA mandate Number of Addenda Records (pos 55-58) must match exactly. The 4-digit count at positions 55-58 must equal the actual number of addenda (type-7) records that follow this Entry Detail. Off-by-one or a stale counter against an updated addenda block causes the file to fail validation at the ODFI or Operator. This is the single most common CTX bug — automated build pipelines that recalculate counts last sometimes leave the field stale.
Practice Receiver-side EDI parsing capability. CTX is only useful if the receiver actually parses the X12 segments. Many small/medium businesses receive CTX, see a lump sum credit, and have no automation to break it down — they'll call you asking what invoices it covers. Confirm EDI capability with the receiver's AR team before sending CTX. (NACHA does not require the receiver to be EDI-capable — this is purely a practical issue.)

Real file example

CTX consolidated payment · 3 invoices in 3 addenda Highlighted: SEC code + addenda count at pos 55-58
File Header101 071000013 1111111111 2605040800E094101FEDERAL RESERVE BANK BUYER CORP 00000001 Batch Header5220BUYER CORP 1111111111CTXVENDOR PMT260504260506 1011111110000001 Entry Detail622071000013555555555 0000875000PMT-2026-411 SUPPLIER ALPHA 00030010000001 Addenda 1/3705RMR*IV*INV-2026-0411*PI*250000\REF*CN*CONTRACT-A881\ 00010000001 Addenda 2/3705RMR*IV*INV-2026-0412*PI*325000\REF*CN*CONTRACT-A881\ 00020000001 Addenda 3/3705RMR*IV*INV-2026-0413*PI*300000\REF*CN*CONTRACT-A881\ 00030000001 Batch Control820000000407100001260000000000000000000087500001111111110 101111111000001 File Control9000001000001000000040710000126000000000000000000008750000
ARC Accounts Receivable Conversion Converted check · Mail-in

The most common check-conversion code. A consumer mails a paper check to a lockbox or biller (utility, credit card, mortgage), and the biller converts it to ACH at processing time instead of depositing the physical check. The check itself is destroyed after capture; the ACH entry uses the routing/account information from the MICR line.

NACHA mandate Required notice: Originator must have provided clear and conspicuous notice (typically on the bill or remittance envelope) that mailed checks may be converted to ACH, before receiving the check.

NACHA mandate Eligibility: Personal consumer checks only. Excluded: business checks, money orders, traveler's checks, cashier's checks, federal/state/local government checks, and any check over $25,000.

NACHA mandate Source document retention: Originator must retain a reproducible, legible image or copy of the front of the source document (the check) for 2 years from the settlement date of the entry, and produce it within 10 banking days when an ODFI requests it.

Return window: 60 days (R10 / R11 unauthorized), like other consumer SEC codes. Administrative returns (NSF, account closed) follow the standard 2-banking-day window.

POP Point-of-Purchase Converted check · In-person

Used at a physical point of sale: the customer hands the cashier a paper check, the cashier runs it through a check reader, the system converts it to ACH on the spot, the customer signs an ACH authorization receipt, and the void check is handed back. Common at retail registers and check-cashing-style payment terminals.

Required notice: Posted notice at point of sale + signed authorization receipt.

Eligibility: Consumer-source personal checks under $25,000. No business checks.

Distinguishing feature: Customer is physically present and signs at time of conversion. Voided check is returned.

BOC Back Office Conversion Converted check · Back-office workflow

The middle ground between ARC and POP. The customer hands a check at the register or drop box, but conversion happens later in a back office (typically end-of-day batch). The customer is notified by signage at the register; no on-the-spot signature is required. Common at retail chains where front-of-house staff aren't trained on ACH conversion.

Required notice: Conspicuous signage at the point where the check is accepted, plus a copy on the receipt.

Eligibility: Same limits as POP — personal checks under $25,000.

Workflow distinction: Conversion happens in batch later, not in real time. The voided check may or may not be returned to the customer at the register.

RCK Re-presented Check Re-presentment · NSF only

A previously bounced paper check, resubmitted as ACH instead of as a physical re-deposit. Strictly limited to checks that were returned for NSF (insufficient funds) or uncollected funds — not for stop-payments, account-closed, or fraud-related returns. RCK can be re-presented up to twice within 180 days.

Eligible only when: Original check was returned R01 (NSF) or R09 (uncollected funds).

Notice required: Originator must have given notice on the original transaction that bounced checks may be re-presented electronically.

Limit: Up to 2 RCK re-presentments per original check, within 180 days of the original date.

IAT International ACH Transaction Cross-border · OFAC mandate

Mandatory whenever any leg of the transaction crosses the U.S. border — even if both the originating and receiving banks happen to be U.S. institutions, but funds came from or are bound for a non-U.S. financial agency. The format is fundamentally different: instead of 1 optional addenda, IAT requires 7 specific addenda records carrying originator, beneficiary, and intermediary bank information for OFAC screening.

NACHA mandate 7 mandatory addenda records. Every IAT entry must be followed by exactly 7 specific addenda records carrying Bank Secrecy Act "Travel Rule" data:

  • Type 10: First IAT addenda — transaction type code, foreign payment amount, foreign trace number, receiving individual/company name
  • Type 11: Originator name + street address
  • Type 12: Originator city, state/province, country, postal code
  • Type 13: Originating DFI name + ID + branch country code
  • Type 14: Receiving DFI name + ID + branch country code
  • Type 15: Receiver identification + receiver street address
  • Type 16: Receiver city, state/province, country, postal code

OFAC mandate OFAC screening. RDFIs (and gateway operators on inbound IAT) are required by U.S. law — not just NACHA — to OFAC-screen IAT entries. Missing or malformed addenda records will be rejected for non-compliance.

Foreign Exchange handled outside ACH: The Entry Detail Record's amount field carries U.S. dollars. FX conversion happens at one of the gateway banks, not in the ACH network itself. The foreign-currency amount, ISO currency codes, and FX reference are carried in the batch header and Type 10 addenda.

NACHA mandate Optional addenda — Type 17 and Type 18. Beyond the 7 mandatory addenda, an IAT entry can carry up to 2 Type 17 addenda (remittance info, 80 chars each) and up to 5 Type 18 addenda (foreign correspondent bank info — required if a correspondent bank is involved). Total addenda per IAT entry maxes out at 12 (7 mandatory + 2 + 5, with the optional 17/18 jointly capped at 5 by some Operators' implementations).
POS Point-of-Sale Entry Legacy · still on NACHA card

Originally for shared POS network entries — debit-card transactions cleared through ACH between regional networks before card networks took over. NACHA still publishes a detail card for POS, so it remains in the canonical 12, but in production today it's largely supplanted by Visa, Mastercard, and the major debit networks. Don't confuse with POP: POS is card-network-related; POP is check conversion at the cashier. Different codes, different worlds.

Original use: Shared regional ATM/POS network purchases settled via ACH.

Today's reality: Most POS-style transactions clear through card networks. ACH POS appears mainly in older credit-union and regional network setups.

Common confusion: POS (card network) vs POP (check conversion) — they share three letters and "point-of-sale" semantics but are completely different codes.

Section 3 · Codes that look alike Side-by-side comparisons of the easy-to-confuse pairs

Several SEC codes overlap enough that picking between them is the actual decision you'll face in production. The four comparisons below cover the questions that come up most often.

Reading the "return window" rows. Every "return window" row in the tables below is specifically the unauthorized return window — the one a Receiver can use to dispute a transaction they didn't authorize (R10 / R11 / R29). Administrative returns (NSF, account closed, invalid account, NOC corrections) are separately governed by NACHA and almost always have a 2-banking-day window regardless of consumer vs. business. So the consumer / business distinction matters mainly for unauthorized disputes — that's the window R10 / R11 / R29 numbers refer to.
CCD VS CTX Both B2B
TL;DR — Same audience (B2B), same return rules. Pick CTX only when one payment must carry remittance data for multiple invoices, and the receiver can actually parse X12 EDI. Otherwise CCD with one addenda is simpler and universally supported.
Dimension CCD CTX
Receiver type Business Business
Authorization Written agreement Written agreement (often broader trading partner agreement)
Unauthorized return window 2 banking days (R29) 2 banking days (R29)
Max addenda per entry 1 9,999
Addenda content Free-text 80 chars (invoice ref, PO) ANSI X12 EDI segments (820, 835, etc.)
Receiver-side capability Any RDFI accepts Receiver must have EDI translator
Receiver name field length 22 chars (pos 55-76) 16 chars (pos 59-74; pos 55-58 holds 4-digit addenda count)
Best for Single invoice / single payment Consolidated AP, multi-invoice settlements
PPD VS WEB Both consumer
TL;DR — Same receiver (consumer), same 60-day return window. The split is purely where the authorization happened. Paper form / in-person → PPD. Website / mobile app → WEB. WEB carries extra fraud-detection and account-validation obligations because the authorization is digital.
Dimension PPD WEB
Receiver type Consumer Consumer
Authorization channel Paper / signed in person Web form / mobile app
Unauthorized return window 60 days (R10 / R11) 60 days (R10 / R11)
Fraud detection mandate Required for WEB debits (commercially reasonable)
Account validation mandate Required at first use, WEB debits only
Recurring vs single-entry Both, leans recurring Both, leans recurring
Best for Payroll, rent, offline subscriptions SaaS billing, e-commerce, online portals
WEB VS TEL Both consumer · digital authorization
TL;DR — Same fraud-detection regime, same return window. The split is just the authorization channel: keystrokes (WEB) versus voice (TEL). TEL adds the requirement that the consumer initiated the call, or that you have a pre-existing customer relationship — cold-call-to-ACH is forbidden.
Dimension WEB TEL
Authorization channel Web form / mobile app Phone call (live or IVR)
Unauthorized return window 60 days (R10 / R11) 60 days (R10 / R11)
Fraud detection mandate Required since 2021 (WEB debits — "commercially reasonable") No code-specific mandate — but as of 2026, large originators must run risk-based fraud monitoring across all entry types, which catches TEL too
Inbound caller / pre-existing relationship Not required Required: either inbound call from consumer OR pre-existing relationship (written agreement, or purchase within last 2 years)
Authorization evidence Web session log / signed e-form (NACHA mandates "commercially reasonable", method-neutral) Single-entry: audio recording OR written confirmation. Recurring: BOTH recording AND written authorization (Reg E)
Recurring vs single-entry Both, often recurring Allowed since 2011, but most production traffic is single-entry due to dual-evidence burden on recurring
Best for SaaS subscription, e-commerce One-off utility / late-fee phone payment
ARC VS POP VS BOC All check conversion
TL;DR — All three convert a paper check to ACH. The split is where in the workflow conversion happens: ARC = mailed in to lockbox, POP = at the cash register in front of the customer, BOC = accepted at register but converted later in the back office. Pick by your physical workflow, not by amount or account type.
Dimension ARC POP BOC
Where check is received Mailed in / lockbox At cashier (in person) At cashier or drop box
When conversion happens At lockbox processing Real-time at the register Later, in back office batch
Customer signature at conversion No (notice on bill envelope) Yes (signed receipt) No (signage at register)
Voided check returned? No (destroyed at lockbox) Yes (handed back) Sometimes (varies)
Personal check only? Yes Yes Yes
Max amount $25,000 $25,000 $25,000
Best for Utility / credit card billing Retail with trained POS staff Retail without trained POS staff

Section 4 · Cases where only one code is allowed Scenarios where the SEC code is forced

Sometimes you don't have a choice — the situation forces a specific SEC code, and using anything else is either a NACHA rule violation or guaranteed to be returned. The list below is the most common forced-pick scenarios.

IAT Any cross-border leg
If any leg of the transaction touches a non-U.S. financial agency — even if both endpoint banks are U.S. banks — you must use IAT. Disguising it as PPD or CCD is a NACHA rule violation and an OFAC compliance failure. There is no judgment call here.
CCD B2B with single-invoice remittance
When both parties are businesses and the remittance fits in one 80-char addenda. PPD is wrong (consumer code), CTX is over-engineering. The B2B + single-invoice scenario is CCD's lane.
CTX B2B with multi-invoice EDI remittance
When the receiver expects ANSI X12 820 or 835 segments alongside the payment, and the count of remittance items exceeds 1. CCD's hard limit of 1 addenda makes it impossible. Confirm the receiver can parse the segments before committing to CTX.
WEB Consumer authorized on a website / app
If the authorization happened in a digital session — checkout flow, signup form, in-app — WEB is the only correct code. Using PPD here skips the mandatory fraud-detection regime and exposes you to NACHA Rules enforcement and rule-violation fines.
TEL Consumer authorized on a phone call
One-time consumer charge authorized verbally. Must be inbound or pre-existing-customer; cold outbound calls cannot use TEL. WEB is wrong (no web session), PPD is wrong (no signed paper authorization).
RCK Re-presenting a bounced check
A paper check that came back R01 (NSF) or R09 (uncollected). RCK is the only SEC code authorized for re-presentment in ACH — and only for those two return reasons. Using PPD/CCD as a "retry" is a rule violation.
ARC Lockbox check conversion
Mailed-in personal check to a biller, converted to ACH. POP is wrong (no in-person customer), BOC is wrong (no register acceptance). ARC is the lockbox-specific code with its own notice requirement on the bill.
POP In-person register conversion
Customer hands a check at the register, signs an authorization receipt, gets the void check back. The signed receipt is what differentiates POP from BOC — if you can't get a signature, you can't use POP.
How to think about "forced" vs "preferred" picks. The scenarios above are forced — using the wrong SEC code is a rule violation. Outside of these, there's still often a "preferred" code (e.g. PPD for offline recurring) — but if you use a different valid code, the file will still process, you'll just inherit different rules. Forced-pick scenarios fail outright.
Validate your SEC code matches your batch
The Inspector cross-checks SEC code against Transaction codes, addenda count, and Service Class — flagging combinations that look invalid before your ODFI sees the file.
Open Inspector →