

Online Banking Privacy and Security

Safeguarding your personal information when interacting with us via the Internet is extremely important. Merrimack 24 Online Banking has been designed with that in mind. Merrimack County Savings Bank will continue to enhance and maintain prudent security standards and procedures to protect against unauthorized online access or use of your nonpublic personal information and records, applying the same high standards in caring for your personal information as we do for transactions you conduct with us in person. The following information details the types and methods of security controls we use to ensure your online transactions remain safe. We also provide other information that you can use to help secure your data.

Cybersecurity Resources

The Merrimack urges customers to be vigilant and proactive in securing their electronic information. An informative brochure and companion video concerning best practices are now available for business customers. We encourage everyone to view them.

We also recommend the federal government's website to help you be safe, secure and responsible online. The Federal Trade Commission manages it, in partnership with the federal agencies. The Merrimack encourages you to browse it for useful tips on how to avoid scams, secure your personal computer and protect your kids online.

Additionally, we have made available five educational videos on phishing, identity theft, internet fraud, social media and portable devices. Be sure to check them out to learn all you can about online security.


The Merrimack uses several layers of technology to ensure the confidentiality of your transactions across the Internet. Security begins with your browser. The SSL (Secure Sockets Layer) protocol is used to provide privacy for the data flowing between the browser and the bank server. SSL is an open protocol for securing data communication across computer networks, and it provides a secure channel for data transmission through its encryption capabilities. It allows for the transfer of digitally signed certificates for authentication procedures, and provides message integrity, ensuring that the data can't be altered en route.

When a customer account is created, the bank assigns a password, which is sent to the customer along with an account verification letter. In addition to password protection, the bank also provides server authentication using the latest in public key encryption. Public/private key pairs are used specifically for authentication. The public key can be distributed, using a certificate that verifies the identity of the owner. The private key is kept secret. A message encrypted with a public key can only be read after decryption with the private key.

To start a transaction, the customer uses his or her browser to send a secure message via SSL to the bank. The bank responds by sending a certificate, which contains the bank's public key. The browser authenticates the certificate, and then generates a session key that is used to encrypt data traveling between the customer's browser and the bank server.

The session key is encrypted using the bank's public key, and sent back to the bank. The bank decrypts this message using its private key, and then uses the session key for the remainder of the communication.

By exchanging messages using the public/private key pair, the customer can be assured they are actually communicating with the bank, and not a third party trying to intercept the transaction. When a session is encrypted, a padlock icon appears in either the right or left lower corner of the browser's screen; the specific location may vary by browser. For example, on Internet Explorer, the icon will appear on the right, whereas on Netscape, the icon will appear on the left. A second test to ensure the session is encrypted is to place your cursor over the padlock icon, at which time an "SSL Secured (128 bit)" label will appear. If the padlock icon is not visible, or the "SSL Secured (128 bit)" label does not appear, encryption is not in use and the current session is not secure.
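
The key exchange described above, as an added example that is not the bank's own code: the browser encrypts a random secret to the public key from the certificate, and only the holder of the private key can derive the same session key and produce a reply the browser accepts. It assumes a constructed toy RSA key with no padding, and an HMAC tag stands in for the encrypted channel; names such as `run_exchange` and `bank.example` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy key for the "bank": two Mersenne primes. Far too small and
# structured for real use; it only makes the arithmetic runnable offline.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key, carried in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, never leaves the bank
SECRET_LEN = 30                          # bytes needed to hold any value below N

def derive_key(secret_int):
    """Both sides hash the shared secret into a 256-bit session key."""
    return hashlib.sha256(secret_int.to_bytes(SECRET_LEN, "big")).digest()

def browser_wrap(cert):
    """Browser: choose a random secret and encrypt it to the certificate's key.
    Assumes the certificate chain and host name were already validated."""
    n, e = cert["public_key"]
    secret = secrets.randbits(128)
    return derive_key(secret), pow(secret, e, n)   # textbook RSA, no padding

def server_unwrap(wrapped, private_exponent, n):
    """Server: recover the secret with its private exponent."""
    return derive_key(pow(wrapped, private_exponent, n))

def seal(key, message):
    """Append an HMAC-SHA256 tag so changes in transit are detectable."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the message if its tag verifies, otherwise None."""
    message, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None

def run_exchange(server_private_exponent, tamper=False):
    """Run one exchange; return what the browser accepts from the server."""
    cert = {"subject": "bank.example", "public_key": (N, E)}  # constructed
    browser_key, wrapped = browser_wrap(cert)
    server_key = server_unwrap(wrapped, server_private_exponent, N)
    reply = bytearray(seal(server_key, b"balance: 100.00"))
    if tamper:
        reply[9] ^= 0x01                 # one bit changed en route
    return unseal(browser_key, bytes(reply))

if __name__ == "__main__":
    print(run_exchange(D))               # real bank: reply accepted
    print(run_exchange(3))               # server without the private key
    print(run_exchange(D, tamper=True))  # altered in transit
```

TLS 1.3 no longer sends the session key encrypted under the server's RSA key; it uses an ephemeral Diffie-Hellman exchange, and the certificate's key signs the handshake instead.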

Firewalls and Routers

Merrimack County Savings Bank works diligently to ensure that your transactions and personal data are protected against any type of intruder attack. All customer data is stored behind protective Firewalls and Routers that constantly monitor inbound traffic to your accounts. Unwanted or suspicious traffic is immediately denied based on all known intruder patterns or attempts. The Firewalls and Routers are audited on a periodic basis by a third party security company to ensure that they are functioning properly and are indeed protecting your accounts.

Internal Controls and Customer Responsibility

Strict internal procedures are in place within the bank, controlling every aspect of bank administration from training employees to confirming customer transactions to preventing service interruptions. Employee access to your information is restricted to those who have a business reason to know such information. New advances in security technology are happening daily, and we are constantly evaluating the security architecture to ensure that it provides the highest level of privacy and safety for bank customers.

Customers have their own set of responsibilities in providing security for their Internet bank account. Passwords must be kept secret. Users should make sure that no one is physically watching as passwords are entered. It is important to remember to exit the browser when leaving the computer.

If the PC is left unattended with the browser running and a valid user name and password cached, anyone can gain access to the account. Users should also take precautions to keep computers clean and free from viruses and spyware that could be used to capture password keystrokes.


When browsing our website, personal information, such as your e-mail address, is not collected. Some areas of our website require information, such as your e-mail address or your account number, to enable you to perform certain tasks (e.g., to review your accounts or correspond with us). In these cases, we collect the information necessary to interact with you.

If you visit us on the Internet, we may place a "cookie" on your browser that records the number of visits made to our various Web pages; however, personal information is not collected. If you use our Merrimack 24 Online Banking or Bill Pay programs, you may receive additional cookies that contain your unique identifier, allowing you to view and manage your accounts. These cookies may be linked to personally identifiable information.


Messages sent using the secure forms within our website are secure. Look for the icon of a padlock to verify a form's security. We preserve the content of your e-mail, your e-mail address and our response, so that we can more efficiently respond to any follow-up questions from you. We also retain this information to meet legal and regulatory requirements.

Regular Internet E-mail is Not Secure. Please do not send confidential information such as social security or account numbers to us via regular e-mail. In instances where e-mail addresses are provided, they are provided for information inquiries of a non-sensitive and non-confidential nature. Since an Internet e-mail response back to you would not be secure, we will not include confidential information in an unsecured e-mail response.

Phishing and Identity Theft

"Phishing" refers to activities of cyber-criminals who create an imitation of an existing legitimate web page and trick people into providing sensitive personal information. We will never send an e-mail that provides a link to the Merrimack 24 Online Banking logon screen. The recommended best practice is to access the logon screen from the link on our website homepage at or to go directly to the logon screen by keying in its address (URL):

In the worst case of phishing, you could find yourself a victim of identity theft. With the sensitive information obtained from a successful phishing scam, these thieves can take out loans or obtain credit cards and even driver's licenses in your name. They can do damage to your financial history and personal reputation that can take years to unravel. But if you understand how phishing works and how to protect yourself, you can help stop this crime.

How it works

In a typical case of phishing, you'll receive an e-mail that appears to come from a reputable company that you recognize and do business with, such as your financial institution. In some cases, the e-mail may appear to come from a government agency, including one of the federal financial institution regulatory agencies.

The e-mail will probably warn you of a serious problem that requires your immediate attention. It may use phrases, such as "Immediate attention required," or "Please contact us immediately about your account." The e-mail will then encourage you to click on a button to go to the institution's Web site. In a phishing scam, you could be redirected to a phony Web site that may look exactly like the real thing. Sometimes, in fact, it may be the company's actual Web site. In those cases, a pop-up window will quickly appear for the purpose of harvesting your financial information. In either case, you may be asked to update your account information or to provide information for verification purposes: your Social Security number, your account number, your password, or the information you use to verify your identity when speaking to a real financial institution, such as your mother's maiden name or your place of birth.

If you provide the requested information, you may find yourself the victim of identity theft.

How to Protect Yourself

  1. Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. E-mails and Internet pages created by phishers may look exactly like the real thing. They may even have a fake padlock icon that ordinarily is used to denote a secure site. If you did not initiate the communication, you should not provide any information.
  2. If you believe the contact may be legitimate, contact the financial institution yourself. You can find phone numbers and Web sites on the monthly statements you receive from your financial institution, or you can look the company up in a phone book or on the Internet. The key is that you should be the one to initiate the contact, using contact information that you have verified yourself.
  3. Never provide your password over the phone or in response to an unsolicited Internet request. A financial institution would never ask you to verify your account information online. Thieves armed with this information and your account number can help themselves to your savings.
  4. Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. If your financial institution offers electronic account access, periodically review activity online to catch suspicious activity.
  5. Review your credit report at least annually to monitor for unfamiliar transactions. Contact or call 1-877-322-8228 for your free annual credit report.
  6. Report suspicious e-mails or calls to the Federal Trade Commission through the Internet at, or by calling 1-877-IDTHEFT.

What to do if you fall victim

Contact your financial institution immediately and alert it to the situation. Report all suspicious contacts to the Federal Trade Commission through the Internet at, or by calling 1-877-IDTHEFT. If you have disclosed sensitive information in a phishing attack, you should also contact one of the three major credit bureaus and discuss whether you need to place a fraud alert on your file, which will help prevent thieves from opening a new account in your name. Here is the contact information for each bureau's fraud division:

P.O. Box 740250
Atlanta, GA 30374

P.O. Box 1017
Allen, TX 75013

P.O. Box 6790
Fullerton, CA 92634