Organizations handling debit and ATM personal identification numbers (PINs) are responsible for safeguarding this sensitive information. This responsibility not only makes sense from a customer service perspective amidst rising identity theft cases, but keeping PINs secure is required to comply with the American National Standards Institute (ANSI) rules on PIN security and for membership in major payment networks like NYCE, Pulse, and Star.
Payment networks require their members to complete and submit the Technical Report 39 (TR-39) every other year to maintain good member standing. (TR-39 was formerly known as TG-3.) Considered a basic network operating rule, TR-39 has been viewed as the industry standard in PIN security and key management. Penalties for TR-39 noncompliance include fines and denial of access for not meeting operating rules of the network. Should fraud occur in a noncompliance scenario, the organization could face strict financial and legal consequences.
The TR-39 Audit is conducted by a certified auditor and involves a review of an organization’s controls around PIN-based transactions. Policies and procedures regarding encryption, key management, and key protection are reviewed against TR-39 standards. The TR-39 Audit may include a review of encryption controls, an inspection of key inventory and associated protocols, as well as an inspection of datacenters, HSMs, and physical safes. Areas of noncompliance will be flagged so the organization can identify corrective actions for remediation.
Although the TR-39 Audit may be viewed as another compliance hurdle, it is a critical audit that allows organizations to effectively secure the sensitive data that customers have entrusted to them. Understandably, organizations would want to resolve any security holes that could lead to fraud, fines, and a decline in business. Under the guidance of a certified TR-39 Auditor, the organization should feel confident that the TR-39 Audit will reveal any opportunities to strengthen PIN security and key management and in so doing, secure the organization’s standing as a trusted place to do business.