Dara Security

TR-39 Audit

Background

A TR-39 (PIN Security and Key Management) and/or VISA PIN Audit provides a certified report on an organization's controls around PIN-based transactions; including encryption, key management, and key protection. This can include both symmetric and asymmetric encryption controls, key inventory and ceremony, inspection of datacenters, HSMs, Point of Sale (POS) devices and physical safes.

 

For retailers, an audit is generally required as part of a contract from an Electronic Funds Transfer (EFT) or debit network for a bank; or, from a bank to a merchant retailer if they switch their own debit transactions. Generally, banks of whom drive their own ATMs or process debit card transactions are required to pass a TR-39 audit. However, Pulse requires all acquiring members to pass a TR-39 audit. Third parties, such as key loading facilities, may also need an audit to be performed.

 

Validation

Having a Visa PIN/TR-39 audit performed validates that your policies and procedures surround PIN encryption and key management are compliant with Visa PIN and/or TR-39 standards. During the audit, noncompliant areas will be identified so corrective actions can be taken to remediate issues. In the end, this helps to safeguard debit and ATM PINs that traverse your system to protect your customer's finances and privacy. Finally, failing an audit could impact the organization's ability process debit card transactions.

 

Dara Security Experts

Dara Security's Certified TR-39 Auditors (CTGA) are qualified to perform audits for PULSE, STAR and NYCE network members. Our auditors are experts in understanding both the technical aspects, as well as the business aspects of your organization; with backgrounds in cryptography and transaction security. Furthermore, Dara Security not only has experience in auditing complex debit card environments, but it also has helped small to large retailers and financial institutions develop and implement compliant debit card systems as well.