At least every two years, EFT network members are required to submit a Security Compliance Review for PIN and Key Management ANSI/X9 TR-39 that assesses the organization’s compliance with ANSI/X9 TR-39 standards and network operating rules. This detailed and comprehensive security program is aimed at safeguarding consumer PIN and cryptographic systems used to protect the EFT payment system.
TR-39 Guidelines require:
- Encryption Keys be used only for a single designated purpose;
- No one person have knowledge of, or access to, all of the components of any Key (dual control/split knowledge);
- Encryption Keys never exist in written form and only in physically secure devices (Temper Resistant Security Module – TRSM);
- Documented procedures exist for the management of these control objectives.
If you experience changes in your ATM network you may have to provide an updated TR-39 (formerly TG-3) review to the EFT networks outside the “even year” schedule. This report must be filed immediately after the triggering event, which can include any of the following material changes:
- Change in ATM Processor
- Change in key loading responsibility (who loads the key)
- Known or suspected key compromise
- Change in Processor’s EFT application software
- Significant change in key management procedures (excluding an upgrade to TDEA)
PKM has experienced, certified IT auditors who understand the complexity of ANSI/X9 TR-39 standards; PIN and Key management principles and techniques; and the details involved with performing Security Compliance Reviews. PKM is CTGA Certified to peform audits for PULSE, STAR and NYCE network members and is on the approved auditor lists for both PULSE and STAR Networks, Inc. CTGA certification is required to perform audits of direct and indirect processors. Direct and indirect processors must submit proof of audit to the networks. Non processing members, while not required to submit audit papers to the networks, should be in compliance with the networks operating rules and the TR-39 guidelines.