Do You Need to Complete A TR-39 (TG-3)? The major PIN Debit Networks continue to have various requirements for their members relating to the completion of a PIN Audit. The following flow chart should help financial institutions determine their compliance requirements. Flow Chart.
The Managing Director of BCG has been featured in a recent article in “Credit Union Management” magazine.
The Heartland Compromise is leading financial institutions to demand tighter security from entities handling credit and debit card data. The Washington Credit Union League is among those promoting stiffer penalties and more accountability from entities causing data breaches. They want to recover the expense of card replacement from the breached entity. As states enact tougher laws it will be incumbent upon each entity that handles PIN debit encryption keys to make sure that they meet the ANSI X9 control objectives for PIN and Key Management.
Heartland Compromise leads to a class action lawsuit. In what may turn into a flood of claims, a lawsuit has been filed in the US District Court in New Jersey. This is another indication that there could be severe consequences for those that do not meet their network compliance requirements. Compliance and risk management officers should now be considering their institution’s PIN debit Key Management processes to determine their level of compliance and supporting documentation (TG-3).
Compliance Confusion: STAR Networks has revised its requirements for the TG-3 submission from non-processing acquirers. Effective November 2008, non-processing acquirers no longer need to submit their TG-3 reviews to STAR on a biennial basis. This has led to confusion among financial institutions about whether the TG-3 review still needs to be completed. It is important for STAR Members to understand that removing the requirement to submit the review to STAR in no way changes the obligations and liabilities of a STAR Member to comply with STAR security requirements, including the requirements pertaining to PIN and Key Management. If a STAR Member were to fail to comply with such requirements and a compromise were to occur that could have been prevented if that STAR Member had been compliant, STAR will hold that STAR Member liable for the resultant fraud losses incurred by each other participant in the STAR Network. We recommend that each STAR Member should, therefore, continue to conduct a periodic TG-3 review of its environment to ensure that it, and any third party acting on its behalf, is compliant with STAR security requirements.
Credit Union Management Magazine, a monthly publication for senior executives and directors of credit unions, has published an article in its July 2008 issue from Bankcard Compliance Group entitled, ATM PIN Security. A copy of the article is provided here.
A ruling on July 16th 2008, by the U.S. Third Circuit Court in Philadelphia may set a precedent for financial institutions to recover costs associated with the reissuing of bankcards due to a security breach by a third party. This court ruled in favor of Pennsylvania State Employees Credit Union and Sovereign Bank on their appeal of a breach of contract claim against BJ’s and Fifth Third Bank. The ruling reverses the district court ruling and will allow Pennsylvania State Employees CU and Sovereign Bank to continue with their case for compensation for losses. Although this could provide an important avenue for reimbursement of losses incurred due to others’ negligence, it could also be considered a warning for financial institutions to make sure that they are in compliance with their relevant network operating guidelines. The full text of the ruling is provided here.
The Credit Union Executive Society, CUES, has named Bankcard Compliance Group an approved vendor for PIN Security Services.
NYCE, STAR, and Pulse have introduced new auditor requirements in 2007. A new certification and accreditation entitled “Certified TG-3 Auditor” (CTGA) has been developed by these networks to improve and standardize the quality of the audits and the security controls used to protect PIN debit transactions. To earn the CTGA, an auditor must complete mandatory training and continuing education as well as pass a comprehensive exam. This new certification significantly strengthens the ability of a financial institution to objectively evaluate the competence of an auditor. Bankcard Compliance Group is pleased to provide a CTGA certified auditor for its clients. Please see the attached press release for more information. Press Release
The CUNA Technology Council, a national network of credit union technology professionals, published this article in its newsletter “CONNECTED”. The article, TG-3 TIME AGAIN, explains the purpose of the review and the benefits to the financial institution that completes the review. The entire article is available at:
www.cunatechnologycouncil.org/download/ctc804.pdf