Compliance Confusion: STAR and PULSE networks have revised their requirements for the TR-39 submission from non-processing acquirers. Non-processing acquirers no longer need to submit their TR-39 reviews to STAR or PULSE on a biennial basis. This has led to confusion among financial institutions about whether the TR-39 review still needs to be completed. It is important for STAR and PULSE Members to understand that removing the requirement to submit the review in no way changes the obligations and liabilities of a STAR and PULSE Member to comply with their security requirements, including the requirements pertaining to PIN and Key Management. If a Member were to fail to comply with such requirements and a compromise were to occur that could have been prevented had that Member been compliant, STAR or PULSE will hold that Member liable for the resultant fraud losses incurred by each other participant in the Network. We therefore recommend that each STAR and PULSE Member continue to conduct a periodic TR-39 review of its environment to ensure that it, and any third party acting on its behalf, is compliant with TR-39 security requirements.
"Credit Union Management" Magazine, a monthly publication for senior executives and directors of credit unions, has published an article in its July 2008 issue from Bankcard Compliance Group entitled "ATM PIN Security". A copy of the article is provided here.
Help Protect against PIN Debit Compromise by Staying Compliant with Network Mandates
Consumers prefer PIN Debit for security and ease-of-use
Bankcard Compliance Group is now in its 13th year of providing PIN Security Reviews
As reported December 13th, 2013, on the security blog KrebsOnSecurity, a simple but effective POS skimmer is now available for purchase by crooks. The skimmer is designed to look like the model of POS terminal being attacked; it fits over the top of the device and appears "normal" to users. The device can be installed quickly and removed after it has captured magnetic stripe data and PINs.
Brazilian crooks, not to be outdone, have also found a new skimming device for attacking an ATM. As security reporter Brian Krebs reported in his blog on December 13th, officials in Curitiba, Brazil, found a completely fake ATM covering a real ATM, allowing the crooks to skim PINs and card data.
The NCUA's Office of General Counsel maintains a rolling review schedule that identifies one-third of NCUA's existing regulations for review each year and provides notice of those regulations under review for the current year. For 2014, this included CFR 748, Guidelines for Safeguarding Member Information.
This regulation requires the development and implementation of a credit union's Information Security Program to provide administrative, technical, and physical safeguards appropriate to the nature and scope of its activities. It is important to note that subprovisions of Subtitle A of Title V of the Act state that a credit union must protect the security and confidentiality of the nonpublic personal information of its consumers. Furthermore, CFR 716.3(e)(1)(ii) states that an individual who provides nonpublic personal information to you in connection with the use of your ATM is your consumer.
Be sure your credit union has properly developed and implemented a PIN Security and Key Management Security program to protect your PIN debit transactions. The industry standard for validation of PIN security is the TR-39 review.
The Managing Director of BCG recently presented a seminar on the subject of ATM PIN Security to the Association of Credit Union Internal Auditors. A copy of the slides is available here.