All VISA® clients and third party agents that process PINs at ATMs and point-of-sale PIN-entry devices must comply with the PCI PIN Security Requirements. The completion of the PCI PTS V1.0 Security review forms by the end of the year is required as validation of compliance with the PCI PIN Security Requirements. Failure to comply may result in fines starting at $10,000 and increasing by $10,000 every thirty days of non-compliance. (VISA® International Operating Regulations ID #151012010410000746)
This review is designed to ensure that keys, key components, and key loading or storage devices are properly managed. This is to prevent a security exposure, which, if exploited, could result in losses to the consumer, network, and/or the financial institution. VISA® requires that the person completing the review be independent from operations and possess knowledge relating to PIN and Key management and that the acknowledgement of compliance form be signed by an officer of the firm.
We recommend having an independent professional PIN security auditor (CTGA) review your current encryption controls, procedures, and documentation. The review itself can help identify any shortcomings and develop action plans to achieve compliance. Furthermore, the field review is usually completed within a single day with minimal interruption to staff.
Bankcard Compliance Group can assist entities with the request for an extension of the compliance due date of 12/31/2012 if they are not prepared to perform the audit by the end of the year.
The Managing Director of BCG was featured in a recent article in “Credit Union Management” magazine.
Compliance Confusion: STAR and PULSE networks have revised their requirements for the TR-39 submission from non-processing acquirers. Non-processing acquirers no longer need to submit their TR-39 reviews to STAR or PULSE on a biennial basis. This has led to confusion among financial institutions about whether the TR-39 review still needs to be completed. It is important for STAR and PULSE Members to understand that removing the requirement to submit the review in no way changes the obligations and liabilities of a STAR and PULSE Member to comply with their security requirements, including the requirements pertaining to PIN and Key Management. If a Member were to fail to comply with such requirements and a compromise were to occur that could have been prevented had that Member been compliant, STAR or PULSE will hold that Member liable for the resultant fraud losses incurred by each other participant in the Network. We therefore recommend that each STAR and PULSE Member continue to conduct a periodic TR-39 review of its environment to ensure that it and any third party acting on its behalf are compliant with TR-39 security requirements.
"Credit Union Management" Magazine, a monthly publication for senior executives and directors of credit unions, has published an article in its July 2008 issue from Bankcard Compliance Group entitled, ATM PIN Security. A copy of the article is provided here.
Help Protect against PIN Debit Compromise by Staying Compliant with Network Mandates
Consumers prefer PIN Debit for security and ease-of-use
Bankcard Compliance Group is now in its 10th year of providing PIN Security Reviews