News 2014
T: +1 877 378 5344
F: +1 518 832 6710

Copyright Bankcard Compliance Group 2014

Compliance Confusion: STAR and PULSE networks have revised their requirements for the TR-39 submission from non-processing acquirers.   Non-processing acquirers no longer need to submit their TR-39 reviews to STAR  or PULSE on a biennial basis.  This has lead to confusion among financial institutions about whether the TR-39 review still needs to be completed.  It is important for STAR and PULSE Members to understand that removing the requirement to submit the review in no way changes the obligations and liabilities of a STAR and PULSE Member to comply with their security requirements including the requirements pertaining to PIN and Key Management. If a Member were to fail to comply with such requirements and a compromise were to occur that could have been prevented if that Member had been compliant, STAR  or PULSE will hold that Member liable for the resultant fraud losses incurred by each other participant in the Network. We recommend that each STAR and PULSE Member should, therefore, continue to conduct a periodic TR-39 review of its environment to ensure that it and any third party acting on its behalf is compliant with TR-39 security requirements.

"Credit Union Management" Magazine, a monthly publication for senior executives and directors of credit unions, has published an article in its July 2008 issue from Bankcard Compliance Group entitled, ATM PIN Security.  A copy of the article is provided here.
Help Protect against PIN Debit Compromise by Staying Compliant with Network Mandates
Consumers prefer PIN Debit for security and ease-of-use
Bankcard Compliance Group is now in its 11th year of providing PIN Security Reviews
Certified PIN Security and Key Management Auditors (CTGA)
TR-39 / 

As reported  December 13th, 2013, on security blog KrebsonSecurity, a simple but effective POS skimmer is now available for purchase by crooks. The skimmer is designed to look like the model of POS to be attacked and can fit over the top of the device and appear "normal" to users.  The device can be installed and removed quickly after it has captured strip data and PIN's. 

Brazilian crooks, not to be outdone, have also found a new skimming device for attacking an ATM. As security reporter Brian Krebs reported in his blog on December 13th, officials in Curitiba Brazil, found a completely fake ATM covering a real ATM and allowing the crooks to skim PIN's and card data.

The  NCUA's Office of General Counsel  maintains a rolling review schedule that identifies one-third of NCUA's existing regulations for review each year and provides notice of those regulations under review for the current year.  For 2014 this will include CFR 748 Guidelines for Safeguarding Member Information.

This regulation includes the development and implementation of a credit union's  Information Security Program to provide administrative, technical, and physical safeguards appropriate to the nature and scope of its activities.  It is important to note that subprovisions of Subtitle A of Title V of the Act states that a credit union must protect the security and confidentiality of the nonpublic personal information of  its consumers.  Furthermore, CFR 716.3 e 1 (ii) states that an individual who provides nonpublic personal information to you in connection with the use of your ATM is your consumer. 

Be sure your credit union has properly developed and implemented a PIN Security and Key Management Security program to protect your PIN debit transactions. The industry standard for validation of PIN security is the TR-39 review.

The Managing Director of BCG was featured in a recent article in “Credit Union Management” magazine.

The Managing Director of BCG recently presented a webinar on the subject of ATM PIN Security to a group of Commercial Bank Internal Auditors.  A copy of the slides are available here.

Would You Do Your Own Dental Surgery? --  Most EFT networks allow non processing entities to perform their own TR-39 Security review. To many, that makes about as much sense as doing your own dental surgery.  Most Financial Institutions are not qualifed to undertake such a review as they do not have trained staff that are knowledgeable of audit techniquies, trained in the ANSI X.9 PIN and Key Management Encryption controls, and indepdendent from the operations being reviewed. The TR-39 Sections IV and V contain over 90 control objectives.  These must be well understood to determine which are relevant to the particular environment and to properly implement to maintain compliance. Yet some networks continue to let them go merrily along the way performing "self-audits", checking off the boxes, or skipping the process altogether.  As a potential customer of a Financial Institution that performs a self-audit, should we customers be entitled to know if they performed a self-audit? Some might feel safer if they knew the TR-39 review had been conducted by an independent and network certified auditor.