The NCUA continues to stress that cybersecurity is a key concern, especially at it relates to electronic delivery channels including ATM's. The CFR 748 regulation includes the development and implementation of a credit union's Information Security Program to provide administrative, technical, and physical safeguards appropriate to the nature and scope of its activities. It is important to note that subprovisions of Subtitle A of Title V of the Act states that a credit union must protect the security and confidentiality of the nonpublic personal information of its consumers. Furthermore, CFR 716.3 e 1 (ii) states that an individual who provides nonpublic personal information to you in connection with the use of your ATM is your consumer.
Be sure your credit union has properly developed and implemented a PIN Security and Key Management Security program to protect your PIN debit transactions. The industry standard for validation of PIN security is the TR-39 review.
The FFIEC in cooperation with the OCC, FDIC, and NCUA has released a cybersecurity assessment tool to help financial institutions identify their cyber risk activities, assess the level of risk, and determine their ability to mitigate the risk.
This tool specifically addresses the ATM delivery channel risk and defines minimum risk controls expected from each financial institution. If you own ATM's at branch and/or retail locations, the FFIEC considers that you have a risk level of moderate to significant for this activity. The TR-39 and PCI PIN reviews can help ensure that an institution meets the associated controls for these risk levels.
Bank and Credit Unions are not (yet) required to use the assessment tool, however, the OCC and FDIC examiners will begin using the tool in late 2015, and the NCUA has indicated that their examiners will be using the tool by mid-2016. Although it is not a required assessment, the history of regulatory initiatives would indicate that it may soon become a requirement. All three regulators indicate that during the IT portion of the 2016 exams that they will be using this tool to measure information security risk controls.
The September 2016 issue of Credit Union Management magazine contains an article authored by Peter Trombley on Board responsibility for ATM and PIN Security control requirements . A copy of the article is available here.
The Managing Director of BCG, Peter Trombley, presented to the Region 5 - ACUIA conference on 9/28/15. His presentation on PIN Security and Key Management described the current Regulatory, Contractual, and Financial requirements surrounding this compliance issue. Copies of the presentation slides are availavble here.
As of July 2015, VISA® is now requiring that all financial institutions that acquire a VISA® PIN debit transaction perform appropriate due diligence to ensure compliance with all of the relevant PCI PIN v2.0 controls. Assessment results do not need to be submitted to VISA®, however, VISA® may request evidence of compliance or request an on-site PIN Security review of any organization, at any time, to ensure the security of their payment system. Individuals performing the assessment must have adequate knowledge on the PCI PIN Security requirements but do not have to be VISA® approved security assessors. Although VISA® does not explicitly mandate the completion of the PCI PIN v2.0 and associated SAQ, they readily admit that it would be hard for a financial institution to internally verify compliance without completing one.
The Managing Director of BCG, Peter Trombley, presented to the ACUIA national conference in Boston on 6/25/15. His presentation on PIN Security and Key Management updated the attendees on the increasing focus of regulators on payment system compliance risks.