February 2010
PULSE Network Now Requires PIN Security and Key Management Audits for All Institutions Every Even-Numbered Year

John Mills
As 2010 begins, your attention is probably focused on liquidity, asset quality and regulatory changes. While you focus on these major topics, do not neglect other issues and changes that might seem less important. The PULSE Network, an electronic funds transfer (EFT) network and large processor of debit card transactions, has implemented a change you may not yet be aware of. Beginning in 2010, PULSE requires all acquiring members to complete a TR-39 (PIN Security and Key Management, previously known as TG-3) audit and submit the audit report by December 31 of every even-numbered year.
Previously, PULSE required all processors that are directly or indirectly connected to the PULSE switch, and that handle PIN data, to complete these audits every even-numbered year, but only occasionally required them of non-processing entities. Now, both types of acquiring entities must submit the review on a regular basis.
The TR-39 audit, which covers ATM and point-of-sale (POS) terminals, has existed for several years. ATMs and POS terminals encrypt PIN data using algorithms whose security rests entirely on secret encryption keys that must be loaded into each device. If a key is compromised, the security of that device is gone, and because keys are commonly used to protect other keys, the compromise can spread to other keys the institution uses. Once that happens, the PIN data those keys protected is no longer secure, and as you can imagine, the ramifications can be severe.
The TR-39 audit focuses on compliance with standards established by the American National Standards Institute (ANSI) surrounding transactions and information processed through ATMs and POS terminals, and in most cases, the person performing the review must be a certified TR-39 auditor. PULSE, along with NYCE and STAR (two other EFT networks) developed the certification program. The TR-39 audit is used to evaluate the policies and procedures of a financial institution. Proper procedures reduce the likelihood a device could be compromised and establish the steps to be performed if a compromise is detected.
The PULSE Network is not the only network that requires TR-39 audits. Other EFT networks may require this review, but in general, it is required only for processing institutions. Since the TR-39 audit is based on ANSI standards, it is almost identical across all networks. In the past, networks have not invested significant effort in policing this requirement, so some financial institutions are unaware and noncompliant. If a violation or incident is discovered at an entity that has not performed a TR-39 audit, actions taken by the EFT network could be severe. We recommend checking with the EFT network(s) to which your institution belongs to make sure it is compliant with the network’s rules.
To perform a TR-39 audit, an auditor must determine whether the required policies and procedures exist and are actually being followed. Some of the significant policies, procedures and controls included in the audit are:
- Use of dual control and split knowledge (no single person ever has access to a complete clear-text key)
- Maintenance of proper logs (key generation, loading, custodian sign-offs and key check values)
- Proper handling and storage of encryption keys
- Use of compliant devices and encryption techniques
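To make the first and third of these controls concrete, here is an added illustration of split knowledge as practiced when loading a terminal key; it is not code from PULSE, BKD or the TR-39 standard. It assumes a double-length (16-byte) TDES key, two key custodians who each generate one component, XOR combination of the components inside the device (the method described in ANSI X9.24), and a key check value (KCV) computed as the first three bytes of the TDES encryption of an all-zero block. The two component values in the block are constructed for the demonstration; real components come from `GenerateComponent`.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// Added example (not PULSE/BKD/TR-39 code). Each custodian holds one
// component; the working key is formed only inside the device by XORing
// the components, so no custodian can recover the key from what they hold.
const keyLen = 16 // double-length TDES key

// fixParity forces DES odd parity on every byte (bit 0 is the parity bit).
func fixParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 1
		}
		out[i] = b
	}
	return out
}

// HasOddParity reports whether every byte of k carries DES odd parity.
func HasOddParity(k []byte) bool {
	for _, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// GenerateComponent is what each custodian runs independently.
func GenerateComponent() ([]byte, error) {
	c := make([]byte, keyLen)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return fixParity(c), nil
}

// KCV: TDES-encrypt an 8-byte zero block and keep the first 3 bytes.
// It confirms a component or key was entered correctly without revealing it,
// and is the value that belongs in the key-management log.
func KCV(key []byte) (string, error) {
	if len(key) != keyLen {
		return "", errors.New("expected a 16-byte double-length key")
	}
	k24 := append(append([]byte{}, key...), key[:8]...) // K3 = K1 for Go's 24-byte API
	block, err := des.NewTripleDESCipher(k24)
	if err != nil {
		return "", err
	}
	var out [8]byte
	block.Encrypt(out[:], make([]byte, 8))
	return hex.EncodeToString(out[:3]), nil
}

// VerifyComponent catches a mistyped component at load time instead of
// letting it silently produce a wrong working key.
func VerifyComponent(comp []byte, recordedKCV string) bool {
	got, err := KCV(comp)
	return err == nil && got == recordedKCV
}

// CombineComponents XORs all components, then restores odd parity: the XOR
// of two odd-parity bytes is even, so parity must be re-applied afterwards.
func CombineComponents(comps ...[]byte) ([]byte, error) {
	if len(comps) < 2 {
		return nil, errors.New("split knowledge requires at least two components")
	}
	key := make([]byte, keyLen)
	for _, c := range comps {
		if len(c) != keyLen {
			return nil, errors.New("component has wrong length")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return fixParity(key), nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Constructed components for the demonstration only.
var (
	ComponentA = mustHex("0123456789abcdeffedcba9876543210")
	ComponentB = mustHex("133457799bbcdff1133457799bbcdff1")
)

func main() {
	kcvA, _ := KCV(ComponentA)
	kcvB, _ := KCV(ComponentB)
	fmt.Println("custodian A records KCV", kcvA, "custodian B records KCV", kcvB)
	if !VerifyComponent(ComponentA, kcvA) || !VerifyComponent(ComponentB, kcvB) {
		panic("component re-entry failed its KCV check")
	}
	key, err := CombineComponents(ComponentA, ComponentB)
	if err != nil {
		panic(err)
	}
	kcvKey, _ := KCV(key)
	fmt.Println("working key KCV (the only key value that is ever logged):", kcvKey)
	fmt.Println("key differs from both components:",
		!bytes.Equal(key, ComponentA) && !bytes.Equal(key, ComponentB))
}
```

The log entry for a key ceremony records who entered each component, when, and the KCVs; it never records a component or the combined key. Note also that DES ignores each byte's parity bit, so a KCV check will not detect a flipped parity bit, which is why `CombineComponents` re-applies parity rather than relying on the check value.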
BKD has a certified TR-39 auditor on staff and has been performing these audits for several years. For more information on this issue or related matters, please contact your BKD advisor.