VISA PIN / TR-39 Audit

The overall objective is to ensure PIN security by testing compliance with the control objectives for cryptographic equipment, key encryption, and key management.

A TR-39 (PIN Security and Key Management) and/or VISA PIN Audit provides a certified report on an organization’s controls around PIN-based transactions, including encryption, key management, and key protection. This can include both symmetric and asymmetric encryption controls, key inventory and ceremony, inspection of datacenters, HSMs, Point of Sale (POS) devices, and physical safes.


This audit will validate that your policies and procedures surrounding PIN encryption and key management are compliant with Visa PIN and/or TR-39 standards. During the audit, noncompliant areas will be identified so corrective actions can be taken to remediate issues. This helps to safeguard debit and ATM PINs that traverse your system, protecting your customers' finances and privacy. Finally, failing an audit could impact your organization’s ability to process debit card transactions.


SecureState’s Certified TR-39 Auditors (CTGA) are qualified to perform audits for PULSE, STAR, and NYCE network members. Our auditors are experts in understanding both the technical and business aspects of your organization, with backgrounds in cryptography and transaction security. SecureState not only has experience in auditing complex debit card environments, but it also has helped small to large retailers and financial institutions develop and implement compliant debit card systems.

Approach and Methodology

The TR-39 audit covers POS and ATM operations in banks, credit unions, processors, merchants, ESOs, etc. The PIN Security Compliance Guideline is intended to implement a uniform security review. All entities that handle PINs and/or cryptographic keys used to secure PINs should complete a PIN Security Compliance review.

This guideline applies to all organizations using the Triple Data Encryption Algorithm – TDEA (reference 7) for the encryption of PINs used for retail financial services such as POS and ATM transactions, messages among retailers and financial institutions, and interchange messages among acquirers, switches and card issuers. The guideline should be completed by all organizations acquiring or processing transactions containing PINs, from the terminal driving system to the authorizing entity.

SecureState’s approach to a TR-39/VISA PIN Audit includes the following steps:

  • Review documented procedures for key management
  • Audit key loading facilities
  • Analyze data related to encryption techniques