The TR-39 audit covers POS and ATM operations in banks, credit unions, processors, merchants, ESOs, etc. The PIN Security Compliance Guideline is intended to implement a uniform security review. All entities that handle PINs and/or cryptographic keys used to secure PINs should complete a PIN Security Compliance review.
This guideline applies to all organizations using the Triple Data Encryption Algorithm (TDEA) (reference 7) for the encryption of PINs used for retail financial services such as POS and ATM transactions, messages among retailers and financial institutions, and interchange messages among acquirers, switches and card issuers. The guideline should be completed by all organizations acquiring or processing transactions containing PINs, from the terminal driving system to the authorizing entity.
SecureState’s approach to a TR-39/VISA PIN Audit includes the following steps:
- Review documented procedures for key management
- Audit key loading facilities
- Analyze data related to encryption techniques