Pub. 11 2014 Issue 3

O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S - H E L P I N G N E W M E X I C O R E A L I Z E D R E A M S Fall • 2014 15 A TM networks have establ ished requi rements that include regular audits of machines’ PIN security and encryption-key management funct ion. And these requirements don’t af fect only f inancia l inst itut ions—other organi zat ions involved in PIN secur it y and encr ypt ion-key management must a lso comply. PINSecurity and KeyManagement: Complying with Audit Guidelines By Francis Tam, Partner, Moss Adams LLP The Accredited Standards Committee’s Technical Report No. #39 (TR-39) is an audit guideline for PIN security and key management based on two standards from the American National Standards Institute: X9.24 on key management and X9.8 for PIN security. Because of the au- dit’s complexity and the subject matter’s technical nature, many organizations don’t have sufficient internal resources to complete these reviews or obtain the nec- essary certification. Who Must Comply? All financial institutions and mer- chants that are processing members of the STAR or PULSE network, directly or indirectly, are required to have a TR-39 audit performed biennially by a certified auditor and to submit their report to the network. Nonprocessing members of STAR or PULSE must also comply with this audit requirement, but they aren’t required to submit their reports to the network. The audit’s due date for STAR and PULSE members is December 31 of every even-numbered year, unless the networks grant an extension to that member. Any member of NYCE that process- es transactions and directly connects to NYCE must also have this audit per- formed. If a financial institution process- es transactions but is indirectly connect- ed to NYCE, the audit isn’t required. The TR-39 due date for NYCE members is also December 31, but it’s every two years from a member’s first TR-39 audit. In addition, other ATM network ser- vice providers mandate that customers to comply with their own customized version of the PIN security and encryp- tion-key management requirements. For example, CO-OP network clients are re- quired to complete a self-assessment and submit the results via the CO-OP online reporting tool. The due date is December 31 of every even-numbered year. What Are Common Audit Findings, and How Can I Avoid Them? A new concern for many organizations is Microsoft’s announcement that, as of April 8, 2014, it will no longer support Windows XP—the operating system used by many ATMs. This means no new up- dates will be provided when security vul- nerabilities are discovered. The inability tomaintain security for this operating sys- n PIN SECURITY  continued on page 16 NMBA ASSOCIATE MEMBER