TG-3 ATM Audit

At least every two years, EFT network members are required to submit a Security Compliance Review for PIN and Key Management ANSI X9/TG-3 that assesses the organization’s compliance with ANSI X9/TG-3 standards and network operating rules. This detailed and comprehensive security program is aimed at safeguarding consumer PIN and cryptographic systems used to protect the EFT payment system.

Tg-3 Guidelines require:

• Encryption Keys be used only for a single designated purpose;
• No one person have knowledge of, or access to, all of the components of any Key (dual control/split knowledge);
• Encryption Keys never exist in written form and only in physically secure devices (Temper Resistant Security Module - TRSM);
• Documented procedures exist for the management of these control objectives.

If you experience changes in your ATM network you may have to provide an updated TG-3 review to the EFT networks outside the "even year" schedule. This report must be filed immediately after the triggering event, which can include any of the following material changes:

• Change in ATM Processor
• Change in Key loading responsibility (who loads the Key)
• Known or suspected Key compromise
• Change in Processor’s EFT application software
• Significant change in Key management procedures (with the exception of upgrade to TDEA)

PKM has experienced, certified IT auditors who understand the complexity of ANSI X9/TG-3 standards; PIN and Key management principles and techniques; and the details involved with performing Security Compliance Reviews.

Click here to download more information about PKM's TG-3 ATM Audit process.