TR-39 ATM Security Audit
Protect Your Data with a TR-39 ATM Security Audit
As a bank executive, you understand the importance of protecting sensitive information. It not only makes sound business sense, but it’s also required by regulators. At PKM, we too understand the importance of protecting your customers’ data. A TR-39 (formerly TG-3) is a security audit that offers you and your customers reassurance that every effort is being made to protect sensitive ATM information and, moreover, the integrity of your business.
A TR-39 ATM security audit will verify compliance against your network operating procedures and TR-39 guidelines. The guidelines help to ensure that your encryption Keys never exist in written form (except in a physically secure TRSM device) and are used only for a single designated purpose. They also help you determine that no one person in your organization has knowledge of, or access to, all of the components of any Key and that you have properly documented procedures for the management of these control objectives.
When Would I Need a TR-39 Security Audit?
A TR-39 security audit is characteristically required by EFT networks and regulators on an “even year” schedule. However, if you experience any changes in your ATM network, you will likely need to provide an updated TR-39 review immediately following the triggering event. Triggering events can include a variety of material changes to your network, such as:
- a change in ATM processor
- a change in Key loading responsibility
- a known or suspected Key compromise
- a change in the processor’s EFT application software
- the introduction of new ATM services
PKM’s experienced, certified IT auditors understand the complexity of ANSI/X9 TR-39 standards, PIN and Key management principles and techniques, and the details involved in performing security compliance reviews. PKM is CTGA-certified to perform audits for PULSE, STAR and NYCE network members, and our firm is an approved auditor for both PULSE and STAR Networks. Not just any auditor can perform these complex security compliance reviews; CTGA certification is required to perform audits of direct and indirect processors, who must submit proof of security compliance to the networks.