TR- 39 (formerly TG-3) ATM Audit
Systems Services
- SSAE 16 Resource Center
- SAS 70 Resource Center
- Risk Management Assessment
- SOX 404 IT Controls
- Outsourced Information Technology Internal Auditor
- IT General Controls Review
- Network Vulnerability Assessment
- Agreed-Upon Procedures Engagements
- Auditing Application Controls
- Audit Support for IT General & Application Controls
- Penetration Testing
- TR-39 (formerly TG-3) ATM Audit
- IT Infrastructure
At least every two years, EFT network members are required to submit a Security Compliance Review for PIN and Key Management ANSI/X9 TR-39 that assesses the organization’s compliance with ANSI/X9 TR-39 standards and network operating rules. This detailed and comprehensive security program is aimed at safeguarding consumer PIN and cryptographic systems used to protect the EFT payment system.
TR-39 Guidelines require:
- Encryption Keys be used only for a single designated purpose;
- No one person have knowledge of, or access to, all of the components of any Key (dual control/split knowledge);
- Encryption Keys never exist in written form and only in physically secure devices (Temper Resistant Security Module - TRSM);
- Documented procedures exist for the management of these control objectives.
If you experience changes in your ATM network you may have to provide an updated TR-39 (formerly TG-3) review to the EFT networks outside the "even year" schedule. This report must be filed immediately after the triggering event, which can include any of the following material changes:
- Change in ATM Processor
- Change in Key loading responsibility (who loads the Key)
- Known or suspected Key compromise
- Change in Processor’s EFT application software
- Significant change in Key management procedures (with the exception of upgrade to TDEA)
PKM has experienced, certified IT auditors who understand the complexity of ANSI/X9 TR-39 standards; PIN and Key management principles and techniques; and the details involved with performing Security Compliance Reviews. PKM is CTGA Certified to peform audits for PULSE, STAR and NYCE network members and is on the approved auditor lists for both PULSE and STAR Networks, Inc. CTGA certification is required to perform audits of direct and indirect processors. Direct and indirect processors must submit proof of audit to the networks. Non processing members, while not required to submit audit papers to the networks, are required to perform the audits and keep them on file.
Follow this link for more information about PKM's TR-39 (formerly TG-3) ATM Audit process.
| About
Us | People | Services
| Industries | Careers
| Site Map | Home |
Events |
Contact Us |
Copyright 2011. All rights reserved. Secure
Document Transfer or Secure Payment Processing
