PIN/KEY Management Audit and TG-3

December 12, 2008

The STAR, Pulse and NYCE ATM networks all require some form of PIN/KEY management audit. Unfortunately, they are inconsistent in their audit requirements and seemingly wavering in how they apply them.

Case in point: STAR has been requiring non-processors to have TG-3 audits performed. (All three networks require certain processors to have TG-3 audits performed.) In late November, STAR sent a confusing letter to network subscribers stating that TG-3 audits would no longer need to be “filed” by non-processors. This notice came just a month or so before the filings had previously been due. Many TrustCC non-processor clients still had the audits performed.

The purpose of this post is to announce the release of TrustCC’s sample TG-3 Key/PIN management procedures. Our sample is now available on the TrustCC website. Our TG-3 audits have revealed that many banks and credit unions do not fully understand important Key management security procedures and do not have compliant practices to prevent ATM fraud. The sample procedures are intended to help community banks and credit unions comply with “best practices” whether or not they have a TG-3 audit requirement.

The sample will need to be revised on a client-by-client basis. The revisions should be specific to the financial institution and should focus on the principle of “dual control and separate knowledge.”

Please contact TrustCC should you require any assistance with TG-3 or other IT audit/security matters.

–  TrustCC

