TG3/TR39 PIN Security and Key Management Training Course Agenda
Day 1 Agenda
· Introduction to historic data encryption algorithms
· Emergence of modern encryption algorithms; e.g. DES, 3DES and public key algorithms
· Application of 3DES and Public Key algorithms to retail banking applications
· Logical structure of data flow in transactions originating from ATMs
· Description of all encryption keys used within an ATM environment
· Description of all encryption Keys used between a financial institution and EFT networks as transactions are routed to/from networks
· Description of the encryption Keys used within a POS environment
· Description of cryptographic hardware modules used in processing ATM and/or POS transactions
· Risks and threats in compromise of each one of the keys used to protect ATM or POS transactions
· Class Exercise
· Review of class exercise, Questions-Answers
Day 2 Agenda
· Review of X9.8 standard on Retail Banking PIN Management
· Review X9.24 standard on Retail Banking Key Management
· Management of encryption Keys throughout their entire lifecycle, covering:
- Key Generation,
- Key Distribution,
- Key Usage,
- Key Loading,
- Key Storage, and
- Key Destruction.
· Principles of Dual Custody and Split Knowledge
· Roles and Responsibilities of Key Management team
· Use of proper Cryptographic modules; i.e. Tamper Resistant Security Modules for processing PINs
· Secured Environments
· Key Bundling; e.g. AKB per ANSI Technical Requirement #31 (TR-31)
· Required Audit Trails
· Class project
· Review of class project, Questions-Answers
Day 3 Agenda
· Review of the Public-Private Key algorithm (also known as an asymmetric encryption algorithm) used to perform ‘Remote Key Loading’ in ATMs
· Review of digital signatures used to provide integrity for Keys transferred between ATMs/HSMs where remote key loading is deployed
· Use of digital certificates, in conjunction with Public Key algorithms, to provide authentication of ATMs and Host processors
· Role and operation of a ‘Certificate Authority’ as a third party offering the digital certificates used in the ‘Remote Key Loading’ process
· General guidelines on the lifetime of digital certificates, their issuance and their revocation
· Review of the new controls in section 5 of the 2008 released TG-3 audit guideline
· Latest updates with the major EFT networks; e.g. Star, Pulse and NYCE requirements, as they relate to TG-3 audits
· Class Exercise
· Review of class exercise, Questions-Answers
· Network Exam (mandatory for auditors seeking “network” certification)
Please Note: The exam will be submitted to the networks for grading!
General PIN Security and Key Management Course in ATM/POS Operations
Day 1 Agenda, Use of Symmetric Key Cryptography
· DES/3DES algorithm and its use in ATM/POS PIN debit operations
· Various Keys used in ATM/POS PIN debit operations
· Various Key Management schemes using DES, pros & cons
· Key lifecycle phases and management of encryption Keys
· Key management team’s roles and responsibilities
· Cryptographic Device management
· Risks and threats of not managing Keys properly, i.e. Key Compromise
· Relevant Key management standards and best practices
· Class Exercise
· Review of class exercise, Questions-Answers
Day 2 Agenda, Use of Asymmetric Cryptography (aka Public-Private Key Cryptography)
· Asymmetric Key cryptography and the two US standard schemes; i.e. ECC & RSA
· Use of Asymmetric Cryptography in ATM/POS operations to perform remote Key loading
· Pros/cons of the two asymmetric encryption schemes
· Various elements that provide authentication and trust in remote Key loading; e.g. Certification Authorities
· Cryptographic Device Management
· Risks and threats in the PKI environment, i.e. Key/CA Compromise
· Class project
· Review of class project, Questions-Answers
Key Management Policies and Procedures Writing Course Covering Symmetric & Asymmetric Key Cryptography
Please Note: The prerequisite to this course is the core training class on PIN Security and Key Management.
Day 1 Agenda
· Brief review of TG-3 requirements on Key Management Policies and Procedures
· Key Management Team Roles and Responsibilities Procedures
· Addressing Key lifecycle phases
· Key Generation methods and procedures
· Key Storage procedures
· Key Distribution procedures
· Key Loading into ATMs, HSMs and KLDs
· Key Destruction procedures
· Key Compromise procedures in ATMs using manual Key loading
· Procedures on the compliance of cryptographic devices and ATMs
· Procedures on storage of cryptographic devices and tools
· Procedures on handling of cryptographic devices and tools
· Procedures on monitoring cryptographic errors in cryptographic devices and ATMs
· Procedures on checking on secured environments
· Procedures on retirement of cryptographic devices and ATMs
· Class project
· Review of class project, Questions-Answers
Day 2 Agenda
· Brief review of TG-3 requirements on Asymmetric Key Management (aka remote Key loading)
· Procedures on evaluating device and application controls
· Procedures on evaluating vendor products and services offering remote Key loading
· Procedures on managing functions as they apply to a financial institution’s deployment of remote Key loading for ATM/POS
· Role of third parties involved in Asymmetric cryptography and their controls and procedures
· Class Exercise
· Review of class exercise, Questions-Answers
REGISTRATION is done by directly emailing AzieAmini@Yahoo.com. Registration needs to be done at least 4 weeks in advance of the course date. The preferred payment method is a company check for the exact amount submitted at the time of registration.
NEW… Effective 2008, the three networks NYCE, PULSE and STAR have published a standard exam for all auditors who wish to obtain a certificate from this course by the networks. Such a certificate is required for all "auditors" who wish to perform TG-3 audits for processing network member banks, credit unions, merchants and other financial service providers. Although all 3 listed networks have collectively come up with this exam, it should be mentioned that NYCE views this exam as optional and NOT mandatory, while STAR and PULSE view it as mandatory. Auditors who take this exam and receive a passing grade will receive the certificate and the new CTGA (Certified Technical Guideline #3 Auditor) designation. Examination criteria and relevant information will be provided through each network's normal communication methods to their members.
For the “Refresher” course the same exam as the core will be required of the "auditors" who wish to perform this audit for processing network member banks, credit unions and financial service providers. Upon attending the core or refresher trainings, the trainees will receive a certificate of attendance issued by eSmart Solutions. Each certificate given for “Core” or “Refresher” training is valid for two consecutive years.
Fee for the full 3 day “Core” TG-3 Training course is $1400. Please note that this fee is just for the training. For those who wish to take the certification exam as well, the fee for that would be an additional $300.
Fee for the 1.5 day "Refresher" TG-3 Training course is $700. Please note that this fee is just for the training. For those who wish to take the certification exam as well, the reduced fee would be an additional $300.
Fee for just taking the TG-3 “Certification exam” (CTGA) by itself is $400. This is a 4 hour long exam and it is closed book/notes, to be graded by the networks. The certificate is issued by the networks and mailed directly to the individuals who receive a passing grade.
Fee for the 2 Day “General PIN Security & Key Management, Based on Symmetric & Asymmetric Cryptography” course is $1000.
Fee for the 2 Day “TG3 PIN Security & Key Management Procedure Writing” course is $1200.
CANCELLATION may be done up to 3 weeks in advance of the scheduled course for a full refund. Cancellation within 2 weeks of the training will result in half of the training fee being deducted. Any cancellation with less than 1 week notice will result in the entire fee being forfeited.
ON-SITE Trainings are offered for those who prefer different dates or private onsite sessions. If interested in that option, please send us an email to find out more.