PIN Security and Key Management Compliance (TG-3/TR-39) Audit Training
Technical Guideline #3, or TG-3, which has recently been renamed Technical Report #39 or TR-39, is a technical audit of the security of PIN debit transactions within Automated Teller Machine (ATM) or Point of Sale (POS) environments. This audit guideline was developed by the American National Standards Institute (ANSI) to establish general best practices and a minimum level of security for the management and handling of cardholders' PINs in debit transactions, as well as for the handling of the cryptographic data used to protect those PINs. This audit is critical to all parties involved in ATM or POS operations: because transactions are routed to various sites, the insecure practices of one entity can jeopardize all other participants in that environment, so the liability can be enormous. For this reason alone, the TG-3 audit criteria were developed by ANSI with a team of auditors and data security professionals, who collectively produced this audit guideline to give the industry an acceptable level of security in the operations of financial institutions and their various service providers.
This audit is now mandated by all major Electronic Fund Transfer (EFT) networks, such as Star, NYCE and Pulse, for their members on a bi-annual basis.
To perform the audit, EFT switches require well-trained and certified auditors who have been through one or more training courses on the objectives of this audit. The training courses we offer take a thorough and detailed approach to educating auditors, as well as ATM/POS IT support professionals, on what is involved in proper PIN/Key management operations and compliance with the audit.
It is our pleasure to offer a number of training courses throughout the year that take an in-depth and thorough approach to performing or preparing for the TG-3 audit of PIN and Key management processes. For course details, dates, and fees click on the links below.
In addition to the training sessions currently listed, we also provide on-site training if a minimum number of trainees are present. If you are interested in that option, please send us an email to find out more about on-site training.
Key Management Policies and Procedure Writing Course (per TG-3 Audit Controls)
Compliance with the TG-3 audit means there need to be clear and explicit procedures for any activity that involves the use and handling of encryption Keys. These procedures need to set out, step by step, the actions that designated individuals must take to handle or process Keys. This training course provides detailed descriptions and examples of writing procedures to cover the lifecycle of encryption Keys, as used in ATM and/or POS operations. In this 3-day training course we will cover the procedures for the following:
• Key Management Team Roles and Responsibilities
• Key Lifecycle Phases
• Key Generation
• Key Storage
• Key Loading
• Key Distribution
• Key Destruction
• Key Compromise in ATMs using manual Key loading
• Storage of cryptographic devices and tools
• Handling of cryptographic devices and tools
• Monitoring cryptographic errors in cryptographic devices and ATMs
• Repair and retirement of cryptographic devices and ATMs
• Remote Key Loading Procedures
• Key Compromise in ATMs using remote Key loading technology
This course provides detailed examples of how to perform each function, and will provide a binder with these examples. The trainees will leave with the necessary knowledge of what they are expected to develop, and with examples of how to do so.
For more details, training dates and fees click on the links below.