
ATM and Card Security Update 7 20 12 - Accume Partners · 2012-08-01


CONTRACTUAL COMPLIANCE DEADLINE APPROACHING

Financial institutions with ATMs should perform periodic security reviews as is required in the signed ATM contract/agreement. Failure to conduct the reviews could result in significant fines if a breach occurs.

Financial institutions which accept credit/debit cards at their ATMs also need to conduct a card security compliance review, as is typically stated in the card contract/agreement. Even if your ATMs are managed through a service company, you may need to supply the completed security review forms to the service company.

Some service organizations have begun announcing fines that begin at $10,000 for non-compliance with the December 2012 filing deadline. It is recommended to have an independent professional security auditor review your current ATM and card practices and put together an integrated security review plan. Because of the compliance review similarity, it is usually cost effective to conduct both ATM and card reviews at the same time.

COMPOUNDED FINES FOR MISSING THE REVIEW DEADLINES

Visa and MasterCard are requiring service companies (e.g., FIS, Jack Henry, etc.) and financial institutions accepting cards (ATM or POS) to comply with the PIN security program by 12/31/2012.

If your ATMs are managed through a service company, you may need to supply the completed security review and officer attestation forms to the service company. For a U.S. member who fails to complete and return the security forms, Visa will be issuing fines that begin at $10,000 and increasing by $10,000 every 30 days.

In preparation for the Visa deadline of 12/31/12, some service organizations are requiring their clients to submit evidence of the VISA compliance review earlier so that they can establish their compliance by year-end. For example, FIS is assessing a $500 penalty for not returning the PIN security forms by July 17, 2012, and a $1,000 penalty for each subsequent 30-day period the forms are not returned.

Financial institutions should verify with their servicing company for applicable deadlines and penalties.

accumepartners.com

SPECIAL ALERT

ATM and CARD SECURITY UPDATE

July 2012

Important Security Review Dates

• Service providers need time to complete their reviews and some are requiring earlier review filings from clients as early as July 17, 2012.

• TR-39 internal security review due by December 2012.

• PCI review filing due by December 2012.

This article discusses the need for security compliance reviews of institutions with automated teller machines (ATM) and instant issue credit/debit cards. Large fines are possible if compliance is not followed.  Although briefly discussed, this newsletter is not meant to cover institutions which process transactions. 


ATM AND CARD SECURITY TIES

ATMs rely on transaction authorization of a financial transaction by the card issuer or other authorizing institution via the communications network. This is performed through ISO 8583 standard messaging (financial transaction card originated messages and interchange message specifications). ATM transactions are required to use Triple DES (data encryption standard). Additional methods are often employed by the network providers and ISOs to ensure transaction security and secrecy on all communications traffic between the ATM and the Transaction Processor.

ATMs (and POS) devices use “PIN activated transactions.” Each transaction is originated using a debit or credit card and Personal Identification Number. With each interchange transaction, the security of the customer’s PIN must rely on the security procedures and controls of the various processing entities and the use of certified devices. The most common standard used to evaluate organizations is the Technical Guide (TR-39 formerly known as TG-3) developed by ANSI as part of the X9 standards for financial institutions.

TR-39 compliance is the standard required by all organizations that accept debit cards through ATMs. TR-39 is a contractual standard that is not government regulated. Because transactions using ATMs and debit cards (and POS and credit) are closely linked, the card standard, Payment Card Industry Data Security Standard (PCI DSS) has many similarities to the TR-39 standard. And like TR-39, PCI DSS is also a contractual standard that is not government regulated.
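The three paragraphs above describe the message format (ISO 8583), the PIN-activated transaction and the reason PIN and key handling is reviewed. The following Python example, added here and not code from the newsletter or from Accume Partners, makes that concrete: it builds and parses a small ASCII-rendered ISO 8583 message, checks that a financial request carries a PIN block (field 52), and produces a log-safe copy that masks the PAN and drops the PIN block and track data. The field table, the ASCII rendering of bitmaps and binary fields, the sample PIN block bytes and the rule "every 02xx request is PIN-activated" are assumptions made for this example; real networks define their own field layouts, and the PIN block on the wire would be Triple DES ciphertext rather than the sample hex used here.

```python
# Minimal ISO 8583 builder/parser plus log redaction (added example;
# not code from the newsletter). Assumptions: ASCII MTI, 16-hex-digit
# bitmaps, binary fields carried as ASCII hex, and a constructed field
# table covering only the fields used below.

# field number -> (name, format, length). "n"/"ans" are fixed-length text;
# "LLVAR" has a 2-digit length prefix and the length given is the maximum;
# "b" is binary carried as ASCII hex (16 hex chars = 8 bytes).
FIELD_SPEC = {
    2: ("pan", "LLVAR", 19),
    3: ("processing_code", "n", 6),
    4: ("amount", "n", 12),
    11: ("stan", "n", 6),
    35: ("track2", "LLVAR", 37),
    41: ("terminal_id", "ans", 8),
    52: ("pin_block", "b", 16),
    70: ("net_mgmt_code", "n", 3),
}

# PCI DSS sensitive authentication data: never written to logs.
SENSITIVE_FIELDS = {35, 52}


def bitmap_to_fields(hexmap):
    """Return the 1-based bit numbers set in a 16-hex-digit bitmap."""
    bits = bin(int(hexmap, 16))[2:].zfill(len(hexmap) * 4)
    return [i + 1 for i, b in enumerate(bits) if b == "1"]


def build_iso8583(mti, fields):
    """Serialise MTI + bitmap(s) + fields; bit 1 flags a secondary bitmap."""
    bits, body = 0, ""
    for num in sorted(fields):
        name, fmt, length = FIELD_SPEC[num]
        value = fields[num]
        if fmt == "LLVAR":
            if len(value) > length:
                raise ValueError(f"field {num} ({name}) exceeds {length} chars")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"field {num} ({name}) must be {length} chars")
            body += value
        bits |= 1 << (128 - num)  # bit 1 is the most significant bit
    if any(num > 64 for num in fields):
        bits |= 1 << 127  # bit 1 set: secondary bitmap follows the primary
        return mti + f"{bits:032X}" + body
    return mti + f"{bits >> 64:016X}" + body


def parse_iso8583(msg):
    """Parse an ASCII ISO 8583 message into {field name: value}."""
    pos = 4
    present = bitmap_to_fields(msg[pos:pos + 16])
    pos += 16
    if 1 in present:
        present.remove(1)
        present += [64 + b for b in bitmap_to_fields(msg[pos:pos + 16])]
        pos += 16
    parsed = {"mti": msg[:4]}
    for num in sorted(present):
        if num not in FIELD_SPEC:
            raise ValueError(f"no field definition for bit {num}")
        name, fmt, length = FIELD_SPEC[num]
        if fmt == "LLVAR":
            declared = int(msg[pos:pos + 2])
            pos += 2
            if declared > length:
                raise ValueError(f"field {num} length {declared} exceeds spec")
            length = declared
        value = msg[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"message truncated inside field {num}")
        pos += length
        parsed[name] = value
    if pos != len(msg):
        raise ValueError("trailing data after last field")
    return parsed


def has_required_pin_block(parsed):
    """False when a 02xx financial request arrives without field 52.
    Assumption for this example: every 02xx request from an ATM is PIN-activated."""
    if parsed["mti"].startswith("02"):
        return "pin_block" in parsed
    return True


def mask_pan(pan):
    """Keep the first six and last four digits (the PCI DSS display allowance)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_for_log(parsed):
    """Copy of the parsed message that is safe to write to a log."""
    safe = dict(parsed)
    for num in SENSITIVE_FIELDS:
        name = FIELD_SPEC[num][0]
        if name in safe:
            safe[name] = "<redacted>"
    if "pan" in safe:
        safe["pan"] = mask_pan(safe["pan"])
    return safe


# Constructed sample: a 0200 cash-withdrawal request. The PIN block is sample
# hex, not a real encrypted PIN, and the PAN is the 4111... test card number.
SAMPLE_FIELDS = {
    2: "4111111111111111",
    3: "010000",
    4: "000000010000",
    11: "000123",
    35: "4111111111111111=25121011234",
    41: "ATM00001",
    52: "1122334455667788",
}

if __name__ == "__main__":
    wire = build_iso8583("0200", SAMPLE_FIELDS)
    msg = parse_iso8583(wire)
    print("PIN block present:", has_required_pin_block(msg))
    print("log view:", redact_for_log(msg))
```

The redaction step is the part a reviewer looks for: the parsed message is what a processor or switch holds in memory, and the log-safe copy is the only form that should reach log files, tickets or screenshots handed to an auditor.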

WHAT IS AN INTERBANK NETWORK?

Most automated teller machines (ATMs) and point of sale devices (POS) are connected to interbank networks, enabling people to withdraw and deposit money from machines not belonging to the bank where they have their accounts or in the countries where their accounts are held, enabling cash withdrawals in local currency.

A few examples of common US interbank networks are STAR, CO-OP, NYCE, PULSE, PLUS, Cirrus, MAC and MOST. For credit unions, some common examples are Allpoint, CU$ and Shared Branching. Off-premise machines (outside the Bank’s network) are typically deployed by Independent Sales Organizations (ISOs).

BANKS AND CREDIT UNIONS: STAR AND CO-OP

The STAR Network began over 25 years ago and has grown into one of the nation’s largest PIN-secured electronic funds transfer (EFT) debit networks. The STAR Network expanded through growth, consolidation, mergers, acquisitions, combining regional debit networks across the country including HONOR, ALERT, MOST and lastly MAC in 2001.

In 2003, the STAR Network was acquired by First Data Corporation. Backed by First Data, the STAR Network provides products and services to financial institution members, as well as to processors and billers. The network offers cardholders access to secure electronic transactions.

In 2010, CO-OP Financial Services, the Electronic Funds Transfer (EFT) industry leader for credit unions, extended its network access through an agreement with First Data Corp’s STAR Network and provides STAR Network access to credit union members.

Important: Please note that the examiners and regulators are not identifying this because the security reviews are contractual obligations and are not government regulated.

WHAT DOES A TR-39 REVIEW ENTAIL?

TR-39 was developed to document general best practices and a minimum level of security in place with regards to management and handling of card holders’ PINs in debit transactions, as well as handling of cryptographic data used to protect such PINs.

A compliance review is critical to all parties involved in ATM or POS operations, including Instant Issue Debit/Credit Card issuers whose transactions are routed to various sites, since the unsecure practices of one entity can jeopardize all other participants in that environment, so the liability can be enormous.

This compliance review is now mandated by all major Electronic Fund Transfer (EFT) networks such as STAR/First Data, NYCE, Pulse and CO-OP, or by their members (e.g., Jack Henry, FIS, etc.), every two years (i.e., in even years).

Compliance with TR-39 means there are clear and explicit procedures for all activities involving ATMs, PINs and encryption keys.

The review areas include an evaluation of the following:

• Compliance with applicable standards and requirements (e.g., ANSI TR-39 and other gateway operating rules)

• Required TR-39 Policies & Procedures

• ATM Maintenance Procedures

• Related Security Reviews

• Related Vendor Reviews

• PIN Security and Key Management Practices

• ESO (Encrypting Service Organization) Compliance

• Repair and Retirement of ATMs

WHAT DOES A PCI DSS REVIEW ENTAIL?

The Payment Card Industry (PCI) also requires periodic security reviews for those institutions issuing, accepting or processing credit/debit cards. The Payment Card Industry uses a security assessment document from the PCI Security Standards Council titled Payment Card Industry (PCI) Data Security Standard (DSS). The current standard is PCI DSS Version 2.0, October 2010.

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios. The forms include an attestation of compliance to be signed by an officer of the financial institution.

WHAT TO DO – NEXT STEP

If you have a card agreement, either directly with Visa, MasterCard or through a service provider as an acquirer, it is recommended to have an independent professional security auditor (e.g., CISA certified) review your current ATM and card practices and put together an integrated security review plan.

Because of compliance review similarities, it is usually cost effective to conduct all of the required card and ATM reviews at the same time. Institutions who are processing transactions are urged to contact a QSA (Qualified Security Auditor) or CTGA (Certified TG-3 Auditor) that is aligned with their business and certified by the issuing company (Visa, MasterCard, STAR). If you have a global presence, you should seek an agency that is well known in your business regions in order to attract more business.


Copyright 2012 Accume Partners, All rights reserved. Information contained in this article is not intended to provide specific advice and guidance. You should consult your own professional services provider in connection with matters affecting your own interests.

QUESTIONS AND ANSWERS

1. What is new?

Nothing is really new. ATM network and card security review requirements are typically documented in your contract with your ATM network provider and card agreements.

2. Why am I just hearing about this?

The security review and compliance requirements are outlined by your ATM network and card provider 3-5 years in advance. It is because deadlines are nearing and potential fines are being communicated that awareness is heightened.

3. Why aren’t the examiners and regulators identifying this?

Because the security reviews are contractual obligations and are not government regulated.

4. What contracts/agreements do I need to review?

(a) ATM network provider

(b) All card agreements

5. What should I look for in the agreements?

Statements requiring (periodic) security reviews.

6. Why is it not more specific?

The contract/agreement boilerplate tends to be general in nature and allows the financial institution to offer various products and services. The specific products and services are usually listed for service and billing; however, the security and compliance reviews are usually considered part of the financial institution’s compliance and audit responsibilities and are rarely explicitly listed in a contract/agreement.

7. How do I determine what I need?

You should contact your audit or compliance department to review the products and services being offered and assist you in determining the specific security compliance review requirements.

ABOUT ACCUME PARTNERS

Accume Partners helps financial institutions mitigate risks, enhance the overall control environment, achieve compliance with the latest rules, regulations and pronouncements and improve overall operational efficiency. Our scope of services includes risk management, regulatory compliance, internal audit, Sarbanes-Oxley compliance, FDICIA compliance, board of directors/audit committee briefings, training, information security, pre- and post-system implementation reviews, business continuity planning and process improvement advisory (lending, trust, accounting and finance, branch platform, deposit operations and customer service). Please visit us at accumepartners.com.

For more information on ATM and Card Security, please call or e-mail any of these Accume Partners’ contacts:

Paul Nobbs, Managing Director, NJ Banking & Financial Services Industries, 609.332.7132, [email protected]

Glenn Hoffman, Managing Director, Upstate NY & New [email protected]

Nicole Lloyd, Managing Director, [email protected]

K.D. Mehra, Managing Director, NY [email protected]

Larry [email protected]

Edul [email protected]

Steven Oxenberg, Senior [email protected]

Audrey Magennis, Senior [email protected]