© 2019 RSM US LLP. All rights reserved.
VISA PIN/TR-39 Audit
Organizations can harden personal identification number (PIN) security by testing controls for cryptographic equipment, key encryption and key management.
Organizations that handle personal identification numbers (PINs), or the cryptographic keys used to protect them during PIN processing, must have the security of these processes audited. Failing an audit can jeopardize your organization's ability to process debit card transactions. A VISA PIN/technical report 39 (TR-39) audit covers point of sale (POS) and ATM operations at banks, credit unions, processors, merchants and encryption support organizations (ESOs).
Multiple entities, including independent sales organizations, merchant services and other facilitators, are involved in the processing of interchange transactions that utilize PINs. This can result in different procedures for handling PINs, along with varying levels of security.
The VISA PIN Security Compliance Guideline standardizes a security review of these processes. The guideline specifically applies to organizations that encrypt PINs using the triple data encryption algorithm (TDEA), as used in POS and ATM transactions and elsewhere. Organizations that acquire or process transactions containing PINs should ensure compliance with this guideline.
RSM's VISA PIN/TR-39 audit process validates that your policies and procedures for PIN encryption and key management comply with the VISA PIN and/or TR-39 requirements. During the audit, noncompliant areas are identified so you can take corrective action. This helps safeguard the debit and ATM PINs that pass through your systems, protecting your customers' finances and privacy.
RSM’s approach to a VISA PIN/TR-39 audit includes the following steps:
- Review documented procedures for key management
- Audit key loading facilities
- Analyze data related to encryption techniques