Overview
CastleGarde will provide a TG-3 Audit of the credit union's PIN Security and Key Management practices, performed by a Certified TG-3 Auditor. The "Big Three", STAR / PULSE / NYCE, have set new audit requirements for audits performed in 2008. CastleGarde is required by the ANSI X9 (American National Standards Institute) standards to use the PIN Security Compliance Guideline to ensure a uniform security review.
All entities handling PINs and/or cryptographic keys used to secure PINs must complete a PIN Security Compliance review. Beginning in 2008, the X9 standard requires that this review be performed by a certified external examiner. The audit of each mandatory control objective must be performed every even year beginning in 2008, and a report must be submitted to the required processors by the end of that calendar year.
The mandatory control objectives are based on requirements set forth as follows:
- X9.8 (Banking, Personal Identification Number Management and Security Part 1)
- X9.24-2004 (Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques)
- X9.24-2005 (Retail Financial Services Symmetric Key Management, Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys)
Sections 4.4 and 5.5 of this guideline include additional control objectives related to miscellaneous security issues that are considered best business practices, but are not covered under existing X9 standards. CastleGarde evaluates both the mandatory and optional control objectives for applicability.
CastleGarde, as the organization administering the review, is required to use the form and guidance specified by X9.24-2004. If the credit union uses symmetric keys (as is typical in an ATM network), the review is limited to Part 1 of the guideline.
The X9 guidelines for PIN Security and Key Management apply to all organizations, regardless of size, as a measure of compliance with industry best practices for the safe and secure handling of PINs, security keys, and key management. The same standards are used by entities ranging in size and complexity from a single ATM up to and including international financial concerns with millions of ATMs, point-of-sale devices, and hundreds of branches. The intent of the X9 guidelines is to ensure a common, uniform methodology grounded in proven policies and procedures.
The TG-3 audit measures Compliance Control Objectives in 4 functional areas:
- General Security Procedures Control
- Tamper Resistant Security Module (TRSM) Management Control
- General Key Management Control
- Additional Key Management Procedures
The guidelines detail 39 functional items, called “Steps”, to be reviewed across the 4 functional areas. Most of these Steps contain the text “Documented procedures exist and are followed”. The intent is that the condition being reviewed is common practice in a network-compliant Electronic Funds Transfer (EFT) operation.
The audit requires an onsite review, inspection, and assessment of the processes and procedures the organization uses in support of its PIN Security and Key Management practices. CastleGarde's Certified TG-3 Auditor will determine whether documented procedures exist, whether those documented procedures are being followed in daily practice, and whether they are adequate to ensure compliance with the control objective.
Deliverables
The TG-3 Audit results in a report submitted to the credit union, along with the response forms that the credit union must complete and provide to the STAR / NYCE / PULSE organization as proof that the required audit has been completed.