TR-39 Audit
Definition
Billions of PIN-activated transactions are switched through shared ATM and POS networks each year. Each of these transactions is originated using a debit or credit card together with a Personal Identification Number (PIN). With each interchange transaction, the security of the customer's PIN must rely on the security procedures and controls of the various processing entities and on the use of certified devices such as Host Security Modules (HSMs). The most common standard used to evaluate these organizations is the Technical Guide TR-39 (formerly known as TG-3), developed by ANSI as part of the X9 standards for financial institutions.
Background
TR-39 is a standard that is required of all organizations that accept debit cards. It has many similarities to PCI; however, it is focused solely on the protection of the PIN associated with debit cards. Just like PCI, TR-39 is a contractual standard that is not government regulated.
During the TR-39 audit, if any control weaknesses are noted, the organization is required to document action plans for strengthening them. If an organization fails to implement the remedial plans outlined in the TR-39 audit, the network or networks can fine the organization or even deny it access for not meeting network operating rules. Also, if fraud occurs and your organization has not completed the audit requirements, financial and legal responsibility will be placed more heavily on your organization.