PIN Security and Key Management Audits
Various audits are required by payment networks and brands to validate proper PIN security and key management practices. These audits include Visa's PIN audit and the TR-39 (TG-3) audit utilized by NYCE, PULSE and STAR. All entities handling PINs or cryptographic keys used in PIN processing must complete a PIN Security and Key Management audit and provide reporting of compliance to the appropriate networks.
Examples of entities required to be assessed against these criteria include payment processors, payment gateways, retail merchants conducting PIN translation, key injection facilities, certificate authorities used by PIN Entry Devices (PEDs) and Encryption Service Providers.
PSC can conduct either of these two audits individually or in concert, delivering a cost-effective and complete PIN security assessment. These assessments are conducted by a Certified TG-3 Assessor (CTGA) and in compliance with the guidelines created by the networks.
The PSC approach is to deliver a comprehensive checklist to the client and then conduct an on-site assessment that includes:
- Review of policies and procedures
- Review of results of procedures
- Observation of procedures being correctly performed
- Inspection of hardware and software used for PIN processing
- Inspection of physical facilities used for PIN processing or key injection
After testing of the control objectives is complete, PSC will produce a detailed gap analysis report if any gaps exist or, for passing entities, completed reports ready for submission to the networks.
All assessments are conducted under PSC's mature compliance framework, which includes industry-accepted sampling methodologies, a meticulous quality assurance process and peer review.
Please contact us for more information.