Sunday, October 2, 2011

PIN Security and Key Management Control based guidelines

I found this document on PIN Security and Key Management from a controls and audit perspective...
Billions of PIN-activated transactions are switched through shared ATM and POS networks each year. Each of these transactions is originated using a debit or credit card and a Personal Identification Number (PIN). With each interchange transaction, the security of the customer's PIN is under the control of as many as eight or more processing entities. The financial institution that issues the card must rely on the security procedures and controls of the acquiring entities, with which the card issuer may not have any business relationship.
The number of interchange transactions is increasing, as is the number of organizations processing them (merchants, merchant processors, financial institution processors, third-party processors, and switches). As the number of organizations involved in processing interchange transactions increases, so does the risk to financial institutions from ineffective or inadequate security systems and procedures at the acquiring or intermediary systems.
Regional and national interchange networks generally mandate security requirements in their operating rules and procedures. Historically, reviewing security procedures and systems for compliance with the network operating rules was left to the network member or processor. Because technical expertise in the area of EFT security can vary greatly between and within organizations, the depth of such reviews can vary greatly as well. In order to standardize the process for reviewing security processes and procedures, and to eliminate unnecessary redundant compliance documents throughout the industry, this PIN Security Compliance Guideline has been developed.