Mandatory Debit Card PIN Security Reviews
Practice Development and Social Service Opportunities
By Bruce Sussman, Joel Lanz, and Darlene Kargel
JULY 2006
Debit and ATM cards have become an increasingly popular payment option for U.S. consumers, and merchants benefit significantly from debit cards’ low transaction costs. Debit cards have become so popular that they have now surpassed credit card transaction volume. They have also become favored targets for thieves, who seek to capture or “skim” card information and personal identification numbers (PINs) by circumventing the various electronic, procedural, and physical safeguards that retailers and electronic funds transfer (EFT) networks use to prevent such theft. The retailer and the cardholder are usually the ultimate victims of such frauds. CPAs play a unique role by assisting companies in safeguarding “electronic cash.” The venue for this assistance is the American National Standards Institute’s (ANSI) X9.TG-3-2006, “Guideline for Financial Services TG-3-2006; Retail Financial Services Compliance Guideline, Online PIN Security and Key Management.” Completion of Technical Guideline 3 (TG-3) is required of all EFT network members who facilitate ATM and debit card payments.
Identifying the Market
Both TG-3 and Payment Card Industry (PCI, which is a similar Visa/MasterCard compliance guideline) services require that organizations accepting or processing PINs adhere to rigorous processes for safeguarding consumer information and the related cryptographic systems used to protect the EFT payment system. CPAs who pursue TG-3 and PCI engagements will benefit from the growing replacement of checks and cash with debit cards and other forms of electronic cash. CPAs need to be cognizant of entrance or training requirements before entering this market. Relevant considerations include the following:
- Identifying key marketplace participants;
- Understanding card association and network rules;
- Recognizing the CPA’s responsibility to serve socially useful goals (e.g., reducing electronic crime and increasing public confidence in the electronic-banking system);
- Acquiring technical skills by attending classes to develop a baseline competency and obtaining appropriate experience;
- Properly structuring the engagement letter and report, including using appropriate professional standards;
- Charging and collecting appropriate fees to compensate for the work and related engagement risks; and
- Performing the required procedures.
Key Marketplace Participants
CPAs who offer ATM TG-3 and PCI services must understand the roles of the four categories of marketplace participants.
Banks issue ATM and debit cards to accountholders. The debit cards can be used at ATMs located anywhere in the U.S. and overseas. When used with a PIN, ATM cards trigger EFT network audit requirements (TG-3) of ATM networks and card associations.
Retailers accept ATM and debit cards, which may be used to purchase goods at a variety of retail outlets, including mass merchants, fuel retailers, specialty stores, quick-service restaurants, and mom-and-pop stores. Retailers may also deploy their own ATMs with nationally recognized card trademarks (e.g., NYCE, PULSE, Star, Visa). The ownership of the ATMs may trigger rules that require a TG-3 audit.
Third-party processors acquire and process transactions from point-of-sale (POS) terminals located at retailers and other locations such as ATMs on behalf of banks, credit unions, and retailers. Third-party processors may also install ATMs or POS terminals, or these functions may be outsourced to encryption service organizations (ESO).
EFT networks or card associations typically maintain the infrastructure (including data centers, applications, and host computers) that moves requests for switching transactions from ATM or POS terminals through the telecommunications networks to the issuing banks. They also move funds from the issuing banks to the merchants to “settle” ATM and POS transactions. Most important, EFT networks and card associations enforce security and audit rules governing the conduct of banks, retailers, and third-party processors that participate in the network. The rules provide for potential fines and disconnection from the network for flagrant violations of TG-3– or PCI-based standards.
Understanding Standards
These four types of participants may have contractual or rule-based obligations to file a TG-3 “PIN Security Audit.” Typically, the audits are due every two years. The processor or acquirer member typically files the audit with the network. EFT network rules can be obtained from the EFT network member.
Visa, MasterCard, and Discover issued the PCI standards for entities that process or store personally identifiable data, such as card numbers and names. Part 1 of the PCI standards mimics preexisting TG-3 requirements from regional EFT networks, which stipulate specific information handling and device safeguarding procedures.
Penalties for EFT network members who have not completed the relevant compliance reviews can be significant, from $5,000 initially and $1,000 weekly to potential disconnection.
Most EFT networks place the responsibility for compliance-related losses on the processor and acquiring entity—typically, the retailer and processor who accept the PIN. This creates opportunities for introducing relevant risk-management services.
The compliance review must be completed prior to connecting the retailer and its processor to the EFT network. EFT networks allow non-CPAs to perform the compliance review, but do not specify that the compliance review be performed under any specific assurance, fieldwork, or consulting standard. This latitude may create wide diversity in the scope and reliability of the work product.
Most EFT networks require that auditors attend TG-3 training. This training focuses on the audit implications of the required PIN security and the management of symmetric cryptographic keys as specified in relevant ANSI standards. The training applies controls common to the CPA’s core competence to the retail world of symmetric key management (e.g., segregation of duties, dual control, physical safeguarding of assets, and procedural documentation).
Organizations that accept debit and ATM cards are typically bound by EFT network rules that require compliance with other applicable laws, such as Federal Trade Commission privacy and safeguard rules. Such companies face a rising tide of federal and state legislation mandating privacy safeguards.
The CPA’s Social Responsibility
CPAs have historically served the public interest by helping businesses safeguard assets through assessing the risk of fraud and defalcations due to internal control weaknesses. Performing a TG-3 compliance review is consistent with this responsibility, because businesses will be better equipped to safeguard consumer data gained through the EFT payment cycle and can respond affirmatively to privacy legislation.
To date, 22 states have enacted laws that require consumers to be notified if personal information has been subject to a security breach; another 13 states have proposals for such laws. Although the new laws are similar to California’s SB1386, varying state requirements will likely put pressure on Congress to pass a federal version of SB1386.
Retailers are not immune to legislative pressures. According to a recent study by Deloitte & Touche, “There is a significant portion of the population that is becoming concerned about identity theft, and it is influencing their purchasing decisions.” Similarly, retailers and CPAs have a shared interest in programs that reduce the risks of identity theft, skimmed or stolen customer PINs, and loss of confidential information due to noncompliance with TG-3 and PCI guidelines. Retailers experiencing losses due to electronic crime may pass along increased transaction costs to the consumer, or may decide not to accept debit cards. Risks associated with these outcomes may be mitigated by adhering to TG-3 and PCI standards, by acquiring the requisite technical skills to audit and secure a POS/ATM system, and by properly planning the audit.
Acquiring Requisite Technical Skills
As with any engagement, a CPA must determine whether she possesses the requisite technical skills to perform the engagement. To begin, the CPA should obtain a copy of the TG-3 from the Accredited Standards Committee X9, Inc. The actual standard appears online at the X9 Standards Store (webstore.ansi.org/ansidocstore/dept.asp?dept_id=80), a collaborative effort between the Accredited Standards Committee X9, Inc. (ASC X9) and ANSI to manage the sale and distribution of X9’s U.S. standards, technical guidelines, and other documents.
While much of the foregoing may appear to be technically oriented, one need not be a cryptographer or computer scientist to effectively perform a TG-3 or PCI review. As of this writing, several hundred CPAs nationwide are performing such compliance reviews and very few, if any, are cryptographers. Rather, TG-3 requires CPAs to draw upon well-honed skills and core competencies which, for example, relate to:
- Identifying dual controls;
- Asset inventorying and safeguarding;
- Documenting process flows among acquirers, networks, and retailers;
- Assessing appropriate segregation of duties;
- Observing installation/maintenance procedures of POS terminals and ATM machines;
- Evaluating management controls and procedures;
- Interpreting complex transactions and systems involving multiple participants; and
- Analyzing data for meaningful relationships.
The current TG-3 appears in five sections. Section Four contains control objectives for symmetric key management, while Section Five’s control objectives focus on the management of asymmetric keys used to distribute symmetric keys. Both Sections Four and Five are presented in four subsections. The following describes the four subsections of Section Four, which is more representative of most EFT payment key management schemes today; Section Five represents the genesis of new key management technologies that are available to EFT payment systems but not yet widely implemented.
Section 4.1 addresses general security and controls. CPAs will need to determine whether the environment used for accepting and processing PINs has “physically, logically and procedurally protected access controls or other mechanisms designed to prevent any penetration of the system [that] would result in the disclosure of PINs or cryptographic keys.” CPAs will need to understand physical access safeguards to the PIN entry devices during storage, installation, servicing, and operation. CPAs will also need to design appropriate tests, such as validation, inspection of system documentation, and inquiry of the vendor, to determine that PINs are encrypted immediately and compliantly. This section also addresses the secure handling and destruction of sensitive information and the prevention of unauthorized PIN observation (commonly known as “shoulder surfing”). This section should also prompt CPAs to inquire about the forms in which PINs are stored within the POS or ATM systems. PINs must never exist in clear or humanly recognizable form when outside the required secure hardware, referred to as tamper-resistant security modules (TRSM).
Section 4.2 deals with general security controls applying to the management of TRSMs. CPAs will also need to refer to vendor websites and documentation to determine if the device meets ANSI/network specifications for tamper resistance, a characteristic that causes the ATM or PIN pad to cease functioning or to “zeroize” the PIN and cryptographic keys if physical access is attempted. CPAs will also need to understand controls over the inventory of encryption keys, POS devices, ATMs, and documents accessed during each stage of the life cycle.
Section 4.3 focuses on general cryptographic key management and controls. This section prompts CPAs to walk through how the retailer manages encryption keys (used to encrypt PINs and other encryption keys). CPAs will need to understand how encryption keys are created and entered into the POS and ATM devices and related host systems. An ideal step would be to catalog each type of encryption key in use by function, location, and device type. Once this information is assembled, it may be feasible to sort the data in their encrypted forms (known as cryptograms) to identify duplicate and weak (easily guessed) values.
Section 4.4, “Optional Key Management Procedures,” leads the CPA to evaluate other control objectives that represent industry best practices, whereas the previous three sections’ control objectives specifically cite mandated statements from X9.8 and X9.24. Although this section is labeled “optional,” most EFT networks require it to be completed.
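The cataloging and sorting step described for Section 4.3, as an added example that is not part of the original article: a small Python helper run over a constructed key inventory (device, location, key function, hex-encoded cryptogram) that flags the same cryptogram appearing on more than one device, values on a list of well-known test or default keys, and values built from only a couple of hex digits. The record layout, the weak-value list and the low-variety heuristic are assumptions made for illustration, not anything TG-3 prescribes.

```python
"""Key-inventory audit helper: find duplicate and easily guessed cryptograms."""
from collections import defaultdict

# Constructed list of well-known test/default values; not real production keys.
KNOWN_WEAK = {
    "0123456789ABCDEF",   # classic test-key pattern
    "0000000000000000",
    "FFFFFFFFFFFFFFFF",
}


def is_low_variety(hex_value, max_distinct=2):
    """A value made of only one or two distinct hex digits looks hand-typed, not random."""
    return len(set(hex_value.upper())) <= max_distinct


def audit_key_inventory(records):
    """Return findings keyed by type.

    records: iterable of (device_id, location, key_function, cryptogram_hex).
    duplicate   -> (cryptogram, [device ids]) for any value seen on >1 device
    known_weak  -> (device_id, key_function) for values in KNOWN_WEAK
    low_variety -> (device_id, key_function) for patterned values not already weak
    """
    by_cryptogram = defaultdict(set)
    findings = {"duplicate": [], "known_weak": [], "low_variety": []}
    for device_id, _location, function, cryptogram in records:
        value = cryptogram.upper()          # normalise case before comparing
        by_cryptogram[value].add(device_id)
        if value in KNOWN_WEAK:
            findings["known_weak"].append((device_id, function))
        elif is_low_variety(value):
            findings["low_variety"].append((device_id, function))
    for value, devices in by_cryptogram.items():
        if len(devices) > 1:                # same key material on several devices
            findings["duplicate"].append((value, sorted(devices)))
    return findings


# Constructed sample inventory (single-length hex values, illustrative only).
SAMPLE = [
    ("POS-001", "Store 12", "PEK", "A1B2C3D4E5F60718"),
    ("POS-002", "Store 12", "PEK", "a1b2c3d4e5f60718"),   # same key as POS-001
    ("ATM-010", "Lobby",    "TMK", "0123456789ABCDEF"),   # well-known test value
    ("POS-003", "Store 13", "PEK", "AAAAAAAAAAAAAAAA"),   # patterned value
    ("POS-004", "Store 14", "PEK", "9F3C7E2B4D1A8E05"),
]

if __name__ == "__main__":
    for kind, items in audit_key_inventory(SAMPLE).items():
        print(kind, items)
```

Each flagged item is a lead for inquiry (who loaded the key, under what dual control), not a conclusion on its own.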
Structuring an Engagement
Because TG-3 and PCI use superlative terms such as “all” or “any,” steps should be taken within the engagement letter to limit a CPA’s liability. Using consulting or attest/agreed-upon procedures can address this issue.
Engagements executed under the AICPA standards for agreed-upon procedures should follow these guidelines:
- CPAs should carefully structure the engagement letter to define the out-of-scope areas and the reporting expectations.
- The engagement letter should itemize the procedures to be performed.
- CPAs should indicate that the procedures have been signed off on by the client and the EFT network or card association, and that no other representations will be made regarding the sufficiency of the procedures relating to the report or any other purpose.
- The report should indicate that the CPA confirmed, reviewed, observed, or discussed relevant matters. No other opinion or conclusion should be expressed except those pertaining to the procedures agreed upon by the client and the network.
- CPAs should get a signed management representation letter as to the client’s assertion of “in-full compliance” or “not-in-full compliance” with the EFT network operating rules specifying compliance with TG-3 control objectives.
- The client, not the CPA, should sign any representation or certification letters sent to the network.
Pursuing the Opportunity
As cash-based payments lose market share to debit cards, competition for providing TG-3/PCI services will increase. Non-CPAs have the ability to compete with CPAs, but do not have to adhere to professional sampling, reporting, and field standards. CPAs are already well schooled in the disciplines that add value through a more reliable, comparable work product. Also, TG-3 and PCI reviews help position CPAs for providing consulting services relating to identity theft and electronic loss prevention. CPAs can position these services as promoting consumer safety and economic development, and thereby enhance the CPA’s image as a guardian of the public interest.
CPAs interested in entering this market should consider the following steps:
- Carefully evaluate the advantages and disadvantages of structuring the engagement as advisory, attest, or consultative.
- Prepare specific engagement letters outlining the CPA’s and management’s responsibilities. Management must remain responsible for the assertions and the sufficiency of procedures.
- Anticipate and price the documentation and reporting requirements.
- Identify businesses that accept transactions from credit and debit card associations.
- Identify training costs, and determine if staff have the skill sets to perform the engagement.
- Review card association requirements.
CPAs can communicate this service to new and existing clients as follows:
- Discuss the client’s information technology environment—how the business processes and stores information related to payments.
- Suggest ways in which clients can fulfill their responsibility to card associations and card processors.
- Most important, differentiate the CPA from the non-CPA by emphasizing the value of rigorous sampling, fieldwork, and reporting standards, and the CPA’s ability to view risks on an enterprise-wide basis.
Bruce Sussman, CPA, CISA, CISSP, CBA, is vice president of risk and fraud solutions at NYCE Corporation.
Joel Lanz, CPA, leads a CPA practice focusing on technology risk management and is chair of the NYSSCPA’s Technology Assurance Committee.
Darlene Kargel, CPA, is a principal at DeLap White Caldwell & Croy, LLP, Lake Oswego, Ore., with a focus on PIN security and cryptographic key management compliance for the retail banking industry.