Debit Card PIN Security Reviews
Practice Development and Social Service
Bruce Sussman, Joel Lanz, and Darlene Kargel
- Debit and ATM cards have become an increasingly popular
payment option for U.S. consumers, and merchants benefit significantly
from debit cards’ low transaction costs. Debit cards
have become so popular that they have now surpassed credit
card transation volume. They have also become favored targets
for thieves, who seek to capture or “skim” card
information and personal identification numbers (PIN) by circumventing
various electronic, procedural, and physical safeguards that
retailers and electronic funds transfer (EFT) networks use
to prevent such theft. The retailer and the cardholder are
usually the ultimate victims of such frauds.
play a unique role by assisting companies in safeguarding
“electronic cash.” The venue for this assistance
is the American National Standards Institute’s (ANSI)
X9.TG-3-2006, “Guideline for Financial Services TG-3-2006;
Retail Financial Services Compliance Guideline, Online PIN
Security and Key Management.” Completion of Technical
Guideline 3 (TG-3) is required by all EFT network members
who facilitate ATM and debit card payments.
the Market Both TG-3 and Payment Card
(PCI, which is a similar Visa/MasterCard compliance guideline)
services require that organizations accepting or processing
PINs adhere to rigorous processes for safeguarding consumer
information and the related cryptographic systems used to
protect the EFT payment system. CPAs who pursue TG-3 and
PCI engagements will benefit from the growing replacement
of checks and cash with debit cards and other forms of electronic
cash. CPAs need to be cognizant of entrance or training
requirements before entering this market. Relevant considerations
include the following:
Identifying key marketplace participants;
Understanding card association and network rules;
Recognizing the CPA’s responsibility to serve socially
useful goals (e.g., reducing electronic crime and increasing
public confidence in the electronic-banking system);
Acquiring technical skills by attending classes to develop
a baseline competency and obtaining appropriate experience;
Properly structuring the engagement letter and report,
including using appropriate professional standards;
Charging and collecting appropriate fees to compensate
for the work and related engagement risks; and
Performing the required procedures.
who offer ATM TG-3 and PCI services must understand the
roles of the four categories of marketplace participants.
issue ATM and debit cards to accountholders. The debit cards
can be used at ATMs located anywhere in the U.S. and overseas.
When used with a PIN, ATM cards trigger EFT network audit
requirements (TG-3) of ATM networks and card associations.
accept ATM and debit cards, which may be used
to purchase goods at a variety of retail outlets, including
mass merchants, fuel retailers, specialty stores, quick-service
restaurants, and mom-and-pop stores. Retailers may also
deploy their own ATMs with nationally recognized card trademarks
(e.g., NYCE, PULSE, Star, Visa). The ownership of the ATMs
may trigger rules that may require a TG-3 audit.
processors acquire and process transactions
from point-of-sale (POS) terminals located at retailers
and other locations such as ATMs on behalf of banks, credit
unions, and retailers. Third-party processors may also install
ATMs or POS terminals, or these functions may be outsourced
to encryption service organizations (ESO).
networks or card associations typically maintain
the infrastructure (including data centers, applications,
host computers) that move requests for switching transactions
from ATM or POS terminals through the telecommunications
networks to the issuing banks. They also move funds from
the issuing banks to the merchants to “settle”
ATM and POS transactions. Most important, EFT networks and
card associations enforce security and audit rules governing
the conduct of banks, retailers, and third-party processors
that participate in the network. The rules provide for potential
fines and disconnection from the network for flagrant violations
of TG-3– or PCI-based standards.
four types of participants may have contractual or rule-based
obligations to file a TG-3 “PIN Security Audit.”
Typically, the audits are due every two years. The processor
or acquirer member typically files the audit with the network.
EFT network rules can be obtained from the EFT network member.
MasterCard, and Discover issued the PCI standards for entities
that process or store personally identifiable data, such
as card numbers and names. Part 1 of the PCI standards mimics
preexisting TG-3 requirements from regional EFT networks,
which stipulate specific information handling and device
for EFT network members who have not completed the relevant
compliance reviews can be significant, from $5,000 initially
and $1,000 weekly to potential disconnection.
EFT networks place the responsibility for compliance-related
losses on the processor and acquiring entity—typically,
the retailer and processor who accept the PIN. This creates
opportunities for introducing relevant risk-management services.
compliance review must be completed prior to connecting
the retailer and its processor to the EFT network. EFT networks
allow non-CPAs to perform the compliance review, but do
not specify that the compliance review be performed under
any specific assurance, fieldwork, or consulting standard.
This latitude may create wide diversity in the scope and
reliability of the work product.
EFT networks require that auditors attend TG-3 training.
This training focuses on the audit implications of the required
PIN security and the management of symmetric cryptographic
keys as specified in relevant ANSI standards. The training
applies controls common to the CPA’s core competence
to the retail world of symmetric key management (e.g., segregation
of duties, dual control, physical safeguard of assets, and
that accept debit and ATM cards are typically bound by EFT
network rules that require compliance with other applicable
laws, such as Federal Trade Commission privacy and safeguard
rules. Such companies face a rising tide of federal and
state legislation mandating privacy safeguards.
CPA’s Social Responsibility
have historically served the public interest through helping
businesses safeguard assets by assessing the risk of fraud
and defalcations due to internal control weaknesses. Performing
a TG-3 compliance review is consistent with this responsibility,
because businesses will be better equipped to safeguard
consumer data gained through the EFT payment cycle and can
respond affirmatively to privacy legislation.
date, 22 states have enacted laws that require consumers
to be notified if personal information has been subject
to a security breach; another 13 states have proposals for
such laws. Although the new laws are similar to California’s
SB1386, varying state requirements will likely put pressure
on Congress to pass a federal version of SB1386.
are not immune to legislative pressures. According to a
recent study by Deloitte & Touche, “There is a
significant portion of the population that is becoming concerned
about identity theft, and it is influencing their purchasing
decisions.” Similarly, retailers and CPAs have a shared
interest in programs that reduce the risks of identify theft,
skimmed or stolen customer PINs, and loss of confidential
information due to noncompliance with TG-3 and PCI guidelines.
Retailers experiencing losses due to electronic crime may
pass along increased transaction costs to the consumer,
or may decide to not accept debit cards. Risks associated
with these outcomes may be mitigated by adhering to TG-3
and PCI standards, by acquiring the requisite technical
skills to audit and secure a POS/ATM system, and by properly
planning the audit.
Requisite Technical Skills
with any engagement, a CPA must determine whether she possesses
the requisite technical skills to perform the engagement.
To begin, the CPA should obtain a copy of the TG-3 from
the Accredited Standards Committee X9, Inc. The actual standard
appears online at the X9 Standards Store (webstore.ansi.org/ansidocstore/dept.asp?dept_id=80),
a collaborative effort between the Accredited Standards
Committee X9, Inc. (ASC X9) and ANSI to manage the sale
and distribution of X9’s U.S. standards, technical
guidelines, and other documents.
much of the foregoing may appear to be technically oriented,
one need not be a cryptographer or computer scientist to
effectively perform a TG-3 or PCI review. As of this writing,
several hundred CPAs nationwide are performing such compliance
reviews and very few, if any, are cryptographers. Rather,
TG-3 requires CPAs to draw upon well-honed skills and core
competencies which, for example, relate to:
Identifying dual controls;
Asset inventorying and safeguarding;
Documenting process flows among acquirers, networks, and
Assessing appropriate segregation of duties;
Observing installation/maintenance procedures of POS terminals
and ATM machines;
Evaluating management controls and procedures;
Interpreting complex transactions and systems involving
multiple participants; and
Analyzing data for meaningful relationships.
current TG-3 appears in five sections. Section Four contains
control objectives for symmetric key management, while Section
Five control objectives focus on the management of asymmetric
keys used to distribute symmetric keys. Both sections Four
and Five are presented in four subsections. The following
describes the four subsections for Section Four (which is
more representative of most EFT payment key management schemes
today), whereas Section Five represents the genesis of new
key management technologies available to the EFT payment
but not yet widely implemented.
4.1 addresses general security and controls. CPAs will need
to determine whether the environment used for accepting
and processing PINs has “physically, logically and
procedurally protected access controls or other mechanisms
designed to prevent any penetration of the system [that]
would result in the disclosure of PINs or cryptographic
keys.” CPAs will need to understand physical access
safeguards to the PIN entry devices during storage, installation,
servicing, and operation. CPAs will also need to design
appropriate tests, such as validation, inspection of system
documentation, and inquiry of the vendor, to determine that
PINs are encrypted immediately and compliantly. This section
also addresses the secure handling and destruction of sensitive
information and the prevention of unauthorized PIN observation
(commonly known as “shoulder surfing”). This
section should also prompt CPAs to inquire about the forms
in which PINs are stored within the POS or ATM systems.
PINs must never exist in clear or humanly recognizable form
when outside the required secure hardware, referred to as
tamper-resistant security modules (TRSM).
4.2 deals with general security controls applying to the
management of TRSMs. CPAs will also need to refer to vendor
websites and documentation to determine if the device meets
ANSI/network specifications for tamper resistance, a characteristic
that causes the ATM or PIN pad to cease functioning or to
“zeroize” the PIN and cryptographic keys if
physical access is attempted. CPAs will also need to understand
controls over the inventory of encryption keys, POS devices,
ATMs, and documents accessed during each stage of the life
4.3 focuses on general cryptographic key management and
controls. This section prompts CPAs to walk through how
the retailer manages encryption keys (used to encrypt PINs
and other encryption keys). CPAs will need to understand
how encryption keys are created and entered into the POS
and ATM devices and related host systems. An ideal step
would be to catalog each type of encryption key in use by
function, location, and device type. Once this information
is assembled, it may be feasible to sort the data in their
encrypted forms (known as cryptograms) to identify duplicate
and weak (easily guessed) values.
4.4, “Optional Key Management Procedures,” leads
the CPA to evaluate other control objectives that represent
industry best practices, whereas the previous three sections’
control objectives specifically cite mandated statements
from X9.8 and X9.24. Although this section is labeled “optional,”
most EFT networks require it to be completed.
TG-3 and PCI use superlative terms such as “all”
or “any,” steps should be taken within the engagement
letter to limit a CPA’s liability. Using consulting
or attest/agreed-upon procedures can address this issue.
executed under the AICPA standards for agreed-upon procedures
should follow the following guidelines:
CPAs should carefully structure the engagement letter
to carefully define the out-of-scope area and to report
The engagement letter should itemize the procedures to
CPAs should indicate that the procedures have been signed
off on by the client and the EFT network or card association,
and that no other representations will be made regarding
the sufficiency of the procedures relating to the report
or any other purpose.
The report should indicate that the CPA confirmed, reviewed,
observed, or discussed relevant matters. No other opinion
or conclusion should be expressed except those pertaining
to the procedures agreed upon by the client and the network.
CPAs should get a signed management representation letter
as to the client’s assertion of “in-full compliance”
or “not-in-full compliance” with the EFT network
operating rules specifying compliance with TG-3 control
The client, not the CPA, should sign any representation
or certification letters sent to the network.
cash-based payments lose market share to debit cards, competition
for providing TG-3/PCI services will increase. Non-CPAs
have the ability to compete with CPAs, but do not have to
adhere to professional sampling, reporting, and field standards.
CPAs are already well schooled in the disciplines that add
value through a more reliable, comparable work product.
Also, TG-3 and PCI reviews help position CPAs for providing
consulting services relating to identity theft and electronic
loss prevention. CPAs can position these services as promoting
consumer safety and economic development, and thereby enhance
the CPA’s image as a guardian of the public interest.
interested in entering this market should consider the following
Carefully evaluate the advantages and disadvantages of
structuring the engagement as advisory, attest, or consultative.
Prepare specific engagement letters outlining the CPA’s
and management’s responsibilities. Management must
remain responsible for the assertions and the sufficiency
Anticipate and price the documentation and reporting requirements.
Identify businesses that accept transactions from credit
and debit card associations.
training costs, and determine if staff have the skill
sets to perform the engagement.
Review card association requirements.
can communicate this service to new and existing clients
Discuss the client’s information technology environment—how
the business processes and stores information related
Suggest ways in which clients can fulfill their responsibility
to card associations and card processors.
Most important, differentiate the CPA from the non-CPA
by emphasizing the value of rigorous sampling, fieldwork,
and reporting standards, and the CPA’s ability to
view risks on an enterprise-wide basis.
Sussman, CPA, CISA, CISSP, CBA, is vice president
of risk and fraud solutions at NYCE Corporation.
Joel Lanz, CPA, leads a CPA practice focusing
on technology risk management and is chair of the NYSSCPA’s
Technology Assurance Committee.
Darlene Kargel, CPA, is a principal at DeLap
White Caldwell & Croy, LLP, Lake Oswego, Ore., with a
focus on PIN security and cryptographic key management compliance
for the retail banking industry.