TG-3 (TR-39) PIN Security Certification



ControlCase offers a number of Information Security (IS) consulting services focused on the security, integrity, availability and confidentiality of sensitive data. Our clients include large and small financial institutions, merchants, POS key loading facilities, credit card issuers, etc.

We offer the following services:

  • Perform diagnostic reviews of financial services operations focused on PIN-based debit/ATM transactions in preparation for TG-3 (TR-39) PIN Security and PCI PIN Compliance audits.
  • Provide remediation plans and corrective actions following TG-3/TR-39 PIN Security and/or PCI PIN Compliance audits. This may include writing "Key Management & PIN Security Policies and Procedures", training the relevant teams to follow proper procedures, and implementing required controls, based on ANSI standards and industry best practices.
  • Develop general enterprise policies and procedures; i.e. "Security Policies and Practices" based on the ISO 27001 (formerly known as ISO 17799 or BS 7799) standard.
  • Assist with developing security controls within financial transaction processing environments that would offer data confidentiality, authenticity, integrity and non-repudiation in all the processing and exchanges involved.
  • Provide assistance in implementing various cryptographic algorithms such as DES/3DES, public key algorithms such as RSA or Elliptic Curve Cryptography (ECC), or a combination of these, as needed for different applications.
  • Evaluate proper implementations of Public Key Infrastructure (PKI) based operations, e.g. Digital Certificate Authority operations and ecommerce services. Provide gap analysis and guidance on issues and improvements.


ControlCase performs a variety of Information Technology (IT) audits for Banks, Point of Sale operations, Merchants, Encryption Service organizations (ESOs), Independent Service Organizations (ISOs), Key Loading/Injection Facilities, Credit Card services and so on, as follows:

  • TG-3 (recently renamed TR-39) audit of ATM operations in banks and credit unions, as required of all their members by the Star, NYCE and Pulse EFT networks.
  • TG-3/TR-39 audit of debit POS transactions for merchants, as required by the Star, NYCE and Pulse EFT networks. Subsections of the TG-3/TR-39 audit that apply to ISO, ESO and KLD facilities, as required by the members of EFT networks.
  • PCI PIN Security Audits (aka Visa and MasterCard's PIN Security audits) of PIN debit transactions for financial institutions, merchants, and vendors.
  • General enterprise data security audits per ISO 27001 (formerly known as BS 7799) audit guideline.
  • ACH audit of all financial institutions that are either RDFI or ODFI or both, per NACHA's guidelines.