In light of the recent Target and Neiman Marcus credit card data breaches, there has been increased discussion of who bears responsibility for data breaches, and rightfully so. The Target breach alone resulted in the theft of over 40 million debit and credit cards, encrypted PIN data and much more personal data.
The financial responsibility for credit union members fell on the credit unions themselves. With credit unions limited in the control they have over retailers, I thought to myself, “It is important for credit unions to know their responsibilities in what they can control.”
First, it is important to know a little about debit and credit cards. The magnetic stripe on the back contains data that is not encrypted. Therefore, names, primary account numbers and expiration dates are among the information residing “in the clear.” This is why card skimmers are very popular with criminals.
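The cleartext layout described above can be seen by parsing a Track 1 string: no key or decryption step is involved. This is an added example, not part of the original post; it assumes the standard ISO/IEC 7813 Track 1 format, and the sample card data and function names are constructed for illustration.

```python
import re

# Track 1 (format code "B") layout per ISO/IEC 7813:
#   %B<PAN, up to 19 digits>^<NAME, 2-26 chars>^<YYMM><service code><discretionary>?
# The pattern below only accepts PANs of 12-19 digits.
TRACK1 = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

def luhn_ok(pan):
    """Validate the Luhn check digit used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep the first six and last four digits, as a log or receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_track1(raw):
    """Return the cleartext fields of a Track 1 string, or None if malformed."""
    m = TRACK1.search(raw)
    if m is None:
        return None
    surname, _, given = m["name"].partition("/")   # name is SURNAME/GIVEN
    yymm = m["exp"]
    return {
        "pan_masked": mask(m["pan"]),
        "luhn_valid": luhn_ok(m["pan"]),
        "cardholder": (given.strip() + " " + surname.strip()).strip(),
        "expires": "20" + yymm[:2] + "-" + yymm[2:],
        "service_code": m["svc"],
    }

# Constructed sample: a widely used test card number and a fictional name.
SAMPLE = "%B4111111111111111^DOE/JANE^25121010000000000000?"

if __name__ == "__main__":
    print(parse_track1(SAMPLE))
```
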
So what can you do to protect what you can control?
Protect PIN Numbers at ATMs and in Server Rooms
At this time, without EMV (PIN and chip), the only data that is encrypted is the four-digit PIN. PINs are what stand between a criminal on one side of the ATM and the members’ cash on the other. If your credit union owns, operates, or sponsors ATMs, and is a member of the CO-OP, Pulse, STAR and/or NYCE networks, it is imperative for the credit union to ensure a TR-39 PIN audit is conducted. The credit union should check with its network(s) to ensure it complies with the security requirements set forth in the network’s PIN and key management security guidelines. The audits are required every even-numbered year and can be leveraged to ensure proper security is in place at ATMs and within your server room to prevent a compromise of members’ PINs.
Although not all credit unions are required to submit a TR-39 PIN audit, as part of due diligence, the credit union should ensure that one was completed by its third-party processor and that all false findings were addressed.
Perform ATM Physical Reviews
Another popular method of attack to compromise debit and credit card numbers and PINs is ATM skimming. A criminal will place a card skimming device on the ATM that reads and records the magnetic stripe. They will also affix a false attachment, such as a brochure holder or mirror, to the ATM to conceal a pinhole camera. These devices are often detectable by those who are familiar with the ATMs. As a protective measure, credit unions should physically inspect the ATMs for skimming devices and pinhole cameras on a regular basis. Documentation of the review should also be retained.
Educate Your Members
As part of your member education program, make sure to include education about skimmers, safe ATM usage and PIN security.
Stay diligent, and always trust, but verify!
This guest blog post was written by Idrees Rafiq, Jr., AVP IT Consulting at Credit Union Resources, Inc., one of SIGNiX's partners.