TRAINING DETAILS

Core “TR39 Pin Security and Key Management” Training (3 Days)

Pre-Requisite: None
Day 1 Agenda

  • Introduction to historic data encryption algorithms
  • Emergence of modern encryption algorithms; e.g. DES, 3DES and Public Key Cryptography
  • Application of DES, 3DES and Public Key algorithms to retail PIN debit operations
  • Present various key management schemes used in ATM and POS PIN debit transactions
  • Overview of encryption Keys used in ATM transactions
  • Overview of encryption Keys used in POS transactions
  • Logical structure of data flow in transactions originating from ATM and POS Terminals
  • Logical structure and transaction data flow between an acquirer (i.e. Financial institution or Merchant) and EFT networks
  • Review of X9.8 standard on Retail Banking PIN Management
  • Review X9.24 standard on Retail Banking Key Management
  • Overview of PIN required controls
  • Overview of compliance and management of cryptographic devices; i.e. ATMs, PEDs and Host Security Modules, throughout their lifecycle
  • Risks and threats in compromise of the keys used to protect ATM/POS transactions
  • Class Exercise
  • Questions-Answers

Day 2 Agenda

  • Management of encryption Keys throughout their entire lifecycle, covering:
    • Key Generation,
    • Key Distribution,
    • Key Usage,
    • Key Loading,
    • Key Storage, and
    • Key Destruction.
  • Roles and Responsibilities of Key Management team (principles of Dual Custody and Split Knowledge) as used in Key Management
  • Management of cryptographic devices used in ATM/POS environments, throughout their entire lifecycle.
  • Written procedures and logs
  • Review of all the controls in section 4 of the TR-39 PIN Security & Key Management audit guideline
  • Class Exercise
  • Questions-Answers

Day 3 Agenda

  • Present use of asymmetric (Public-Private Key) cryptography; i.e. RSA, ECC and Diffie-Hellman in PIN debit transactions (not overly technical)
  • Implementation of Public-Private Key infrastructure (PKI) in ATMs/POS for ‘Remote Key Loading’.
  • Use of digital certificates and/or signatures used to provide for integrity and authenticity of Keys transferred to facilitate remote Key loading.
  • Review all the controls in section 5 of the TR-39 PIN Security & Key Management audit guideline
  • Questions-Answers
  • Optional: Network CTGA Exam (Please note this exam is mandatory for auditors performing TR39 audits for Pulse and STAR EFT network members)

Please Note: The exam is issued by and will be submitted to the networks for grading. It may take the network Grader up to 4 weeks to announce the results.

Refresher “TR39 Pin Security and Key Management” Training (1.5 days)

Pre-Requisite: Core TR39 Training Course
Day 1 Agenda

  • Review management of encryption Keys throughout their entire lifecycle, covering:
    • Key Generation,
    • Key Distribution,
    • Key Usage,
    • Key Loading,
    • Key Storage, and
    • Key Destruction.
  • Roles and Responsibilities of Key Management team (principles of Dual Custody and Split Knowledge) as used in Key Management
  • Management of cryptographic devices used in ATM/POS environments, throughout their entire lifecycle.
  • Written procedures and logs
  • Review of all the controls in section 4 of the TR-39 PIN Security & Key Management audit guideline
  • Class Exercise
  • Questions-Answers

Day 2 Agenda

  • Review use of asymmetric (Public-Private Key) cryptography; i.e. RSA, ECC and Diffie-Hellman in PIN debit transactions (not overly technical)
  • Review implementation of Public-Private Key infrastructure (PKI) in ATMs/POS for ‘Remote Key Loading’.
  • Use of digital certificates and/or signatures to provide for authenticity and integrity of Keys used to remotely load the initial Keys
  • Review all the controls in section 5 of the TR-39 PIN Security and Key Management audit guideline
  • Questions-Answers

Optional: Network CTGA Exam (Please note, if you have taken this exam in the past and have received your CTGA certificate there is no need to take it again.)

PCI SSC PIN Security and Key Management, version 2.0 Standard Technical set (3 Days)

Pre-Requisite: None
Please note: The standard technical set is relevant to processors and acquirers of PIN debit transactions who are members of the Visa network.

Day 1 Agenda

  • Review use of data encryption in PIN debit transactions
    • Discuss various implementations of data encryption (using symmetric; i.e. DES or AES)
    • Discuss use of encryption Keys and written details regarding each key
    • Discuss lifecycle of encryption Keys
    • Written procedures and logs
  • Detailed review of the following topics:
    • PIN security requirements
    • Cryptographic device management (Host Security Module or HSMs)
    • POI device management (PinPad or PED)
    • Team/Personnel management
    • Physical controls
    • Logical controls
    • Procedural controls
    • Logs
  • Class Exercise
  • Questions-Answers

Day 2 Agenda

  • Covering the PCI PIN review controls #1 through #16, addressing all of the following topics:
    • Functional compliance
    • Device compliance
    • Procedural requirements
    • Physical controls
    • Personnel controls
    • Logs & other types of evidence of compliance (electronic, manual)
  • Cover various fieldwork for each control and how to evaluate or prove compliance.
  • Class Exercise
  • Questions-Answers

Day 3 Agenda

  • Covering the PCI PIN review controls #17 through #33, addressing all of the following topics:
    • Functional compliance
    • Device compliance
    • Procedural requirements
    • Physical controls
    • Personnel controls
    • Logs & other types of evidence of compliance (electronic, manual)
  • Cover various fieldwork for each control and how to evaluate or prove compliance.
  • Class Exercise
  • Questions-Answers

PCI SSC PIN Security: Normative Annex A Training (1 day)

Prerequisite recommendation: Core 3 day technical PCI PIN training or relevant industry experience with PKI.
Please note: This topic is most relevant to designers/vendors/implementers of devices; e.g. PEDs, that support remote key loading.

Agenda

  • Discuss general design and implementation of asymmetric cryptography in remote loading of DES Keys into PinPads (POS or ATMs)
    • Use of RSA, ECC and Diffie-Hellman algorithms (not overly technical).
    • Role of Certificate Authorities in providing “Authentication of Public Keys”
    • Role of Digital Signatures in providing “Integrity and Authentication messages containing
  • Discuss the structural and operational setup of a Certification Authority (CA)
  • Certificate issuance process
  • Management of CA related devices; i.e. HSMs and users’ access to CA HSMs
  • Logs of CA activities
  • Detailed review of the following topics:
    • Review of all requirements listed in Section A1
    • Review of all requirements listed in Section A2
  • Class Exercise
  • Questions-Answers

PCI SSC PIN Security: Normative Annex B Training (1.5 days)

Prerequisite: None.
Please note: This section is relevant to third party agents and service providers who perform onsite (not remote) key related services; i.e. Key Loading Facilities or KLFs (aka ESOs).

Day 1 Agenda

  • Present the general cryptographic key management schemes to be used by a Key injection facility covering:
    • DUKPT (the most common scheme)
    • Master-Session Key
    • Fixed Key
  • Present cryptographic device compliance, covering the following:
    • Compliance of Key loading devices (KLDs)
    • Compliance of PIN Entry Devices (aka PEDs or PinPads) being loaded with Keys
    • Inventory management requirements
    • Lifecycle management of all devices (KLDs and PEDs)
  • Present the general structural requirements of a compliant Key injection facility covering the following:
    • Physical security controls; i.e. Alarms, Locks, Cameras, etc.
    • Physical structure of the “Secured Key Loading” site
    • Management of alarms, locks and other monitoring controls
    • Team/Personnel management
  • Present the requirements for the personnel involved in various key activities, covering the following:
    • Designation of team members and granting them access rights to handle cryptographic
    • Revocation of access rights for team members involved with cryptographic keys
    • Management of alarms, locks and other monitoring controls
    • Team/Personnel management
  • Discuss the specific requirements for all Key and device related Logs
  • Class Exercise
  • Questions-Answers

Day 2 Agenda

  • Review and discuss the intent of all of the controls in the Annex B.
  • Questions-Answers

REGISTRATION

Registration inquiries about the courses are to be done by directly emailing Azie@eSmartSolutions.org. Registration needs to be done at least 4 weeks in advance of the course date either by filling in the “Registration Form” and emailing it to us or just sending an email to register for a course.

CTGA Exam

The two EFT networks of PULSE and STAR require all auditors who perform audits of their processing members to take and pass the CTGA exam. This exam is created and graded by the networks’ grader. Auditors who take this exam and receive a passing grade will receive the CTGA (Certified Technical Guideline #3 Auditor) certificate from the two networks. Please note this is a 4 hour long exam and it is closed book.

ON-SITE Trainings

On-site training sessions are offered for those who prefer different dates than the published schedules or prefer private onsite sessions for their team. If interested in that option, please contact us and we will provide you with the information you need to schedule an onsite training.

FEES

Fee for the full 3 day “Core” TR-39 Training course is $1400. Please note that this fee is just for the training. For those who wish to take the “CTGA” certification exam as well, there is an additional fee of $300.

Fee for the 1.5 day “Refresher” TR-39 Training course is $700. Please note that for those who wish to take the certification exam, there is an additional fee of $300.
Fee for just taking the TR-39 “Certification exam” (CTGA) by itself is $450.
Fee for the 3 Day “PCI SSC PIN Security & Key Management Audit Review” course is $1400.
Fee for the 1 Day “PCI SSC PIN Security & Key Management, Normative Annex A” is $500.
Fee for the 1.5 Day “PCI SSC PIN Security & Key Management, Normative Annex B” is $800.

PAYMENT for each course can be made with either a company or personal check or with a credit card. The payment is due at the time of registration and at least 4 weeks prior to the start date of the training session.

CANCELLATION and REFUND Policy: cancellation up to 3 weeks in advance of the scheduled course will result in a full refund or credit to attend another training. Cancellation less than 3 weeks and no later than one week before the training will result in half of the training fee being deducted, or full credit given to attend another training. Any cancellation with less than 1 week’s notice will result in the entire fee being forfeited, or full credit will be given to attend another training.

Training Schedules