--When customer-selected PINs and the PIN selection are communicated to the issuer through a paper document, the document should not contain the cardholder's account number.
--The PIN should never be capable of being retrieved or displayed on a terminal anywhere.
--If terminals are used in an issuer's system to enter or change a customer-selected PIN, the transaction should require the use of a currently assigned or previously selected PIN. If the current PIN is unknown, only a limited number of issuer personnel should be allowed to authorize a PIN to be entered or changed, and such an employee's identity shall be part of the record of the transaction.
--All file maintenance to PINs stored in databases should be allowed only under a password security system, and passwords should be changed frequently. Further, operating system logs should be scanned by computer programs to disclose any attempts to subvert the PIN security system.

Usage Guidelines

--The PIN should be entered only by the cardholder and only in an environment that deters casual observation of the entry.
--The PIN should never be transmitted in unencrypted form.
--PIN systems should record the number of unsuccessful PIN entries and should restrict access to a customer's account after a relatively small number (not to exceed six) of unsuccessful entries.

Control and Security Guidelines

--Systems should be designed, tested, and controlled so as to preclude retrieval of stored PINs in any form.
--Programs, program modules, program subroutines, and other software containing formulas, algorithms, or data used to generate, calculate, or encrypt the PIN must be subject to the highest category of security. Printed or microfilm listings of such programs must be controlled and stored with limited and controlled access.
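The following is an added example, not part of this document, showing how three of the guidelines above combine in one PIN verification service: stored PINs are not retrievable in any form (only a salted keyed digest is kept), every unsuccessful entry is counted and the account is restricted after six, and the audit record carries the identity of the employee who authorizes a reset but never a PIN value. HMAC-SHA256 under a secret verification key is an assumption standing in for whatever PIN generation or verification algorithm an issuer actually uses; the account identifiers and the in-memory record store are likewise illustrative.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Guideline: restrict access after a small number of failures, not to exceed six.
MAX_FAILED_ATTEMPTS = 6


@dataclass
class PinRecord:
    """What the issuer stores per account: never the PIN, only a keyed digest."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class PinVerifier:
    """Verifies PINs without ever storing, returning or logging them.

    HMAC-SHA256 under a secret verification key is an ASSUMPTION standing in
    for the issuer's own PIN algorithm; in production the key and the
    comparison would live inside a hardware security module.
    """

    def __init__(self, verification_key: bytes) -> None:
        if len(verification_key) < 16:
            raise ValueError("verification key too short")
        self._key = verification_key
        self._records: dict[str, PinRecord] = {}
        self.audit_log: list[str] = []  # must never contain a PIN value

    def _digest(self, account: str, pin: str, salt: bytes) -> bytes:
        # Bind the digest to the account so equal PINs on different accounts
        # do not produce equal stored values.
        message = salt + account.encode() + b"\x00" + pin.encode()
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def enroll(self, account: str, pin: str) -> None:
        if not (4 <= len(pin) <= 12 and pin.isdigit()):
            raise ValueError("PIN must be 4 to 12 digits")
        salt = secrets.token_bytes(16)
        self._records[account] = PinRecord(salt, self._digest(account, pin, salt))
        self.audit_log.append(f"ENROLL account={account}")

    def verify(self, account: str, pin: str) -> bool:
        record = self._records.get(account)
        if record is None:
            # Same amount of work for unknown accounts so response timing does
            # not reveal which account identifiers exist.
            self._digest(account, pin, b"\x00" * 16)
            self.audit_log.append(f"REJECT account={account} reason=unknown")
            return False
        if record.locked:
            self.audit_log.append(f"REJECT account={account} reason=locked")
            return False
        candidate = self._digest(account, pin, record.salt)
        if hmac.compare_digest(candidate, record.digest):
            record.failed_attempts = 0  # a good entry clears the failure count
            self.audit_log.append(f"ACCEPT account={account}")
            return True
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
            record.locked = True
            self.audit_log.append(
                f"LOCK account={account} failures={record.failed_attempts}")
        else:
            self.audit_log.append(
                f"REJECT account={account} failures={record.failed_attempts}")
        return False

    def failed_attempts(self, account: str) -> int:
        return self._records[account].failed_attempts

    def is_locked(self, account: str) -> bool:
        return self._records[account].locked

    def unlock(self, account: str, authorizing_employee: str) -> None:
        """Reset a restricted account after the cardholder has been
        re-identified. As with a PIN change when the current PIN is unknown,
        the authorizing employee's identity becomes part of the record."""
        record = self._records[account]
        record.locked = False
        record.failed_attempts = 0
        self.audit_log.append(
            f"UNLOCK account={account} authorized_by={authorizing_employee}")
```

Note that nothing in the record store or the audit log can be turned back into a PIN: an operator with full read access to both still has to guess, and the lockout limits guessing to six tries before a named employee must intervene.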
For most retail EFT transactions, the plastic card is

Procurement

The first step is the procurement of plastic cards and

Embossing/

Storage

Mailing

Disposition

not available, financial institutions may wish to make

Once the decision has been made to purchase cards,

If the embossing or encoding or both is to be performed

Card storage procedures for blank cards and for cards

The mailing area where cards are stuffed into envelopes is another sensitive area. The use of batch controls is one method to ensure that all the cards initially disbursed from the storage area end up either in the mail area or are properly disposed of. The return of any cards through the mail should be handled separately and should not be under the control of mail room personnel. Another method is to use a control sequence number on

The ACH concept originated in 1968 with the establishment of the "Special Committee on Paperless Entries" (SCOPE) by the Los Angeles and San Francisco clearing house associations. Later, the ABA established the committee on "Monetary and Payments Systems" (MAPS) to determine the feasibility of using the ACH concept to reduce the volume of paper checks in the clearing process. In 1974 the National Automated Clearing House Association (NACHA) was formed to promote ACHs and establish operating standards and procedures. There are now 38 ACHs in operation. The Federal Reserve System owns and operates 37 ACH facilities. Financial institutions in New York operate their own (NYACH) but use Federal Reserve facilities to deliver and settle their transactions. ACH credit transfers or electronic deposits can be initiated by corporations, government agencies and consumers. A payer instructs his or her financial institution to credit the account of a payee at the payee's financial institution on a specific date. These instructions go to automated clearing houses for delivery of funds to the receiving institution.
Examples of such transactions include payroll, social security and dividend payments. ACH debit transfers or electronic checks can be initiated by consumers, financial institutions and corporations. Payers and payees make prior arrangements to debit the payer's account and credit the payee's account at their respective financial institutions, usually on a periodic basis. Examples of debit transfers include repetitive loan or insurance payments. In conjunction with this type of funds transfer service is a relatively new service known as check truncation or safekeeping. This is the practice of not returning checks to the depository institution on which they were drawn. Instead, information on the checks is electronically captured and transmitted to the drawee institution for processing. The depository institution of first deposit is the usual point of truncation. At present, ACH membership comprises approximately

ATMs are electromechanical machines that are used directly by financial institution customers to deposit, withdraw and transfer funds, as well as to make payments and account balance inquiries. These machines are unattended by financial institution personnel, are usually operable 24 hours a day and can be situated in a myriad of locations. Most ATMs are activated by inserting a plastic card and entering a corresponding PIN. Regardless of the type of transaction effected, a customer receipt and a record of the transaction should be generated. Both the customer record and the financial institution transaction journal should indicate the date, time and location of each transaction made. Each ATM transaction should also be assigned a sequence number so that an adequate audit trail is formed. Depending on the overall computer system and the type of machine purchased, ATMs can operate in either on-line or off-line modes. On-line ATMs are directly connected to the financial institution's central computer by dedicated (leased) lines.
On-line equipment offers the
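The following is an added example, not part of this document, of the check an examiner would run against the ATM transaction journal described above: every record must carry date, time, location and a sequence number, and the sequence numbers assigned by each terminal must be contiguous, since a gap means a transaction exists with no journal record and a duplicate means a record was written twice or replayed. The journal record layout, the terminal identifiers and the sample lines are all constructed for this example; a real journal format would differ.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample journal (not from the document). Assumed layout:
# terminal id | per-terminal sequence number | date | time | location | type | amount
# ATM07 is missing sequence 000103; ATM12 has sequence 000550 twice.
SAMPLE_JOURNAL = """\
ATM07|000101|1985-03-04|08:12:55|MAIN ST BRANCH|WITHDRAWAL|100.00
ATM07|000102|1985-03-04|08:15:10|MAIN ST BRANCH|BALANCE|0.00
ATM07|000104|1985-03-04|08:21:42|MAIN ST BRANCH|DEPOSIT|250.00
ATM12|000550|1985-03-04|09:02:03|AIRPORT LOBBY|WITHDRAWAL|60.00
ATM12|000550|1985-03-04|09:02:03|AIRPORT LOBBY|WITHDRAWAL|60.00
ATM12|000551|1985-03-04|09:05:30|AIRPORT LOBBY|TRANSFER|500.00
"""

# A record is accepted only if every field the guidelines call for is present
# and well formed; a malformed line is itself an audit finding.
LINE_RE = re.compile(
    r"^(\w+)\|(\d{6})\|(\d{4}-\d{2}-\d{2})\|(\d{2}:\d{2}:\d{2})\|([^|]+)\|(\w+)\|(\d+\.\d{2})$"
)


@dataclass(frozen=True)
class JournalEntry:
    terminal: str
    sequence: int
    date: str
    time: str
    location: str
    txn_type: str
    amount: str


def parse_journal(text: str) -> list[JournalEntry]:
    """Parse journal lines, refusing any record that lacks a required field."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: malformed journal record")
        terminal, seq, date, time, location, txn_type, amount = match.groups()
        entries.append(JournalEntry(terminal, int(seq), date, time,
                                    location, txn_type, amount))
    return entries


def audit_sequences(entries: list[JournalEntry]) -> dict[str, dict[str, list[int]]]:
    """Per terminal, report sequence numbers missing from the journal (gaps)
    and sequence numbers that appear more than once (duplicates)."""
    by_terminal: dict[str, list[int]] = defaultdict(list)
    for entry in entries:
        by_terminal[entry.terminal].append(entry.sequence)

    findings = {}
    for terminal, sequences in by_terminal.items():
        seen: set[int] = set()
        duplicates = []
        for seq in sequences:
            if seq in seen:
                duplicates.append(seq)
            seen.add(seq)
        low, high = min(seen), max(seen)
        gaps = [s for s in range(low, high + 1) if s not in seen]
        findings[terminal] = {"gaps": gaps, "duplicates": duplicates}
    return findings


if __name__ == "__main__":
    for terminal, result in audit_sequences(parse_journal(SAMPLE_JOURNAL)).items():
        print(terminal, result)
```

The check only covers the journal the institution controls; reconciling it against the cardholder receipts and the host's posting records is what turns a sequence gap into a finding of a missing or unposted transaction.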