
--When customer-selected PINs and the PIN selection are communicated to the issuer through a paper document, the document should not contain the cardholder's account number.

--The PIN should never be capable of being retrieved or displayed on a terminal anywhere.

--If terminals are used in an issuer's system to enter or change a customer-selected PIN, the transaction should require the use of a currently assigned or previously selected PIN. If the current PIN is unknown, only a limited number of issuer personnel should be allowed to authorize a PIN to be entered or changed, and such an employee's identity shall be part of the record of the transaction.

--All file maintenance to PINs stored in data bases should be allowed only under a password security system, and passwords should be changed frequently. Further, operating system logs should be scanned by computer programs to disclose any attempts to subvert the PIN security system.

Usage Guidelines

--The PIN should be entered only by the cardholder and only in an environment that deters casual observation of the entry.

--The PIN should never be transmitted in unencrypted form.

--PIN systems should record the number of unsuccessful PIN entries and should restrict access to a customer's account after a relatively small number (not to exceed six) of unsuccessful entries.

Control and Security Guidelines

--Systems should be designed, tested, and controlled so as to preclude retrieval of stored PINs in any form.

--Programs, program modules, program subroutines, and other software containing formulas, algorithms, or data used to generate, calculate, or encrypt the PIN must be subject to the highest category of security. Printed or microfilm listings of such programs must be controlled and stored with limited and controlled access.
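As an added illustration (not part of the guideline text), the following Python sketch applies the PIN rules above: only a salted digest is stored, so a PIN can never be retrieved or displayed; the PIN never reaches the transaction record; a change requires the current PIN or approval by one of a small set of staff whose identity is recorded; and access is restricted after six unsuccessful entries. The class name, the account identifier and the employee identifier are constructed for the example.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 6          # guideline: "not to exceed six"
AUTHORIZED_STAFF = {"emp-0471"}  # constructed: the few staff who may approve a reset


def _digest(salt, pin):
    # PBKDF2 so the stored value cannot be turned back into the PIN
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinStore:
    def __init__(self):
        self._records = {}  # account -> salt, digest, failures, locked
        self.log = []       # record of each transaction; a PIN never appears here

    def enroll(self, account, pin):
        salt = os.urandom(16)
        self._records[account] = {"salt": salt, "digest": _digest(salt, pin),
                                  "failures": 0, "locked": False}

    def verify(self, account, pin):
        rec = self._records[account]
        if rec["locked"]:
            self.log.append(f"verify account={account} result=locked")
            return False
        ok = hmac.compare_digest(rec["digest"], _digest(rec["salt"], pin))
        rec["failures"] = 0 if ok else rec["failures"] + 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True  # restrict access after six unsuccessful entries
        self.log.append(f"verify account={account} ok={ok} failures={rec['failures']}")
        return ok

    def change_pin(self, account, new_pin, current_pin=None, authorized_by=None):
        # The current PIN is required; if it is unknown, one of the few
        # authorised employees must approve and is named in the record.
        if current_pin is not None:
            if not self.verify(account, current_pin):
                return False
            self.log.append(f"change account={account} by=cardholder")
        elif authorized_by in AUTHORIZED_STAFF:
            self.log.append(f"change account={account} authorized_by={authorized_by}")
        else:
            return False
        self.enroll(account, new_pin)
        return True
```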


For most retail EFT transactions, the plastic card is the major vehicle for the initiation of funds transfers. Card procurement, storage, embossing, encoding, mailing or distribution, and disposition of unissued, spoiled and returned cards are all items which financial institutions must address. The investigation of fraudulent card usage and of lost or stolen cards must also be provided for, as well as the adequate staffing of all positions involved in card production so that adequate separation of duties is possible. The overall physical security of the site should be considered, together with special emphasis toward storage, embossing, and encoding.

Procurement

The first step is the procurement of plastic cards and is normally done through a card manufacturer. A written agreement between the card manufacturer and the financial institution must detail control procedures to be followed and methods of resolution if problems occur with either the cards or with manufacturer personnel. Financial institutions should acquire the latest third party audit report of the manufacturer to ensure a generally controlled atmosphere does exist. If a third party review is not available, financial institutions may wish to make visits to the manufacturer either alone or in conjunction with other users. An investigation should also be conducted concerning the security devices used by the manufacturer in encoding the magnetic information on the card. Card counterfeiters can copy insecure encoding by means known as skimming and buffer recording. Other types of encoding techniques using secure card properties, for example, would be less susceptible to being easily duplicated, since heat and pressure sensitive features would negate any efforts to duplicate the card.

Embossing/Encoding

Once the decision has been made to purchase cards, management must decide if either the embossing or encoding or both will be done off premise. If it is to be done by an outside vendor, similar precautions as detailed for card manufacturers should be considered, including a written agreement and a review of control procedures in effect. The cards produced will be a finished or near finished product, and losses from theft or dishonesty can be most critical.

If the embossing or encoding or both is to be performed on premise, the equipment should be maintained in an extremely secure area which is lockable. No card inventories should be maintained in the immediate vicinity unless properly secured and accounted for by personnel not involved in the embossing or encoding process. It is very important that all cards passing through this area be accounted for, including spoiled cards. Separation and rotation of duties should be practiced as much as practical, and occasional supervisory reviews should be done on a spot check basis.

Storage

Card storage procedures for blank cards and for cards in process should be documented in writing. Dual control should be practiced in most instances, and only a limited working supply of blank cards and cards in process of being embossed/encoded should be allowed out of the dual control atmosphere. Adequate interim storage and accounting must exist for all cards not under dual control.

Mailing

The mailing area where cards are stuffed into envelopes is another sensitive area. The use of batch controls is one method to ensure that all the cards initially disbursed from the storage area end up either in the mail area or are properly disposed of. The return of any cards through the mail should be separately handled and should not be under the control of mail room personnel. Another method is to use a control sequence number on


The ACH concept originated in 1968 with the establishment of the "Special Committee on Paperless Entries" (SCOPE) by the Los Angeles and San Francisco clearing house associations. Later, the ABA established the committee on "Monetary and Payments Systems" (MAPS) to determine the feasibility of using the ACH concept to reduce the volume of paper checks in the clearing process. In 1974 the National Automated Clearing House Association (NACHA) was formed to promote ACHs and establish operating standards and procedures. There are now 38 ACHs in operation. The Federal Reserve System owns and operates 37 ACH facilities. Financial institutions in New York operate their own (NYACH) but use Federal Reserve facilities to deliver and settle their transactions.

ACH credit transfers or electronic deposits can be initiated by corporations, government agencies and consumers. A payer instructs his or her financial institution to credit the account of a payee at his or her financial institution on a specific date. These instructions go to automated clearing houses for delivery of funds to the receiving institution. Examples of such transactions include payroll, social security and dividend payments.

ACH debit transfers or electronic checks can be initiated by consumers, financial institutions and corporations. Payers and payees make prior arrangements to debit the payee's account and credit the payer's account at their respective financial institutions, usually on a periodic basis. Examples of debit transfers include repetitive loan or insurance payments.

In conjunction with this type of funds transfer service is a relatively new service known as check truncation or safekeeping. This is the practice of not returning checks to the depository institution on which they were drawn. Instead, information on the checks is electronically captured and transmitted to the drawee institution for processing. The depository institution of first deposit is the usual point of truncation.

At present, ACH membership is comprised of approximately 13,000 financial institutions and 9,000 private corporations initiating over 15 million items per month. Use of the ACH network diminishes float while the velocity with which checks clear increases. This requires institutions to provide more timely information to and themselves in order to manage funds. The information about a transaction has to match the speed of the transaction in order to be an effective EFT system. The Treasury Department and the Federal Reserve System establish rules for all federal payments. A uniform operating circular describing rules and procedures concerning ACH transaction processing can be obtained from the Federal Reserve Banks.

ATMs are electromechanical machines that are used directly by financial institution customers to deposit, withdraw and transfer funds, as well as to make payments and account balance inquiries. These machines are unattended by financial institution personnel, are usually operable 24 hours a day and can be situated in a myriad of locations.

Most ATMs are activated by inserting a plastic card and entering a corresponding PIN. Regardless of the type of transaction effected, a customer receipt and a record of the transaction should be generated. Both the customer record and the financial institution transaction journal should indicate the date, time and location of each transaction made. Each ATM transaction should also be assigned a sequence number so that an adequate audit trail is formed.
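To show what the audit trail described above lets an examiner check, here is an added Python example (not from the handbook): journal entries carrying date, time, location and a per-ATM sequence number, a check that each ATM's sequence is contiguous and its timestamps do not run backwards, and a reconciliation of customer receipts against the institution's journal. The record layout, the ATM identifiers and the sample entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class JournalEntry:
    atm_id: str
    seq: int        # per-ATM sequence number that forms the audit trail
    when: datetime  # date and time of the transaction
    location: str
    kind: str       # withdrawal, deposit, transfer, payment, inquiry
    amount: int     # cents; 0 for a balance inquiry


def audit_trail(journal):
    """Flag gaps, duplicates and backwards timestamps in each ATM's sequence."""
    findings, by_atm = [], {}
    for e in journal:
        by_atm.setdefault(e.atm_id, []).append(e)
    for atm_id, entries in by_atm.items():
        entries.sort(key=lambda e: e.seq)
        for prev, cur in zip(entries, entries[1:]):
            if cur.seq == prev.seq:
                findings.append(f"{atm_id}: duplicate sequence {cur.seq}")
            elif cur.seq != prev.seq + 1:
                findings.append(f"{atm_id}: gap between {prev.seq} and {cur.seq}")
            if cur.when < prev.when:
                findings.append(f"{atm_id}: seq {cur.seq} dated before seq {prev.seq}")
    return findings


def reconcile(journal, receipts):
    """Match customer receipts (atm_id, seq, amount) against the journal."""
    index = {(e.atm_id, e.seq): e for e in journal}
    problems = []
    for atm_id, seq, amount in receipts:
        e = index.get((atm_id, seq))
        if e is None:
            problems.append(f"receipt {atm_id}/{seq}: no journal entry")
        elif e.amount != amount:
            problems.append(f"receipt {atm_id}/{seq}: amount {amount} != journal {e.amount}")
    return problems


# Constructed sample data: one gap, one replayed entry, one receipt without a journal entry.
T = datetime(1984, 3, 5, 9, 0)
JOURNAL = [
    JournalEntry("ATM-01", 100, T, "Main St", "withdrawal", 4000),
    JournalEntry("ATM-01", 103, T.replace(minute=12), "Main St", "withdrawal", 1000),
    JournalEntry("ATM-02", 7, T, "Mall", "deposit", 5000),
    JournalEntry("ATM-02", 7, T, "Mall", "deposit", 5000),
]
RECEIPTS = [("ATM-01", 100, 4000), ("ATM-01", 102, 2000), ("ATM-01", 103, 1500)]
```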

Depending on the overall computer system and the type of machine purchased, ATMs can operate in either on-line or off-line modes. On-line ATMs are directly connected to the financial institution's central computer by dedicated (leased) lines. On-line equipment offers the
