Visa Announces 2009 PIN Security and Key Management Training Series

Three-day Visa PIN Security Auditor’s Workshop
Visa is offering a series of one-day Key Management Trainings as well as a three-day Visa PIN Security Compliance Validation Training that will provide up-to-date information on the secure management of cryptographic keys used in ATMs, Point-of-Sale (POS) PIN pads, Encrypting PIN Pads and hardware security modules. These sessions are for staff involved in the management or operation of devices that accept PINs and for personnel who need practical knowledge about the elements of Data Encryption Standard (DES) cryptography and the management of secret encryption keys. In addition to the material covered in the one-day Key Management Training, the three-day PIN Security Compliance Validation Training offers an in-depth review of the Payment Card Industry (“PCI”) PIN Security Requirements, providing internal and external assessors with the tools necessary to complete a PCI PIN security compliance review. Payment system participants that focus on the issuer side of key management are also encouraged to attend either of these training opportunities to gain a better understanding of proper key management.

Visa One-Day Key Management Training

Throughout 2009, Visa’s one-day Key Management Trainings will be held on February 10, April 15 and October 7. These Visa Key Management Trainings will review proper key management techniques for Triple Data Encryption Standard (TDES) cryptography. Visa clients and their agents – including merchants, Independent Sales Organizations (ISOs), processors, Third-Party Agents (TPS) and Encryption and Support Organizations (ESOs) – are encouraged to enroll personnel involved with the management, deployment and / or operation of ATMs or POS PIN-Entry devices (PEDs) that accept cardholder PINs. This training is also encouraged for staff requiring practical knowledge of the elements of DES cryptography, approved key management methodologies and the secure management of secret encryption keys, as well as information security specialists responsible for ensuring compliance with the PCI PIN Security Requirements. Visa will provide updates to the PCI PED testing program, Visa’s global TDES mandates and new PCI Unattended Payment Terminal and PCI Hardware Security Module Requirements.

Training Topics

The one-day Key Management Training covers the following topics:

• Visa’s Global PIN Security and Key Management program
• TDES requirements – hardware versus usage
• Triple DES versus single DES
• PCI PED testing program and Visa requirements
• Trust model for PIN-based transactions
• Key management methodologies
• Evolving threat environment
• Cryptographic key life cycle
• Operational best practices
• Compliance measurement techniques
• Remote key distribution (asymmetric / manual)

Visa One-Day Key Management Training Dates and Locations:

REGISTRATION FORM

Visa PIN Security Compliance Validation Training
The three-day Visa PIN Security Compliance Validation Training will be held May 19 - 21, 2009 in Miami, Florida. This training will include the same topics covered in the one-day Key Management Training, as well as information on current and future threats and an in-depth review of the 32 PCI PIIN Security Requirements. This training also covers the PCI requirements for Remote Key Establishment and Distribution using the asymmetric techniques described in the PCI PIN Security Normative Annex A.

During this course, teams will complete an in-depth case study, enabling participants to put the information to immediate practical use. Discussions among team members will add further value to this interactive seminar.

Training Topics

In addition to the topics covered in the one-day Key Management Training, the three-day Visa PIN Security Compliance Validation Training will include:

• Current and future threats
• Detailed review of each of the 32 PCI PIN Security Requirements
• Overcoming barriers to compliance
• Case studies
• Methods for remote key distribution using asymmetric keys

Three-Day Visa PIN Security Compliance Validation Training Dates and Location:

REGISTRATION FORM

PLUS Education Requirements for Clients and Agents

Clients are reminded that PLUS ISOs, ESOs, TPAs and staff from sponsoring financial institutions are required to attend a Visa Key Management Training at least once every three years. These training requirements were initially announce in March 2004; sponsoring PLUS acquirers are reminded that the first three-year cycle ended on April 20, 2007. All Plus agents registered after March 1, 2004, will have three years from the date of registering with Visa to complete this mandatory PLUS training requirement.

These training requirements were enacted to ensure that PLUS acquires and their agents have the necessary skills to properly safeguard PIN data. Acquirers are encouraged to share these training requirements with their PLUS agents to ensure their ongoing compliance. For more information on this requirement, please refer to the article “New Educational Requirements for PLUS ATM Network Third-Party Agents and Sponsors,” published in the March 2004 Visa Business Review.

One-Day Key Management Workshop to Be Held at ATMIA Conference

To help acquirers and agents comply with PLUS educational requirements, Visa will again be holding a one-day Visa Key Management Workshop session in conjunction with the 2009 ATM Industry Association (ATMIA) Conference in Nashville, Tennessee. The Visa Key Management Workshop will be held on Tuesday, February 10, 2009, with the ATMIA Conference beginning on Wednesday, February 11, 2009. Acquirers and agents are urged to take advantage of this convenient training opportunity by registering early with Visa.

How to Register

To register to attend either the one-day Key Management Training or the three-day Visa PIN Security Compliance Validation Training, please complete and return the attached registration form. For faster processing, fax the registration form to (650) 432-2548. Early registration is encouraged, as enrollment is limited. A waiting list will be maintained once the maximum class size is reached.

Confirmation of enrollment will be sent prior to the seminar date. We recommend that you do not make any nonrefundable travel arrangements until your Training enrollment has been confirmed.

The cost to attend the one-day Visa Key Management Training is $595 per person. The cost to attend the three-day PIN Security Compliance Validation Training is $1,785.

Continuing Professional Education Credit

Completion of either course entitles participants to obtain Continuing Professional Education (“CPE”) credit. In accordance with the standards of the National Registry for CPE Sponsors, CPE credits are granted based on a 50-minute hour. Completion of the one-day Visa Key Management Training entitles participants to obtain eight CPE credits. Completion of the three-day Visa PIN Security Compliance Validation Training entitles participants to obtain 24 CPE credits.

Visa is registered with the National Association of State Boards of Accountancy (“NASBA”) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be addressed to the National Registry of CPE Sponsors, 150 Fourth Avenue North, Suite 700, Nashville, TN, 37219-2417. Web site: www.nasba.org. National Registry Sponsor #107970. Sponsored by: Visa Inc., P.O. Box 8999, San Francisco, California 94128-8999.

For more information, please visit http://www.visa.com/pinsecurity. Questions about this bulletin may be directed to pinusa@visa.com.

REGISTRATION FORM