These services are the evaluation of an organization's products or processes against a recognized set of regulations or industry criteria, and can include an informal evaluation against American National X9 or ISO standards. The evaluation service includes providing a gap analysis and recommendations to the organization for the purposes of remediation.

Evaluation and Readiness Check

Evaluation Services


We offer numerous evaluation services. Note that evaluations differ from assessments in that an evaluation report is for the client's eyes only and is not submitted to an authorized organization, whereas an assessment report is submitted to an authorized organization and a copy is provided to the client.

For more information or to acquire our services, please contact us.

TG-3 PIN Security and Key Management

An evaluation of an organization's PIN and key management provides a gap analysis and recommendations to the organization for purposes of remediation. TG-3 evaluations are valuable for determining an organization's readiness for the actual TG-3 assessment.

For further information about TG-3 assessments, see our Compliance Services.

Payment Card Industry

An evaluation of an organization's policies and practices for protecting cardholder data and sensitive authentication data per the PCI standards provides a gap analysis and recommendations to the organization for purposes of remediation. PCI evaluations are valuable for determining an organization's readiness for the actual PCI assessment.

For further information about PCI assessments, see our Compliance Services.

Biometrics

The term "biometrics" is derived from the Greek words "bio" (life) and "metrics" (to measure). Biometrics are the "something you are" authentication factor and include diverse technologies such as fingerprints, iris images, facial recognition, and voice identification. While some biometrics, such as fingerprints, are known for their use by law enforcement since the 1890s, children's palm prints were arguably used for identification in the 14th century. However, the ability to electronically capture, process and match biometric data in real time has only been feasible since the 1990s.

ISO standards and X9 American National Standards define management and security requirements for using and protecting biometric information, including:

  • X9.84 Biometric Information Management and Security
  • ISO 19092 Financial Services – Biometrics – Security Framework

There are also numerous ISO, ANSI and NIST standards defining specific biometric technology algorithms, interfaces and architectures. Biometric technology provides three basic applications:

  • Enrollment is the process to capture the user’s biometric data and register the information into the authentication system. 
  • Authentication is the “one-to-one” process to validate a user’s claimed identity against a specific biometric record.
  • Identification is the “one-to-many” process to determine a user’s identity against a database of biometric records.

Choosing the appropriate biometric technology, product and system integrator is a complicated set of decisions. Designing, developing and deploying the biometric life cycle within a business application is another set of complex problems. Securely managing biometric information during the enrollment, authentication and identification processes can be a daunting challenge.

Public Key Infrastructure

Public Key Infrastructure (PKI) is a security architecture based on asymmetric and symmetric cryptographic solutions. Conventionally, a PKI is viewed as one or more Certification Authorities (CA) issuing public key certificates used for digital signature or key management applications. However, a rudimentary PKI may be only a single server using an outsourced SSL certificate, whereas a complex PKI may include a root CA, subordinate CAs, end users, and PKI-enabled applications.

ISO standards, X9 American National Standards and accounting standards define management and security requirements for operating a PKI, including:

  • X9.57 Public Key Cryptography for the Financial Services Industry: Certificate Management
  • X9.24 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys
  • X9.79 PKI Practices and Policy Framework
  • ISO 15782 Certificate Management for Financial Services – Part 1: Public Key Certificates
  • ISO 21188 PKI Practices and Policy Framework
  • WebTrust for CA

WebTrust for CA is an American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) standard based on the PKI control objectives in X9.79 and ISO 21188. These standards are the mandatory criteria for Microsoft Corporation® and for Statement for Accounting Standards (SAS) No. 70 Service Organizations audits for CA state licensing.

There are also numerous ISO, X9 and NIST standards defining asymmetric and symmetric cryptographic algorithms, parameters, and key management procedures.

Standards

These services are the evaluation of an organization's products and/or processes against American National Standards (ANS) or ISO standards, which include the following:

  • ANS X9.79 Public Key Infrastructure - Policy and Practices Framework
  • ANS X9.84 Biometric Information Management and Security
  • ANS X9.95 Trusted Time Stamp Management and Security
  • ISO 15782 Certificate Management for Financial Services
  • ISO 21188 Public Key Infrastructure (PKI) for Financial Services — Practices and Policy Framework

Our experience includes over 30 years of developing American National Standards and ISO standards, service as current and past working group chairs with the Accredited Standards Committee (ASC) X9 for the Financial Services Industry, former liaison and US expert to ISO Technical Committee 68 Financial Services, and editor of numerous X9 standards.