Image Image Image Image Image Image Image Image Image

TR-39 & PCI SSC PIN Security & Key Management Compliance Training

Accommodations Course Brochure CLASS SCHEDULE REGISTER

CPE Logo 3 - Copy

Meet Your Instructors

Darlene M. Kargel

Darlene Kargel is a CPA and auditor for Delap with over 40 years of accounting and computer application experience. Ms. Kargel has performed Network Security Compliance Reviews since 1992 for ATM and POS transactions. Clients include banks, processors, merchant processors, certificate authorities and key injection facilities in the USA and internationally.

Ms. Kargel is vice chairperson of the ANSI X9F6 Working Group and a US Expert to ISO TC68 SC2 WG13, and holds the following certifications: CPA, CITP, CGMA, CTGA.


David Buchanan

David Buchanan has over 10 years of extensive experience in information technology (IT) systems across multiple industries, including healthcare, banking, and retail payments. David leads Delap’s PCI DSS and SOC reporting practices, providing domestic and international clients with information security services including risk assessments, internal control reviews, network security analysis, and information security consutling.

Mr. Buchanan holds the following certifications: CPA, QSA, CEH, CCNA * Security, CTGA, PCIP, AWS-ASA.

Other Services:

  • ANSI TR-39 and PCI PIN Security Consulting and Training
  • Network required ANSI TR-39 and PCI PIN (v2.0) Security Compliance Reviews
  • PCI DSS Assessments
  • Symmetric and PKI Consulting for Retail Banking Industry
  • SSAE 16
  • IT Security Audits and Consulting
  • Network Vulnerability and Penetration Testing

TR-39: Core Class

This instructor lead, 4-day training course is designed to provide both internal and external auditors with the necessary tools to complete the NYCE Payments Network, LLC, PULSE ®, and STAR® Network compliance reviews.

4-Day Core Class (CPE 32 credits)

Level- Basic: no prerequisites or additional preparation required

4-Day Core Course Contents:

Day One:

  • Processor and Auditor Responsibilities
  • Compliance Review Objectives
  • Network Respondent Forms
  • Symmetric Key Management Introduction
  • Key Names and Hierarchy
  • Cryptogram Notation
  • Diagram of PIN Transaction Flow
  • PIN Translation
  • Characteristics of TRSMs
  • Group Project

Day Two:

  • Cardholder Authentication Methods
  • PIN Block Formats
  • Exclusive-or
  • Introduction to Symmetric Key Life Cycle, Including:
  • Key Check Values
  • Single-Length vs. Double-Length Keys
  • Single DES vs. Triple DES
  • Approved Key Methodologies
  • Asymmetric Keys for Distributing Symmetric Keys – high level
  • Group Project

Day Three:

  • Review and obtain and Understanding of Each Control Objective in ANSI X9-TR-39 Current Version, Section 4
  • Techniques for Measuring Compliance
  • Group Project

Day Four:

  • Compliance Review Field Work Activities
  • General Key Management Documentation
  • Reporting the Findings


A passing grade is required for all auditors performing a TR-39 review at the processor level, for PULSE and STAR participants only. Auditors receiving a passing grade will also receive the CTGA designation. Examination criteria and relevant information will be provided through each network’s normal communication methods. Exam time allowance is 4 hours (8:00 AM to 12:00 PM). Delap will offer 3 opportunities in 2016 to sit for the exam.

Once you have passed the exam, there is no need to retake it, but you will need to take a refresher class every 24 months.

Note: Please allow the network 5-8 weeks to provide exam results.

‘Refresher’ Classes

A refresher class is required every 24 months. We offer group live refresher classes described below:

3-Day Symmetric Key Review and Updates, ANSI/ISO/Network Updates, Introduction to EMV, E2E, and Payment Tokenization Class (CPE 24 credits)

Level – Intermediate: prerequisites – 4-Day core class; 2-Day Asymmetric Class.

Day One:

  • Updates on relevant ANSI standards and network operating rules
  • Review and obtain an understanding of each control objective in the ANSI X9/TR-39 2009, Section 4
  • Group Projects:
    • Analysis of reports/application to TR-39 Section 4
    • Analysis of various work papers/application to TR-39 Section 4

Day Two:

  • Chip Card Technology
    • Concepts of contact chip cards for ATM and POS
    • Introduction to EMV Specifications documents
    • On line and off line PIN transactions
    • Tokenization for payment and storage of PAN data
    • Card emulation (CE) and associated emerging payment forms
    • PAN and sensitive data security
    • Key management
  • E2E (End-To-End Encryption)/P2PE (Point-To-Point Encryption)
    • Concepts of Encrypting Sensitive Data for Transport and Storage
    • Update on the ANSI Standard X9.119
    • Sensitive Data Security
    • Key Management
    • Group Projects
      • Lab
      • Diagram EMV transactions

Day Three:

  • Payment Tokenization
    • Card Emulation (CE)
    • Host Card Emulation – Device
    • Host Card Emulation – Cloud
    • Registration and Transaction Flow
    • Group Project


2-Day Asymmetric; Remote Key Class (CPE 16 credits*):

Level – Intermediate: prerequisite – 4-Day core class, no additional preparation required.

Day One:

  • Concepts of Public Key Infrastructure (PKI)
  • Remote symmetric key distribution using asymmetric methods described in ANSI X9.24, part 2 for:
    • ATM key loading
    • POS key loading
    • HSM key loading
    • ‘Proxy Host’ solutions

Day Two:

  • Obtain an understanding of each control objective in the ANSI TR-39 current version, Section 5

Class Times – All Classes, unless noted otherwise:

  • Daily: 8:00 AM to 4:30 PM
    • Break times: Morning and afternoon; 10 minutes each
    • Lunch: Daily- 11:30 AM to 12:30 PM (1 hour)

To View the complete TR-39 & PCI SSC Compliance Course Brochure Click here:
(Course Brochure pdf)

These Courses have been approved by NYCE Payments Network, LLC, PULSE ®, and STAR® Network for auditors to complete the ANSI X9/TR-39-2009 Compliance Review.