Letter 27: Electronic Funds Transfer System, Night Depositories and PIN Number Security
This Office has received a number of inquiries regarding the circumstances under which a bank may establish a night depository or bag drop facility in conjunction with an electronic funds transfer system terminal. Any bank wishing to offer such a service at an EFTS terminal must receive specific approval for that particular feature from this Office. In order to receive approval the following criteria must be met:
1. The depository must be accessible through the use of a card issued as part of a customer bank communications terminal system which has received approval to operate in Wisconsin.
2. Cards encoded for access to this feature must be available through any bank participating in the system which wishes to offer that service to its customers.
3. Any customer accessing this feature must be able to complete an electronic deposit to the customer's bank and receive a receipt for the deposit.
4. User fees and the procedure for handling the deposit must receive prior approval from this Office.
The operation of a depository facility which does not meet these criteria does not qualify for exemption from the limitations on branching otherwise available to approved EFT system participants.
PIN NUMBER SECURITY
PIN number security is essential if unauthorized access to EFT systems is to be held to a minimum. Banks should review their EFT operating procedures to make certain that:
1. A customer is never asked to write out his or her PIN number to complete any transaction. Where a PIN number is necessary to complete a transaction at an attended terminal, it should be entered directly into the system by the customer using a PIN pad.
2. PIN numbers should never be stored in the clear in a manner readily accessible to bank personnel. Random assignment of PIN numbers and the assignment of a new number in the case of a lost card is preferred. Card issuers who maintain the ability to retrieve PIN numbers are to establish dual control of access to the numbers and review procedures to make certain that PIN numbers are not transferred telephonically between bank personnel. Without these procedures there is no assurance that the PIN number is known only to the customer. A lack of security in this area will make it more difficult to assure that any person making a withdrawal is actually the customer or a person authorized to act on the customer's behalf rather than an employee of the card issuer who has somehow managed to obtain the customer's card and PIN number.
Bkg. Ltr. #27, September 28, 1978, Commissioner Mildenberg