We have a stock of ATM cards and PINs in sealed envelopes. They are associated with an account when a customer opens a new account. They are useless until they are associated with an account. We store the cards and PINs in the vault. FFIEC says that PINs and cards should be under the control of different people. Well, what's the down side? What could happen if we leave them in the vault where the same person could get both the card and the PIN? It makes it easier to service the new customer. These cards and PINs aren't active any way.

What do we really have to do? What regs should apply in this situation?

Thanks,
RJ

Regulation E could apply.

Let's paint a scenario in which a single employee with access to both a card and its PIN gets his hands on a card-cloning device. He makes up one or more card copies, and depends on a customer's failure to change a bank-assigned PIN.

As soon as one of the cards that he copies is issued, he uses the clone (assuming the PIN hasn't changed) to steal from the customer (of course the bank eats this under Regulation E). And if the card happens to be a signature-debit card too, it could work even without the PIN.

Hummm. OK. But the PINs are in sealed envelopes. The employee doctors that up too?

Just playing devils advocate.

RJ