<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Feedback requested from PCI community on best practices to help prevent card data compromise at ATMs</title>
	<atom:link href="http://brianpennington.co.uk/2012/09/15/feedback-requested-from-pci-community-on-best-practices-to-help-prevent-card-data-compromise-at-atms/feed/" rel="self" type="application/rss+xml" />
	<link>http://brianpennington.co.uk/2012/09/15/feedback-requested-from-pci-community-on-best-practices-to-help-prevent-card-data-compromise-at-atms/</link>
	<description>A blog about IT Security &#38; Compliance</description>
	<lastBuildDate>Tue, 21 May 2013 17:02:09 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Sally M. Graham</title>
		<link>http://brianpennington.co.uk/2012/09/15/feedback-requested-from-pci-community-on-best-practices-to-help-prevent-card-data-compromise-at-atms/#comment-3471</link>
		<dc:creator><![CDATA[Sally M. Graham]]></dc:creator>
		<pubDate>Sun, 16 Sep 2012 20:55:56 +0000</pubDate>
		<guid isPermaLink="false">http://brianpennington.co.uk/?p=2720#comment-3471</guid>
<description><![CDATA[The most important point is to always manage the encryption keys in dual control with unique keys per ATM and unique keys per transaction. If the ATM is serviced by outside vendors, there must be two separate vendor entities that each have half of the key if the key needs to be injected into the ATM. Contracts with ATM servicing vendors must have a provision for penalties if the vendor compromises the key. Remember that vendors that inject the key into the ATM also have the ability to capture and record all ATM traffic. The ATM captures track 2 card data in the clear and the only data element that is encrypted in the transaction is the PIN. The track 2 data contains the card number, expiration date, type of card and all security codes such as CVV, PVV and PIN Offset that validate the card. If this card is a debit/credit card, then the fraudster has all the information to create that card from the track 2 data and use the card as a credit card where the card is present. There has been talk about encrypting the entire ATM message as it travels through the networks, but it is considered too slow. Also, a way to inject keys into ATMs using smart cards would improve ATM security immensely and would lower the cost of vendor support because only one vendor would be needed for ATM key injection.

A financial institution should keep a separate fraud database that can track fraud back to the point of compromise and group compromised cards together. This will help law enforcement and should lead to reissue of the compromised cards so the customers are forced to create a new PIN to minimize losses. Financial institutions should also use neural networks or statistical modeling to identify changes in customer patterns or transaction patterns that match known fraud patterns to minimize fraud losses.]]></description>
<content:encoded><![CDATA[<p>The most important point is to always manage the encryption keys in dual control with unique keys per ATM and unique keys per transaction. If the ATM is serviced by outside vendors, there must be two separate vendor entities that each have half of the key if the key needs to be injected into the ATM. Contracts with ATM servicing vendors must have a provision for penalties if the vendor compromises the key. Remember that vendors that inject the key into the ATM also have the ability to capture and record all ATM traffic. The ATM captures track 2 card data in the clear and the only data element that is encrypted in the transaction is the PIN. The track 2 data contains the card number, expiration date, type of card and all security codes such as CVV, PVV and PIN Offset that validate the card. If this card is a debit/credit card, then the fraudster has all the information to create that card from the track 2 data and use the card as a credit card where the card is present. There has been talk about encrypting the entire ATM message as it travels through the networks, but it is considered too slow. Also, a way to inject keys into ATMs using smart cards would improve ATM security immensely and would lower the cost of vendor support because only one vendor would be needed for ATM key injection.</p>
<p>A financial institution should keep a separate fraud database that can track fraud back to the point of compromise and group compromised cards together. This will help law enforcement and should lead to reissue of the compromised cards so the customers are forced to create a new PIN to minimize losses. Financial institutions should also use neural networks or statistical modeling to identify changes in customer patterns or transaction patterns that match known fraud patterns to minimize fraud losses.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
