The PCI SSC is seeking feedback from Participating Organizations (POs) on draft ATM security guidelines. The draft information supplement provides best practices to mitigate the effect of attacks to ATMs aimed at stealing PIN and account data, a direct response to stakeholder feedback for guidance on ATM security.
Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.
PIN and account data present in ATMs has become a growing target for criminals who use this stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are also other avenues of fraudulent card activity.
PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices based on existing standards from a number of industries, including IT, security, payment card and ATM that stakeholders can leverage in their ATM security efforts.
The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.
We rely on industry feedback to develop PCI Standards and resources, said Bob Russo, general manager, PCI Security Standards Council. By sharing an early version of the guidelines with the PCI community, we re aiming to ensure these best practices reflect the key challenges and areas of concerns when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those will be applying these guidelines in their everyday business.
.
Brian Pennington 
16/09/2012 at 9:55 pm
The most important point is to always manage the encryption keys in dual control with unique keys per ATM and unique keys per transaction. If the ATM is serviced by outside vendors, there must be two separate vendor entities that each have half of the key if the key needs to be injected into the ATM. Contracts with ATM servicing vendors must have a provision for penalties if the vendor compromises the key. Remember that vendors that inject the key into the ATM also have the ability to capture and record all ATM traffic. The ATM captures track 2 card data in the clear and the only data element that is encrypted in the transaction is the PIN. The track 2 data contains the card number, expiration date, type of card and all security codes such as CVV, PVV and Pin Offset that validate the card. If this card is a debit/credit card, then the fraudster has all the information to create that card from the track 2 data and use the card as a credit card where the card is present. There has been talk about encrypting the entire ATM message as it travels though the networks, but it is considered too slow. Also, a way to inject keys into ATMs using smart cards would improve ATM security immensely and would lower the cost of vendor support because only one vendor would be needed for ATM key injection.
A financial institution should keep a separate fraud database that can track fraud back to the point of compromise and group compromised cards together. This will help law enforcement and should lead to reissue of the compromised cards so the customers are forced to create a new PIN to minimize loses. Financial institutions should also use neural networks or statistical modeling to identify changes in customer patterns or transaction patterns that match known fraud patterns to minimize fraud losses.
LikeLike