Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

ATM

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released their latest supplement, the ATM Security Guidelines Information Supplement. 

The guidelines were developed to provide guidance to ATM manufacturers on how to prevent credit cards from being compromised. 

The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. 

Also see Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals  

Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of: ATM during manufacturing, ATM in storage of deployed ATM estates and ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMS for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.

.

PCI SSC’s insights on mobile, encryption and payment security following the North American community meeting

After the sixth annual North American Community Meeting in Orlando, Florida which was attended by over 1,000 stakeholders representing 460 organizations from 17 countries to discuss the PCI SSC summaries the key discussion topics as: –

  • Feedback on the standards in preparation for the release of the next version of the PCI DSS and PA-DSS in 2013
  • New guidance on secure mobile payment acceptance application development
  • Updates to the Council’s Point-to-Point Encryption (P2PE) program
  • Newly released guidelines for ATM security
  • The Council’s new training programs and professional qualifications
  • Updates from PCI Special Interest Groups on cloud, eCommerce and risk assessment

“The Community Meetings play an important part in bringing together PCI stakeholders to discuss the latest payment card security efforts, and we’re encouraged to see the continued growth of interest and participation in this initiative,” said Bob Russo, general manager, PCI Security Standards Council. “Gaining the feedback from our Participating Organizations is absolutely vital for us to develop new guidance on key topics such as mobile payment acceptance and ATM security, as well as in the on-going improvement of the PCI Standards. The input and discussion at this year’s meetings are especially important as we look to introduce the next version of the PCI Standards in 2013.”

“It is important for us to meet face-to-face with our stakeholders, not only to update them on the most recent developments, but also to have one-on-one interactions and personal conversations on the issues that matter most to them,” said Jeremy King, European director, PCI Security Standards Council. “We look forward to seeing more of our global counterparts in Dublin for the European Community Meeting on October 22-24, 2012.”

See you in Dublin next month.

Feedback requested from PCI community on best practices to help prevent card data compromise at ATMs

The PCI SSC is seeking feedback from Participating Organizations (POs) on draft ATM security guidelines. The draft information supplement provides best practices to mitigate the effect of attacks to ATMs aimed at stealing PIN and account data, a direct response to stakeholder feedback for guidance on ATM security.

Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.

PIN and account data present in ATMs has become a growing target for criminals who use this stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are also other avenues of fraudulent card activity.

PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices based on existing standards from a number of industries, including IT, security, payment card and ATM that stakeholders can leverage in their ATM security efforts.

The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.

We rely on industry feedback to develop PCI Standards and resources, said Bob Russo, general manager, PCI Security Standards Council. By sharing an early version of the guidelines with the PCI community, we re aiming to ensure these best practices reflect the key challenges and areas of concerns when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those will be applying these guidelines in their everyday business.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: