The PCI SSC has released their latest supplement, the ATM Security Guidelines Information Supplement.
The guidelines were developed to provide guidance to ATM manufacturers on how to prevent credit cards from being compromised.
The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals.
“Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.”
The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:
- Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
- Security of basic software to avert magnetic-stripe skimming and PIN stealing
- Device management/operation to ensure adequate management of: ATM during manufacturing, ATM in storage of deployed ATM estates and ATM’s individual security configuration
- ATM application management to address security aspects of the ATM application.
ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents, the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMs for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.
For a link to the full document please use my PCI Resources page here.