New ATM Security Guidance ExpectedFraud Experts React to Draft Guidance from PCI Council
The Payment Card Industry Security Standards Council plans to issue best-practice guidance for ATM security by year's end. The move is a positive step toward helping ATM deployers as they fight to thwart losses linked to skimming and other ATM-related attacks, card fraud experts say.
But to be most effective, the guidance must include recommendations for improving ATM network security, says Julie McNelley, a banking fraud analyst at financial-services consultancy Aite.
"As ATMs have moved away from the green [static] screens and have a more sophisticated capability set, the network communications have also gotten progressively more complex," McNelley says. "Network security is just as important to secure the ATM channel, but, unfortunately, it's often overlooked, particularly by smaller FIs [financial institutions]."
As a result of that increased complexity, ATM vendors and manufacturers in recent years have built businesses around ATM-management and maintenance outsourcing, McNelley says. Outsourcing enables smaller banks and credit unions to hand over much of their ATM security worries to third parties that specialize in addressing complexities inherent in a Windows operating system environment.
But outsourcing can only go so far, McNelley says.
"The guidance should also include some of the more rudimentary best practices, such as having periodic physical inspections of the ATM and best practices for [encrypting] key updates," she adds. These are factors the ATM deployers themselves must control and oversee, she notes.
Expected Guidance Highlights
To address growing concerns about ATM-related security risks, the council has issued a guidance draft that is now being reviewed by member organizations. The draft includes a list of compromise-prevention measures, based on existing standards gathered from other industries such as IT, security, payment card and ATM. It also includes an introduction to ATM security and outlines best practices for software, hardware and ATM device components.
The review and comment period closes Nov. 13, at which time the council will begin compiling the feedback it's received. The council expects to issue the final version of the ATM Security Guidelines Information Supplement by the end of the year.
So, similar to the guidance just issued for mobile payments security, any best practices issued for ATM security in the ATM Security Guidelines Information Supplement would have to be enforced by separate entities like the card brands or processing networks.
The PCI Council's primary concern is PIN pad security, Russo and Leach say. But the intent is for the final document to be a guide ATM manufacturers, hardware and software integrators, and deployers can follow to ensure they have secure environments for ATM development, deployment and maintenance.
"Most people are doing a lot of this stuff already," Russo says. "It's a matter of doing them consistently and maintaining them on a regular basis."
The draft, which is only accessible to participating members of the council through a secure portal on the council's website, includes information about mitigating risks posed by attacks that aim to steal PIN and account data, which often results when card numbers are compromised via skimming.
Russo says initiatives such as those spearheaded by MasterCard and Visa to move the global payments infrastructure toward chip and PIN technology that complies with the Europay, MasterCard, Visa standard will help reduce losses linked to skimming. But EMV is not a cure-all for card fraud at the ATM, he says.
"This document is focusing on securing various components of the ATM," Russo says. "A lot of risks will be mitigated by EMV, but in a card-not-present environment, EMV is not going to really address the fraud risks. ... EMV is just one piece of the puzzle that is needed to protect card data."
What Experts Say
Skimming is not the only type of attack that's waged against ATMs. According to FICO, which monitors card fraud through the FICO Card Alert Service, SQL injections, common malware attacks waged locally or through remote access portals, and unsecured Internet connections also have led to ATM compromises.
David Albertazzi, an Aite analyst who focuses on retail banking, says now that most ATMs rely on TCP/IP connectivity, rather than dial-up telephone connections, they are vulnerable to the same attacks as other bank networks. "A combination of fraud prevention tools is important in order to mitigate fraud at the ATM," Albertazzi says. "Network fraud prevention tools, device monitoring to combat skimming, as well as transaction monitoring play a key role."
The Windows environment compounds concerns, says John Buzzard, who monitors card fraud for the card alert service.
Buzzard says many of the ATM security issues the PCI Council aims to address with its guidance have been around a while. Windows-based terminals are vulnerable to the same types of attacks PCs have faced for years. "This project is reminiscent of a FICO white paper entitled "PIN Security and Key Management to Prevent Data Breaches" that we released in 2009," he says.
Gathering input from numerous industry sources is a good idea, Buzzard says. "The arbiters of security best practices tend to be the people who work in the field every day. There are so many talented people out there with significant points of view to share, so I hope this initiative is a huge success."
Will guidance be effective at improving ATM security? That depends on how well ATM deployers adopt and implement its recommendations. Other industry groups, such as the ATM Industry Association, also have issued libraries of best practices and security recommendations.
David Tente, who serves as executive director of U.S. operations and membership for ATMIA, says the association has issued best practices that address numerous aspects of ATM security for several years. But additional input is always welcome, he adds.
"ATMIA certainly supports efforts by standards organizations, like PCI, to add to the best practices guidelines available for the ATM industry," Tente says. "Security of all types surrounding the ATM is obviously a crucial concern."
Randy Vanderhoof, executive director of the global Smart Card Alliance, says any best-practice guidance issued by the PCI Council about PIN security, whether linked to the ATM or point of sale, will benefit the entire payments chain.
"Everyone is aware that fraud will migrate to the least secure channels of the payments market as the cards, terminals and networks tighten their security," Vanderhoof says. "Having an opportunity to provide input into new guidelines to improve security at the ATM gives the ATM industry time to look closely at their market for common security practices that can be designed into current and future ATM systems."