PCI Security Council drafts ATM guidelines

Source: PCI Security Council

At its North America Community Meeting today the PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), announced it is openly seeking feedback from Participating Organizations on draft ATM security guidelines.

The draft information supplement provides best practices to mitigate the effect of attacks on ATMs aimed at stealing PIN and account data, and is a direct response to stakeholder feedback requesting guidance on ATM security. Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.

PIN and account data present in ATMs have become a growing target for criminals, who use this stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are other avenues of fraudulent card activity.

PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices based on existing standards from a number of industries, including IT, security, payment card and ATM, that stakeholders can leverage in their ATM security efforts.

The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.

As a benefit of involvement in the PCI community, Participating Organizations have the opportunity to provide feedback on the development of PCI Standards and resources. To ensure this resource meets stakeholder needs, the Council is asking Participating Organizations (POs) to review and provide comments on the draft guidelines over the next 60 days via the PO portal.

"We rely on industry feedback to develop PCI Standards and resources," said Bob Russo, general manager, PCI Security Standards Council. "By sharing an early version of the guidelines with the PCI community, we're aiming to ensure these best practices reflect the key challenges and areas of concern when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those who will be applying these guidelines in their everyday business."

The draft guidelines will also be discussed with Participating Organizations and assessors at the PCI Community Meeting in Dublin, Ireland on October 22-24.
