ATMIA releases best practices for POS security

ATMIA releases best practices for POS security
Tags: ATM Industry Association (ATMIA), Associations / Conferences, Bank / Credit Union, Components, Debit / Credit, Distributors / ISO / IAD, North America, Other, Prepaid / Stored Value / Gift Card, Security, Transaction Processing
July 4, 2007

LONDON - The ATM Industry Association's Debit Council says it is renewing its push for better security best practices at POS terminals, as criminals continue to compromise cardholder information by targeting out-of-date or improperly configured POS hardware and software.

According to Fair Isaac, more than 90 percent of card and PIN compromises in 2006 took place either inside outdated POS terminals or through improperly configured POS software coupled with poor key management practices.

"All parties in the electronic payments value chain must be vigilant in the protection of our customers' data," said Mike Urban, a member of the Debit Council and Fair Isaac's senior director of fraud solutions. "The compromise of cardholder data is one of the biggest security risks retailers face. States (in the United States) are moving forward with legislation placing liability on merchants who are not appropriately safeguarding cardholder information."

An estimated 20 million POS devices are installed worldwide. The automation of credit and debit card transactions at the point of sale has been growing since the early 1980s.

In response to growing fraud trends, ATMIA has published Best Practices for Protecting the Point of Sale Lifecycle. According to ATMIA, the best-practices manual includes collaboration from both the ATM and POS industries - and represents the first time the two industries have worked together to produce security best practices for the entire POS lifecycle. The lifecycle model defines and addresses eight phases: cardholder security, compliance to existing industry standards, secure deployment of devices, physical security, PIN and encryption security, software security and security during the final de-commissioning process.

"The beauty of the lifecycle model is that it helps security practitioners to identify possible security vulnerabilities throughout the life of each POS device," said Mike Lee, ATMIA's chief executive and founder of ATMIA's Global ATM Security Alliance.

This manual is intended for retailers, POS processors, encryption service organizations, auditors, and security personnel and managers who have responsibility for securing POS installations and for meeting network and PCI requirements.

ATMIA expects to host a Debit Council meeting during its ATM Security in the Americas 2007 conference, which runs from Sept. 11 through Sept. 13, in Las Vegas.

For more information, contact Mike Lee.