
ATM ISOs work through PCI maze

ISOs argue the rules are cloudy and complex.

July 1, 2008 by Tracy Kitten — Editor, AMC

Gary Wollenhaupt is a regular contributor to ATM Marketplace.
 
News of the Citibank ATM-server hack, which allegedly gave fraudsters access to numerous PINs and millions in cash, has led to renewed discussions about ATM-processing and software security.
 
Encrypting transactions, preventing card skimming, and ensuring that independent ATM ownership can be traced and tracked have been top-of-mind for ATM deployers for the last 24 months.
 
And the compliance and quality-assurance belt continues to tighten.
 
Just as deployers come down from the scramble to migrate ATM PIN encryption to Triple DES, they're faced with the seemingly daunting task of complying with a new set of security requirements compiled under the umbrella of the Payment Card Industry Data Security Standard.
 
The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is the overarching standard used by the five major payment-card brands — Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB. The standard is designed to ensure consumers' account and card information is protected wherever it is stored, processed or transmitted across payment channels, including the POS and ATM.
 
The standard got a lot of attention in late 2006, when news of the TJX Companies Inc. breach made headlines throughout the world.
 
TJX Companies, based in Framingham, Mass., is the parent of well-known retailers T.J. Maxx and Marshalls. The breach, reportedly the result of outdated, non-PCI-compliant POS software, led to the compromise of millions of customer accounts and called into question the effectiveness of the card industry's effort to push PCI DSS compliance throughout the retail community.
 
Now the standard is likely to get renewed attention, experts say, since the recent Citibank compromise involves an ATM server, not a POS system.

But the problem, some say, is that enforcement of the standard hasn't always been very standard, and it's not always clear what body is responsible for enforcing compliance.
 
ISOs and the security fold
 
For independent sales organizations, compliance is overseen by sponsoring financial institutions, says John Del Guidice, chief executive of ThoughtKey Inc., a security assessor and consultant that specializes in PCI.
 
Since ISOs are considered by Visa, for instance, as "third-party agents," PCI DSS-compliance audits are conducted by sponsoring FIs and then provided to the card networks, he says.
 
To process transactions on Visa's Plus network, "agents" are required to attend PIN-security training every three years — part of an enhanced Plus PIN security program implemented by Visa. And ATM processors, as agents, also must comply with the same requirement.
 
The standard applies to all merchants and service providers that store, process or transmit cardholder data.
 
"Basically, that includes any entity that supports transactions with cards of the brands involved with the PCI Security Standards Council," said Chris A. Mark, president and one of the founders of The Aegenis Group Inc., a security consulting firm.
 
Where the compliance process gets murky, however, is in how "agents" are defined, since validation requirements for all agents are not equal.
 
The card brands, not the PCI council itself, categorize agents into levels based on the number of transactions they handle per year, and different degrees of validation are stipulated for each level.
 
Those with the highest transaction volumes must undergo an annual on-site assessment by a third party called a "Qualified Security Assessor" (QSA). A list of approved assessors is published on the PCI council's Web site.
 
But agents that fall below the high-transaction-volume threshold are allowed to validate with a self-assessment questionnaire instead.
 
That sort of auditing breakdown, some say, has led to a lot of gaps in the PCI DSS-compliance system, making enforcement shoddy at best.
 
 
But enforcement hasn't been as lax as one might think.
 
In fact, some industry insiders say independent processors and deployers are getting drilled more diligently than their larger FI counterparts. And because sponsoring FIs are charged with overseeing the auditing process, they could be holding others more accountable than they hold themselves.
 
Marilyn Kilcrease, the president of Temecula, Calif.-based Creative Card Solutions LLC, a company that assists FIs and ISOs with compliance issues, says the industry should brace itself for more scrutiny, since the card companies "have to be concerned about where there's greater financial risk."
 
And the card companies are likely to focus more attention on smaller, independent players.

"They will ask themselves, 'Does an ISO have the capital resources to withstand a major breach?' she said. "Probably not. So that's where they are putting their attention."
 
If an ISO inadvertently captures card data on its own systems as a transaction is being processed, that data could be exposed if the ISO is not PCI compliant, Kilcrease says.
 
"If an ISO has that information, they should delete it because that keeps them from being a target," said Kendall Harsch, vice president with Meta Payment Systems, a sponsoring bank for ISOs in the United States.
 
That's something ISOs know, says ThoughtKey's Del Guidice, but may need help complying with.

And while smaller industry players, such as ISOs, may feel as if they're under sharper scrutiny, Del Guidice says it's all part of the card brands' mission to improve security throughout the industry.
 
"The associations are raising the level of compliance in the industry overall," he said. "All of us are trying to make it more secure for the cardholders."
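Kilcrease and Harsch make the point that card data an ISO never meant to keep can end up on its own hosts, and that the fix is to find it and delete it. Finding it is the part that needs tooling. The following is an added example, not code from the article or from any company it quotes: a small scanner that looks for primary account numbers in text (here a few constructed log lines using published test card numbers, not real accounts), filters the candidates with the Luhn check to discard number-like noise such as batch references, and reports each hit with the PAN masked to the first six and last four digits, the most that PCI DSS permits to be displayed. File names, field names and the sample lines are all assumptions made for the example.

```python
import re

# Constructed sample: lines an ISO's processing host might have logged or
# written to disk by mistake. Card numbers are well-known test numbers.
SAMPLE_LINES = [
    "2008-06-30 14:02:11 txn=1001 term=ATM0042 pan=4111111111111111 amt=60.00",
    "2008-06-30 14:02:13 txn=1002 term=ATM0042 pan=411111******1111 amt=20.00",
    "2008-06-30 14:05:40 txn=1003 term=ATM0017 pan=5500000000000004 amt=100.00",
    "2008-06-30 14:06:02 ref=1234567890123456 note=settlement batch id",
    "2008-06-30 14:07:55 txn=1004 term=ATM0017 track2=4111111111111111=12121011000012345",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a
# longer digit run.  The lookarounds keep us from matching the tail of a
# longer number such as a track-2 discretionary field.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every real PAN passes; most random digit runs do not, so this is a cheap
    way to throw out reference numbers and timestamps the regex picks up.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN to first six / last four, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line):
    """Return the full (unmasked) Luhn-valid PANs found in one line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(lines):
    """Scan lines and return (line_number, masked_pan) for every finding.

    Only the masked form is returned so a findings report does not itself
    become another copy of cardholder data.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for line_no, masked in scan(SAMPLE_LINES):
        print(f"line {line_no}: possible PAN {masked}")
```

Line 2 of the sample is already masked and produces no finding; line 4 is a 16-digit batch reference that the regex catches but the Luhn check rejects; line 5 shows a full track-2 record, where the discretionary data after the "=" is not mistaken for a second card number. Luhn validity is a filter, not proof, so hits still need a human to confirm before the files are deleted or the logging that produced them is changed.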
 
©2025 Networld Media Group, LLC. All rights reserved.