In the past, ATM vendors didn't pay much attention to the PIN pad. That's all changed, however, due to increased concerns over PIN security and the approaching deadlines to make ATMs capable of running Triple DES encryption.
June 5, 2003
The ATM PIN pad has been a perennial also-ran in the peripheral popularity contest.
Vendors have tinkered with screens to entice users, making them larger and adding color and touch capabilities. They've modified dispensers and card readers, both to cut their costs and to adapt to industry trends such as merchant cash replenishment in the retail ATM world.
With the PIN pad, however, the prevailing sentiment seemed to be "who cares?"
Turns out everyone does in 2003, thanks to increased concerns over PIN security and the approaching deadlines to make all ATMs capable of running Triple DES encryption.
Moving the module
A key change for the industry was positioning the TRSM, the tamper resistant security module where encryption occurs, directly behind the PIN pad. Until recently, the module was usually located in the ATM vault and connected to the PIN pad via a cable.
MasterCard, which has led the move toward Triple DES, requires ATMs to be capable of processing Triple DES "at the point of interaction." The industry widely interpreted this terminology to mean the PIN pad. (See related story: Triple DES dare you)
At roughly the same time the industry was grappling with MasterCard's Triple DES specifications and deadlines, an Eastern European crime ring was able to obtain PIN data from placing electronic devices inside of ATMs. (See related story: Skim scam man)
Beth Lynn, senior vice president for the Star network, said the case served as a wake-up call to the industry. "No one in the industry ever thought the bad guys would get inside the ATM," she said.
"In the past, the ATM itself was considered a TRSM," agreed Dean Stewart, Diebold's director of product development. "Now the industry is getting used to the idea that access is not quite as limited as it used to be. The keypad is a logical point of entry."
A pad by any other name
Most vendors call the new keypad/TRSM combination an EPP (encrypting PIN pad).
Triton called its PIN pad a SPED (secure PIN entry device) but changed it to EPP earlier this year to avoid confusion, said Bill Jackson, the manufacturer's chief technology officer. Mike Hudson, Tidel's executive vice president, said Tidel's PIN pad is a TREPP (tamper resistant encrypting PIN pad).
Self destructive tendencies
Another change was ensuring that the module would destroy encryption keys or other PIN data stored within it if anyone tried to tamper with it.
Two sets of standards created by working committees of ANSI (American National Standards Institute) and ISO (International Standards Organization) specify the requirements for a TRSM. The standards are similar though not identical, said Lynn, a member of the committee that created the ANSI standard.
According to the ANSI standard, a TRSM must have "physical characteristics that inhibit the determination of any secret data, including past, present or future (encryption) keys." The TRSM also must "make tampering difficult or improbable."
Standards created by bodies like ANSI and ISO are helpful, but their language allows room for multiple interpretations, said Sean McCarthy, NCR's product manager for ATM security. Vendors must determine the "spirit of the standard," he said.
"Where there is ambiguity, it's best to move to a higher level rather than a lower level when it comes to security," McCarthy said. "It shouldn't be about just meeting the minimum requirements."
An EPP's ability to support remote management of encryption keys is important, McCarthy said. ANSI is currently developing a recommended standard for key distribution. Most networks seem poised to mandate more frequent key changes, and to step up their enforcement of existing rules that call for unique keys for each ATM. (See related story: Keeping the keys unique)
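The three behaviours the article attributes to an EPP (encryption happening inside the module behind the keypad, key zeroization on tamper, and a unique key per ATM) can be sketched in a few dozen lines. The Go model below is an added illustration, not code from the article or from any vendor's product: it forms an ISO 9564 format-0 PIN block, encrypts it under a per-terminal two-key Triple DES PIN encryption key using Go's standard crypto/des package, lets a host recover the block only with that terminal's key, and refuses to work once a tamper event has wiped the key. The terminal IDs, keys, PAN and PIN are constructed sample values, and NewEPP stands in for whatever key-loading mechanism a real deployment uses.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrKeysZeroized is returned once the module has wiped its key material.
var ErrKeysZeroized = errors.New("epp: keys zeroized after tamper event")

// EPP models an encrypting PIN pad: the PIN encryption key (PEK) lives inside
// the tamper-responsive module and the PIN never leaves it in clear form.
type EPP struct {
	terminalID string
	pek        []byte // 16-byte two-key Triple DES PEK; nil once zeroized
}

// NewEPP loads a terminal-unique key into the module (stand-in for key loading).
func NewEPP(terminalID string, pek []byte) (*EPP, error) {
	if len(pek) != 16 {
		return nil, errors.New("epp: two-key Triple DES needs 16 key bytes")
	}
	k := make([]byte, 16)
	copy(k, pek)
	return &EPP{terminalID: terminalID, pek: k}, nil
}

// Tamper simulates the tamper-detection circuit firing: the key bytes are
// overwritten before the reference is dropped, so nothing recoverable remains.
func (e *EPP) Tamper() {
	for i := range e.pek {
		e.pek[i] = 0
	}
	e.pek = nil
}

// ISO0PINBlock builds an ISO 9564 format-0 PIN block:
// field 1 = 0, PIN length as one hex digit, PIN digits, F-padded to 16 hex digits;
// field 2 = 0000 plus the rightmost 12 PAN digits excluding the check digit;
// block   = field 1 XOR field 2.
func ISO0PINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 {
		return nil, errors.New("pin must be 4..12 digits, pan at least 13")
	}
	for _, c := range pin + pan {
		if c < '0' || c > '9' {
			return nil, errors.New("pin and pan must be digits only")
		}
	}
	f1 := fmt.Sprintf("0%X%s", len(pin), pin)
	for len(f1) < 16 {
		f1 += "F"
	}
	f2 := "0000" + pan[len(pan)-13:len(pan)-1]
	b1, _ := hex.DecodeString(f1)
	b2, _ := hex.DecodeString(f2)
	block := make([]byte, 8)
	for i := range block {
		block[i] = b1[i] ^ b2[i]
	}
	return block, nil
}

// tdesKey expands a 16-byte two-key PEK to the K1|K2|K1 form crypto/des expects.
func tdesKey(pek []byte) []byte {
	return append(append([]byte{}, pek...), pek[:8]...)
}

// EncryptPIN is the only PIN operation the module exposes: it returns the
// Triple DES encrypted PIN block, or an error once the key has been zeroized.
func (e *EPP) EncryptPIN(pin, pan string) ([]byte, error) {
	if e.pek == nil {
		return nil, ErrKeysZeroized
	}
	block, err := ISO0PINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(tdesKey(e.pek))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// HostDecrypt is the host side: only the terminal's own PEK recovers the block,
// which is why a unique key per ATM limits the damage from one compromised unit.
func HostDecrypt(pek, ct []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(tdesKey(pek))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Decrypt(out, ct)
	return out, nil
}

func main() {
	// Constructed sample values: two terminals with distinct PEKs, one PAN/PIN.
	pan, pin := "4000001234567899", "1234"
	a, _ := NewEPP("ATM-0001", []byte("0123456789ABCDEF"))
	b, _ := NewEPP("ATM-0002", []byte("FEDCBA9876543210"))
	ca, _ := a.EncryptPIN(pin, pan)
	cb, _ := b.EncryptPIN(pin, pan)
	fmt.Printf("%s: %x\n%s: %x\n", a.terminalID, ca, b.terminalID, cb)
	a.Tamper()
	_, err := a.EncryptPIN(pin, pan)
	fmt.Println("after tamper:", err)
}
```

Running it prints two different ciphertexts for the same PIN and PAN, one per terminal key, and then the zeroization error after the tamper event. The model deliberately keeps the clear PIN block inside EncryptPIN and never returns it, mirroring the point that encryption must happen at the point of entry rather than after a trip down a cable to the vault.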
Ask and receive
Star's deadline for Triple DES compliance is two years away, with a "drop dead" date of June 30, 2005 for all ATMs to run Triple DES. However, the network in February sent members a letter asking them to obtain proof from vendors that their ATMs were equipped with EPPs that met regulatory requirements -- or could be upgraded to do so.
While Star formerly obtained this information from vendors on behalf of its members, the network is "no longer in a position to take on that role," Lynn said.
The question of which older terminals can be upgraded may vary, depending on the specific configurations of machines, she said. "We can't just go to (a vendor) and get a list. There are too many different variables."
Star wants its members to take a proactive view of fraud prevention, Lynn said. "If your exposure to fraud increases significantly, you have to consider whether you want to wait" to upgrade ATMs.
Diebold welcomed Star's move, Stewart said. "It's good for customers to know what they are buying. I think (the letter) is forcing them to raise their awareness."
Coming to a consensus
An EPP on all ATMs is one of the fraud prevention recommendations put forth by the ATM Integrity Task Force, a group of industry representatives organized by the Electronic Funds Transfer Association (EFTA).
Tidel's Hudson, chairman of the task force, said that a list of fraud prevention guidelines has been submitted to EFTA's executive board, which will review them during its June 11 meeting. If the board approves, the EFTA will distribute the recommendations to its 600 members.
(See related story: ATM industry mobilizes for fraud fight)
Like Lynn, Hudson said that the existing installed base of ATMs will present the biggest challenge for vendors and deployers. "Everybody is shipping units with some form of EPP now, but the majority of legacy machines do not meet the new and more strict interpretation of a TRSM."
As with all of the Task Force's recommendations, Hudson said there has been much discussion over how the cost of EPPs -- particularly upgrades -- will impact the ATM business. Task Force members agree that the industry needs to ensure that no single group bears too much expense.
"If we're all burdened more or less equally, nobody will suffer significant damage," he said. "Without the confidence of cardholders, we've all got a big problem."
Hudson said he has been heartened by the industry's cooperative attitude to date when it comes to fraud prevention efforts.
"We've gotten folks together from the different disciplines, and we've made a conscious effort to work together," he said. "We've been cognizant of the fact that decisions made by one discipline impact the others, and I think there's been an unprecedented level of concern there."