
Article

PCI DSS in Latin America: How to choose middleware

Deployers of multi-vendor POS and ATM devices have a lot to consider for compliance.  

September 6, 2011

The following is an excerpt from "PCI DSS Compliance for ATM Networks in Latin America," a white paper available for free download after registration.

As electronic payments in Latin America continue to grow, it’s important for Latin American ATM deployers to choose middleware that applies PCI DSS specifications. With an increase in bankcard cardholders comes a higher risk of card data theft.

The growth of the middle class in Latin America has contributed to the rise in electronic payments, according to Alpharetta, Ga.-based financial consultant firm Speer & Associates, which estimates that electronic payments in the region will double in the next decade.

PCI DSS requires entities to protect credit card data in all forms to prevent its theft or fraudulent use, and outlines what data can be stored and what cannot.

To improve the conformity and functionality of their networks, self-service fleet providers often use middleware that manages the exchange of information between self-service machines and network monitors.

This middleware can also facilitate a simplified PCI DSS compliance effort, provided that the software itself has been designed to take into account the protocols for transmission and storage of sensitive information.

Having dealt with the problem of data security in the developed world for decades, the bankcard industry has wasted no time pressing Latin American financial institutions to adopt its Payment Card Industry Data Security Standard and, by July 2012, its Payment Application Data Security Standard.

Ensuring PCI DSS compliance is more difficult for multivendor deployers who have a variety of machines and types of data to keep secure. Providers should have software that covers a range of self-service applications and enforces security standards.

Middleware functions to consider

Peripheral connectivity. The strength of any middleware program lies in its ability to control ATM peripherals regardless of machine vendor or operating platform. However, for PCI DSS compliance, trace data from peripheral operations must be modified so as not to include critical data.

Data exchange with devices — especially card readers and PIN pads — must be configured so that no trace data is printed or stored.
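The requirement above (trace data from card readers and PIN pads must never carry the full PAN, track data or PIN material) is easiest to meet if the middleware's own trace writer sanitizes every line before it is emitted. The following Python sanitizer is an added illustration, not code from the white paper or from any middleware product. It assumes trace lines are plain text, uses a Luhn check to avoid masking ordinary sequence numbers, applies the first-six/last-four masking that PCI DSS permits for displayed PANs, and fully redacts track-2 data and PIN-block/CVV fields. The sample trace lines and field names (`PAN=`, `TRACK2=`, `PINBLOCK=`) are constructed for the example.

```python
import re

# Candidate PAN: a run of 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# ISO 7813 track-2 layout: ';' PAN '=' expiry/service code/discretionary data '?'
TRACK2_RE = re.compile(r';\d{13,19}=\d{4,}[^?]*\??')

# Field labels whose values must never appear in a trace at all (constructed labels).
SECRET_FIELD_RE = re.compile(r'\b(PIN(?:BLOCK)?|CVV2?|CVC2?)\s*[:=]\s*\S+', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Mask a matched PAN to first six / last four; leave non-Luhn numbers alone."""
    raw = match.group(0)
    digits = re.sub(r'[ -]', '', raw)
    if not luhn_ok(digits):
        return raw              # e.g. a sequence number or timestamp, not a card number
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def sanitize_trace_line(line: str) -> str:
    """Remove sensitive authentication data and mask PANs in one trace line.

    Track-2 data is redacted first: it contains the PAN, and masking the PAN
    inside it first would leave the rest of the track data behind.
    """
    line = TRACK2_RE.sub('[TRACK2 REDACTED]', line)
    line = SECRET_FIELD_RE.sub(lambda m: m.group(1) + '=[REDACTED]', line)
    line = PAN_RE.sub(mask_pan, line)
    return line


def sanitize_trace(lines):
    """Sanitize a whole trace, returning the cleaned lines."""
    return [sanitize_trace_line(l) for l in lines]


# Constructed sample trace from a card reader / PIN pad exchange (not real data).
SAMPLE_TRACE = [
    "CARDREADER read ok PAN=4111111111111111 EXP=2512",
    "CARDREADER TRACK2=;4111111111111111=25121011234567890?",
    "PINPAD PINBLOCK=0123456789ABCDEF",
    "HOST SEQ 1234567890123 ack",          # 13 digits, fails Luhn: left untouched
    "DISPLAY card 4111 1111 1111 1111 accepted",
]

if __name__ == "__main__":
    for out in sanitize_trace(SAMPLE_TRACE):
        print(out)
```

The important design point is where this runs: the sanitizer must sit in the middleware's trace writer so that the unmasked line never reaches disk, a journal or a remote monitor; scrubbing trace files after the fact still leaves cardholder data written to storage in the meantime.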

EMV card interface. To maintain PCI DSS compliance with respect to EMV cards, the middleware provider should either activate a kernel trace for the transaction that does not list sensitive data or generate a transaction log to trace these transactions.

In the latter case, the deployer must take additional measures either to ensure that this information is encrypted to PCI DSS standards or to prevent unauthorized access to the file.

Application development. Ideally, a middleware suite will provide a flexible and robust framework to allow development of new applications to meet a fleet deployer’s specific support needs.

Inherently, this framework would be PCI DSS compliant since the components that make up the application development software do not themselves write or store sensitive information.

Network monitoring. By nature, a monitoring program must maintain access to journals, files and traces, and these must be recoverable for examination or review. In compliance with PCI DSS, this information must be encrypted and stored in a secure manner that prevents unauthorized access.

Some ATMs may feature existing drivers that can be adapted to PCI DSS. If this is not the case, the fleet deployer should work with a middleware developer who can devise a solution for safely encrypting and storing information on the deployer’s server.

Marketing functionality. Multivendor deployers have the opportunity to speak to varied audiences. But to create effective campaigns for self-service, a deployer may need to store primary account number (PAN) information.

Although the deployer collects and stores such information, it is important to limit access to the PANs to authorized users only. If trace information is to be created for this transaction, the deployer must also take steps to protect this information.

Finally, the deployer should be prepared to implement additional security measures to ensure proper interaction of applications, such as preventing malicious blocking actions and controlling information entrance and exit points.

For more information on this topic, please visit our software research center.

©2025 Networld Media Group, LLC. All rights reserved.