Article
Who's swimming naked?
If you're an IAD, here are four ways to ensure that you won't be exposed when the tide rolls out on EMV.
April 4, 2014
by Daryl Cornell, CEOTriton Systems
"It's only when the tide goes out that you learn who's been swimming naked," goes the famous quote by Warren Buffett. For U.S. ISOs, the tide is already heading out. If Canada's experience with EMV implementation is any indication, we're about to find out which ISOs might be lacking clothes. Here's how to tell if you are exposed:
Your priority is to tackle Windows XP ATM upgrades before moving to EMV upgrades on CE machines
Current estimates are that 95 percent of all global FI ATMs still run on Windows XP. This equates to more than 200,000 XP-driven ATMs in the U.S. alone that must migrate to Windows 7 or be replaced.
Presumably, these ATMs will be upgraded to EMV at the same time, resulting in well over 200,000 service calls to FI ATMs, while banks or ISOs pay vendors for hardware and software and Microsoft for ongoing support.
Large banks have begun their upgrade campaigns, meaning that ISOs already are engaged in a war for a finite pool of field service resources. It is likely that by the time ISOs' XP ATMs are upgraded to Windows 7, the liability shift will have occurred, leaving many of the 200,000-plus CE machines of ISOs — you guessed it — naked.
Your processor says they would never shut off one of your ATMs that hasn't been upgraded for EMV
Of course processors are not yet prepared to threaten ISO customers, risking a loss of business in a highly competitive market.
The processors we've spoken with plan to withhold interchange, surcharge and even settlement funds to pay for fraud claims for non-EMV ISOs. What's not clear is whether the strategy of withholding settlement funds from an ISO is even legal.
As we saw in Canada, processors find it far easier to turn off risky non-EMV terminals than to face a protracted customer battle. How many of your non-EMV ATMs are at risk of being shut-off by your processor only 30 months from now?
You believe ISO liability is limited to the cash in a single breached ATM
Unfortunately this misconception is one of the most dangerous assumptions an ISO can make.
Card skimming at an ATM is rarely undertaken with the goal of emptying a single machine. Card numbers and PINs are used to churn out large numbers of bogus cards that are used by global "casher" networks to empty customer accounts using geographically dispersed ATMs.
It is the total subsequent fraud that the ISO will be responsible for should a non-EMV ATM be compromised. In Canada this translated into several six-figure fraud claims paid by ISOs, one of whom was more than 90 percent EMV-compliant — well on the way to full compliance.
Unfortunately the concept of subsequent fraud might well test the depth of many US ISOs' pockets.
Your hardware vendor's solution to EMV implementation is "buy a new machine"
ATM hardware purchase decisions have long tails. In the absence of any enforced upgrade requirements, U.S. ATMs have been kept in service for 10, 15, even 20 years.
All ATM vendors have product support philosophies. Some manufacturers have built their business around extending the life and expanding the capabilities of their installed products.
Other manufacturers with "support lite" models offer customers limited EMV upgrade options, pushing customers to purchase new ATMs for EMV. Vendor support decisions — combined with the age of your fleet — will determine whether you'll be able to upgrade your ATM for $600 to $800, or whether you'll be forced into wholesale replacement of ATMs at $2,000 or more per terminal.
Following a long stretch of relative calm in the U.S., the ATM ISO business is about to get very interesting. If any of the above shoes fit, beware the waning tide!
This article has been republished from the Triton blog, atmAToM, with kind permission from Triton.
photo: paxson woelber
Included In This Story
Triton Systems
Triton FI based products • NO Windows 10™ Upgrade • Secured locked down system that is virus/malware resistant • Flexible configurations - Drive-up and Walk-up • Triton's high security standards • NFC, anti-skim card reader, IP camera and level 1 vaults are all options • Triton Connect monitoring • Lower cost
