A presentation of awards by the ATM Industry Association at last week's Summit in San Diego gave the industry a chance to feel good about itself. ATM fraud, Triple DES and other issues on the agenda gave it a cause for concern.
November 21, 2002
Based upon the introduction of Michael Lee, the international director of the ATM Industry Association, it wasn't hard to guess the recipient of the first-ever Lyle Elias Lifetime Achievement Award, presented by ATMIA at last week's Summit in San Diego.
"I've never heard anyone say anything bad about him," said Lee of the honoree, a key distinction in an industry in which airing dirty laundry is practically de rigueur.
So it was no surprise when Triton Systems founder Ernest Burdette, known for a good heart as well as a good head for business, was called to the podium.
With his trademark graciousness, Burdette acknowledged the contributions of others while accepting the award, which Lee said was named after two-term ATMIA president Lyle Elias because of Elias' "unmistakable human touch" as well as his ability to think outside of the box.
"This award is not about the single accomplishment of any individual. My company is where it is, and this industry is where it is, because of a team effort," Burdette said.
Other honorees included a Latin American transaction processor, a South African bank and a Scotland Yard police officer, highlighting the increasingly international flavor of ATMIA. NCR was the single biggest winner, with two awards and two runner-up mentions. (See related story ATMIA recognizes outstanding achievements, elects new board members at Summit)
While the awards gave the industry a chance to feel good about itself, Triple DES, fraud and other issues on the two-day agenda gave it a cause for concern. Compliance with network mandates designed to improve ATM security was a recurring theme.
Here is some of what this editor saw and heard:
Ask ATMIA: Ellen Stebbins, VP of First American Payment Systems, after sitting in on a User's Group on ATM Standards, said that ATMIA hoped to work with manufacturers, ISOs, sponsor banks, transaction processors, networks and others to create a database with useful information such as banking regulations for each state and how to successfully complete a Visa audit.
Shuffling the deck: In the early days of card fraud, said Susan Zawodniak, executive director of the NYCE network, thieves armed with skimming devices usually obtained card data and PINs at a single "point of compromise" (often a point-of-sale terminal), then used a single "deck" of counterfeit cards at a single ATM. It was fairly easy to spot a pattern, Zawodniak said, because of frequent PIN errors and balance inquiries (as thieves tried to determine how much money was available).
Today, more sophisticated criminals obtain data at multiple devices, including ATMs, then "shuffle" card decks before hitting multiple ATM and POS locations. They use a variety of internal and external skimming devices and have more familiarity with the business, including knowledge of banks' daily withdrawal limits. "It's harder to find and attack these targets," Zawodniak said.
Changing modus operandi: Zawodniak said one of the newest scams targets mostly branch ATMs rather than the retail ATMs where card data was compromised in a recent high-profile New York case. (See related story Skim scam man) A palm computer/swipe card reader device is affixed to the front of the ATM, covering the real screen and reader. Because card data is obtained while an ATM's transaction capability is disabled, Zawodniak said, it's difficult to identify patterns.
"It's almost as if (the thieves) have been sitting in on our meetings and listening to us discuss the problem. We think they're targeting mostly non-bank ATMs, and they start hitting bank machines," Zawodniak said.
Network news: Zawodniak predicted that all networks will require more from the financial institutions that sponsor ISOs into networks, specifically higher equity capital requirements and more due diligence on ISOs, including regular audits and records on all ATM servicers. Networks may also require registration of companies that provide key management programs and make transaction processors liable if they bring un-sponsored ATMs live on a network, she said.
Future shock: Possible future fraud targets, Zawodniak said, include almost any device with a card reader: vending machines, slot machines, jukeboxes and fast food drive-up payment terminals.
Know your enemy: Todd Clark, the EVP of Core Data Resources, in an address before the awards dinner, said, "Some of you in this room consider networks and banks the threat. But the Russian mafia (and other organized crime groups), they are the threat, and we have to work together to defeat them."
While you're at it, know your customer: Discussing the need for compliance in the retail ATM business, Clark said, "The people in this room can run their ATM businesses better, faster and cheaper than financial institutions, but they have a responsibility to do it right."
Pi Systems says its 3DES Fix will make all STP-, BTP- and CTP-based ATMs -- including Diebold's 900 series and NCR's 5000 series -- capable of running Triple DES encryption.
Insurance for all: Mark Coons, president and CEO of American Special Risk, which oversees an insurance program for ATMIA members, said his company hopes to develop a program better suited to financial institutions and large ISOs, including policies that would minimize any losses from fraud.
Triple DES twist: Kelly Horton, Pi Systems' VP of sales and marketing, said his company's 3DES Fix, an "intelligent" PIN pad that costs $3,200, will make all STP-, BTP- and CTP-based ATMs -- including Diebold's 900 series and NCR's 5000 series -- capable of running Triple DES encryption. Horton explained that, with his company's device, the PIN pad does not always send a signal through the internal processor and out the modem to a network for authorization.
"The best way to explain it is, we have a triangle of communication between the PIN pad, the control module and the internal ATM processor," Horton said. "Some information is bypassed, some is 'faked' and the information that makes the ATM run is sent through. At no time is the PIN in single DES or clear text."
Triple DES dates: Stoddard Lambertson, PIN security program manager for Visa U.S.A.'s Corporate Risk Division, said Visa did its first global study on PIN security in 1993, issued its first PIN requirements in 1995 and just revised them this year -- including a new requirement for Triple DES. The Visa dates: all newly-deployed ATMs, including replacement devices, must support Triple DES by Jan. 1, 2003. Unlike MasterCard -- which has a "drop dead" date of April 1, 2005 -- Visa has not yet set deadlines for full Triple DES encryption but plans to do so in early 2003.
Testing, testing: While Visa has approved an independent lab for testing point-of-sale PIN pads for Triple DES compliance (InfoGard Laboratories in San Luis Obispo, Calif.), it has not yet done so for ATMs or for hardware security modules. Lambertson said a recommendation has been made to the Visa International Board to add ATMs to the program. The board meets in February.
Trust me: The independent lab is needed, Lambertson said, because Visa currently relies solely on manufacturers' self-certifications. That process has shortcomings, he said.
The top 100: Lambertson said there are just over 100 participants in Visa's PIN Security Program, including member banks, processors, switches, merchants, ISOs and ESOs (Encryption Service Organizations). The "top 100" are subject to regular Visa audits. For those not directly connected to Visa, sponsors must guarantee their compliance. (See related stories New requirements cause information overload for some ISOs and Visa: New ISO risk standards will help prevent fraud).
"We use a tiered approach. We don't request 20,000 audits," Lambertson said. "But as these top 100 improve, we'll bring more entities into the program." The country's top 10 ISOs were recently added to the program, Lambertson said.
De La Rue's John Miller presents the 10,000th MiniMech cash dispenser to Ernest Burdette of Triton, one of De La Rue's best customers.
New dispensing dynasty?: John Miller, commercial manager of De La Rue's OEM division, said his company may expand usage of its Quikfill Cash Can, an open-tray cassette designed specifically for the merchant cash replenishment model, to dispensers other than its single-cassette MiniMech. The MiniMech has been wildly successful, as evidenced by Miller's presentation of the 10,000th dispenser to Burdette of Triton, one of De La Rue's best customers.
Phoning it in: Robert Moffa, director of sales and marketing for Ernest Communications, Inc. (ECI), said his company, a Competitive Local Exchange Carrier with phone service in 23 states, can offer up to 20 percent savings on local dial service for ATM operators. ECI currently provides its services for 75,000 lines, including payphones and POS devices, and would like to add ATMs to the mix, Moffa said.
There is no cost to convert phone lines, Moffa said. "(The operator) doesn't have to pay anything. Why wouldn't you do it?"
Software, with love: More than 100 Russian banks utilize transaction processing software provided by Moscow-based Compass Plus, which recently established a U.S. office in Las Vegas. Its biggest client is the Ukraine's Privat, which has 1,800 branches, 600 ATMs and 3 million cardholders.
Business development director Igor Bakhtin said his company wants to take on ACI Worldwide and its BASE24 software and convince more small financial institutions to switch to in-house processing platforms. Bakhtin, who has been following the success of companies like Mosaic Software, said Compass software can run on a Unix or Linux platform in addition to Microsoft's Windows.
Like a tank: Jeff Munford, president of Florida-based ISO Electronic Cash Systems, said one of his favorite ATMs is the Fast Cash manufactured by WRG Services. Acknowledging that the industrial-looking Fast Cash won't win any beauty contests, Munford said he doesn't care. "I haven't hired a service technician in five years," he said, opening the back of the machine to show it has fewer than a dozen parts. A merchant can fix just about any problem on a Fast Cash, Munford said.
Building buzz: The CashWorks PayPort point-of-sale terminal, used in conjunction with an ATM to offer check cashing, was a prominent feature in both the Tidel and Triton booths. It is one of three applications included as part of Triton's Waves program, which kicks off next month. (See related stories Advanced apps gain momentum at NACS and All about the apps at NACS Show 2000)
Check cashing and then some: In the Financial Technologies, Inc. (FTI) booth, FTI's Tommy Glenn was showing off his own POS terminal called FTI Sales Manager, which will offer CashWorks and six other applications, including prepaid phone top-ups, money transfer and merchant credit/debit card processing. Glenn expects all seven applications to be available by the end of 2003's first quarter.
The terminal will allow merchants to accept cash for transactions such as money transfers -- not yet an option on most ATMs. Glenn predicted it will be a big win in locations that want an ATM on the premises but don't have the transaction volumes to support it. "They'll be able to afford the ATM if they offer some of these other transactions," he said.
A Lipman Nurit 5060 like this one is currently being used in the New York City area to dispense phone cards. Lipman plans to launch a stored value card pilot in the next month.
Bandwidth breakthrough: David Bryan, CEO of C3 Technologies, said his company uses bandwidth it purchases from FM radio stations to deliver advertising content to 15-inch toppers that can be bolted to the top of an ATM. Bryan, who had a topper on a machine in the Lipman booth, said he hopes to create a program in which his company would provide toppers free of charge to ATM deployers.
C3 would earn revenue by charging advertisers to manage their campaigns. Bryan believes there is an opportunity with companies that are offering new services, such as money transfer and prepaid phone top-ups, on ATMs. "They need to let consumers know these services are available. What better place to do it than an ATM?" he said. Companies selling products that can't be advertised on radio/TV, such as cigarettes and alcohol, are also prime candidates for advertising on ATM toppers, Bryan said.
Pick a card: Lipman ATM sales manager David Lipkin said his company is launching a stored value card pilot in four weeks. Lipman has already experienced good results offering phone cards at five machines in the New York City area. The Nurit 6050 ATM uses a special card hopper rather than a cassette. Lipman is ahead of other ATM manufacturers in terms of card dispensing and other non-traditional ATM transactions -- which are processed as POS transactions -- because of its familiarity with the POS world, Lipkin said.
The ATM Industry Association, founded in 1997, is a global non-profit trade association with over 10,500 members in 65 countries. The membership base covers the full range of this worldwide industry comprising over 2.2 million installed ATMs.