
Don't fear the audit

Those who have undergone audits -- more common now as networks and sponsor banks keep a closer eye on ISOs' activities -- say they create more paperwork but can be an educational process for all involved.

January 14, 2004

Most independent ATM deployers prefer to spend their time selling and servicing ATMs, not shuffling paper.

Yet paperwork is more of a priority now that EFT networks are stepping up their oversight of the financial institutions that sponsor ISOs into networks as well as the ISOs themselves.

Documentation of PIN security procedures and basic information such as machine locations is crucial, said Liz Nutting, network sponsorship manager for Palm Desert National Bank (PDNB), a California financial institution that sponsors some 60 ISOs into networks such as Star, NYCE and Pulse.

"Most people are following the proper procedures. It's just a matter of writing down what they are doing," Nutting said. "A competent secretary helps."

Being prepared for an audit -- even if one never occurs -- is "just good business practice," Nutting said. "In the event the network decides to come in for an audit, it makes it a heck of a lot easier if you have all of the appropriate paperwork in place."

Visa has been conducting PIN security audits with large ISOs over the past year as part of its efforts to improve PIN security. Previously, only financial institutions were subject to such audits.

Surviving the site review

Marty Ambuehl, president of ATM Express Inc., a Billings, Mont., ISO with some 6,000 machines under contract, estimated that it took about 80 hours to compile the company's PIN security procedures before its Visa audit last May. ATM Express' sponsor bank, Pueblo Bank & Trust, assisted in the effort, he said.

ATM Express was given 45 days to prepare for the audit, Ambuehl said, which included answering a 35-item questionnaire. "Immediately after we got the notification from Visa, we called (Pueblo) and went over the PIN review form with them."

Portions of the questionnaire concerning key management can be confusing to ISOs, who may not realize that some questions do not apply to them if they use third-party transaction processors and/or encryption service organizations (ESOs), said Steve Shirley, Pueblo's senior vice president of operations.

ISOs should answer "not applicable" in those cases, he said.

Ambuehl agreed, noting that his processing knowledge gained as a former five-year employee of a financial institution helped him with certain questions. "I can see where they could be very confusing or intimidating to some people," he said.

Visa's day-and-a-half visit to ATM Express helped the company improve its PIN security, said Ambuehl. "We finally got some questions answered."

ATM Express made several changes to its key storage policies following the audit. "Some of the logs we were keeping created possible breaches of security," Ambuehl said. "We found out your best bet is to shred keys you've used right away rather than keeping them for any length of time."

Visa "doesn't expect you to be compliant on every item on (the questionnaire) the first time around," said Ambuehl. "But if you answer 'no' to a question, they want you to have a reason and a plan. If you have a plan, you're OK. Visa is there to help us, not to kill us."

PDNB's Nutting said it's better to admit uncertainty than to offer an incorrect or misleading answer to an auditor. "There's nothing wrong with saying 'I'll get back to you.'"

It's also wise to offer only as much information as necessary, she said. "You don't want an offhanded comment to open up a whole new area for them to question."

Visa gave results and suggestions for improvement to Pueblo about a month after the audit; Pueblo then shared the information with ATM Express. This procedure makes sense, Ambuehl said. "You're not going to get any trust unless you know that problems are being dealt with by the people who are most directly at risk."

Now a word from our sponsors...

Sponsor banks now conduct annual audits of their ISOs to ensure that the ISOs are in compliance with network operating rules and regulations.

Sponsors typically require ISOs to provide names of principals and key staff members; a current business financial statement, with a balance sheet and profit-and-loss statement; a current business tax return with all schedules; current personal financial statements and current personal tax returns for all principals; and notification of network renewals.

While some ISOs initially resisted the idea of supplying such extensive financials, PDNB's Nutting said, "It's one of the ways we make sure a business is serious and profitable. With risk involved and financial issues at stake, we have to be able to vouch for these companies."

Sponsors must also be aware of all ATM locations, with the make/model of each machine, the hardware/software/firmware versions and any special capabilities. Sponsors also want to know which companies actually process the transactions.

"We need to be able to say 'it's 10 o'clock, do you know where your ATM is,'" Nutting said, noting that information should be updated whenever changes are made rather than just annually during audits.

Both Visa and Star require sponsors to update this information quarterly, she said.

ISOs also must have documented terminal management and key management procedures. Terminal management includes the purchasing, installation, inventory control, inspection and deactivation of machines. Key management includes key generation, loading and destruction as well as component transport and storage.

Key management is a special challenge for many ISOs, said Shirley. "You're asking people whose primary expertise is and has been sales to become cryptographers."

Pueblo has not encountered any "close the door type issues" during the audits it has conducted in the past year, Shirley said. "Everybody's learned something every time we've done one. It's a good way to discover 'best of breed' practices."

Pueblo tries to be as sensitive as possible to an ISO's day-to-day activities while conducting audits and offering follow-up suggestions, Shirley said. "We don't want to create an impact so severe that they can't get their business done."

Network news

Networks also now conduct either annual or bi-annual reviews of sponsor banks to ensure that they are monitoring the activities of their ISOs. NYCE in September completed its first on-site reviews of its six ATM ISO sponsors and is now preparing for its 2004 audits, said Bruce Sussman, the network's vice president of internal audit.

Sponsor audits incorporate PIN security, "know your customer" provisions and ATM inventory management, Sussman said. NYCE hired consulting firm DeLap White Caldwell & Croy to help design its audit and conduct field reviews of the sponsors.

Darlene Kargel, a CPA with the firm who visited NYCE's sponsors, said, "The sponsor banks know the network regulations and operating rules. The purpose of the audits is to ensure that these are being enforced and pushed down to the ISOs."

Because most sponsors are "in the infancy" of developing due diligence programs, there is room for improvement, Kargel said. "They are very eager to learn. NYCE's philosophy is to educate, not just to measure compliance."

"With these new standards, no one expects perfection immediately," Sussman said. "But we do expect a good faith effort at compliance. We found that the sponsor community is engaging resources and spending money to make sure that risk in these areas is being measured and monitored."

Sponsors should feel free to "ask questions proactively rather than waiting for the audit," Sussman said. "We'd rather prevent a problem now than cure one later."

Sussman also encouraged sponsors to consider participating in the standards committees of the American National Standards Institute (ANSI), which recommend PIN security policies and procedures that are often adopted by Visa and other networks.

"It's an opportunity to hear directly from the standards setters and to benefit from the evolving thought processes concerning PIN security," he said.

PDNB's Nutting encourages both sponsor banks and ISOs not to think of audits as a test that can be "flunked" but rather as a dose of preventative medicine. "They provide an opportunity to measure the overall health of your system, prescribe remedies for minor ailments and get an early diagnosis of a potentially serious illness," she said.

©2025 Networld Media Group, LLC. All rights reserved.