PED testing process not perfect, but improving

With the deadline for vendors to have ATM PIN pads tested at Visa-approved facilities less than three weeks away, MasterCard and Visa have announced plans to align future testing efforts.

August 1, 2004

Several vendors are still working to meet the ATM industry's latest network requirement, with the deadline for doing so less than three weeks away.

Last August, Visa International announced that its members would be required to ensure that the PEDs (PIN entry devices, or PIN pads) on newly purchased ATMs had been approved by one of three independent, Visa-designated laboratories -- InfoGard in California, T-Systems in Germany and TNO in the Netherlands. The deadline for compliance: July 1, 2004.

According to Visa, the labs have approved EPPs (encrypting PIN pads) manufactured by NCR, Triton, Thales (which produces keypads used on Wincor Nixdorf ATMs) and Sagem (which produces keypads used by Diebold, ATM Exchange and other companies). A list of approved products is posted on the Visa Web site and is updated as vendors receive approval.

Visa said it hopes that other vendors currently involved in the testing process will earn approval by July 1. It has not yet decided whether to provide waivers or extensions for the requirement.

The testing process

Hansup Kwon, chief executive of Tranax Technologies, said Tranax has gone through "several iterations" of development with InfoGard after initiating the testing process in January. Its EPP design has not yet been approved, but he hopes it will be by the deadline.

"Achieving 80 percent of the requirements was easy, but achieving the last 20 percent is requiring 80 percent of our resources," he said.

Kwon believes that Visa's PIN security requirements, which Visa said it first published in 1997, were "not specific enough." During the testing process, Kwon said InfoGard presented possible attack scenarios, several of which "have a remote chance of happening in the real world" and were not specified by Visa in its requirements.

Bill Jackson, Triton's chief technical officer, agreed that some of the attack scenarios "would have been easier to address if we had been aware of them up front."

The keypad used in Triton's RL5000 and FT5000 has earned approval after testing by T-Systems. Jackson said he expects the keypad used in the 9100 and 9700 product lines to be approved later this month. Triton also hopes to gain approval for its 9600 line, but Jackson said it is not as high a priority as the other models because it is no longer in production.

T-Systems provided its preliminary report three or four weeks after Triton first submitted its keypad design. The lab does not make specific recommendations for solutions, largely because of non-disclosure agreements it signs with all vendors, Jackson said. "They don't inadvertently want to share information they've obtained from one of your competitors."

The lab does answer questions to help vendors determine appropriate solutions, Jackson added.

Jackson is worried that PED testing may cause some deployers to delay the upgrades that will bring their ATMs into compliance for Triple DES, which may make it more difficult to meet MasterCard's Triple DES sunset date of April 1, 2005. Visa has not yet announced a Triple DES compliance deadline for the United States.

"We've been encouraging people for years now to not delay and buy Triple DES upgrade kits, but now we're telling them to wait so they can get the upgrade kits with the approved EPP," he said.

Getting on the same page

Ideally, Jackson would like to see regional and national EFT networks comparing notes and coming up with more consistent security requirements. "Some follow Visa rules and some don't. It could become a real burden if we have to make multiple versions of our EPP available," he said.

Ernest Chapman, a product manager for Diebold, which has earned approval for the EPP used in its ix, Opteva and CSP 400 models, agreed that more common standards would be beneficial. "As a manufacturer, we're going to meet the industry standards, but it would be helpful if the different regulatory bodies could get together as much as possible on their requirements."

Chapman said that Diebold has used the same EPP hardware recently approved by the T-Systems lab in its ATMs for several years. Only some firmware updates were required to bring it into compliance with the Visa standards.

At least one other major network player, MasterCard, plans to create a testing process that closely parallels Visa's. The two companies in late April announced that they had aligned their PED testing requirements for point-of-sale devices, with the aligned program slated to replace their current programs on Oct. 1, 2004.

Together, the companies developed aligned requirements that "look to be slightly more stringent than the current Visa requirements," according to the Visa Web site. MasterCard also agreed to grandfather and accept all POS PEDs previously approved by Visa before that date.

John Schettino, vice president of Security and Risk Services for MasterCard International, said the two companies intend to introduce a similarly aligned program for ATMs by early 2005.

The aim is to "simplify the overall process for our members," Schettino said. "Our intent is to make the testing process as easy as possible. Our goal is to have one process, one test, one result and one certification where possible."

"The fact that Visa and MasterCard are getting on the same page will answer at least some of the previously unanswered questions ATM owners of all sizes have about compliance," said Dave Parlin, president of the ATM Exchange, whose 3DES Plus product is currently being tested at the T-Systems lab. The EPP used for 3DES Plus, which is manufactured by Sagem, has already been approved.

In addition to testing with T-Systems, Parlin said ATM Exchange is in the midst of certification efforts for 3DES Plus with several networks and processors. "The type of testing we are doing and completing with the card associations and regional EFT processors proves that these organizations truly have security and customer savings at the forefront of their thinking," he said.

Spreading the word

All industry players agree that communication is important, not only among networks and vendors but extending to ATM owners and ultimately consumers.

"There must be some way to get the word out there," said Tranax's Kwon. "If we don't try to tell the merchants that own ATMs that this is about PIN security, they're just going to think the ISO is trying to get more money out of them."

Communication is "the one item that is critical to making this work," said Diebold's Chapman. "It's important we do all we can to improve communication with everyone involved in the ATM supply chain."

©2025 Networld Media Group, LLC. All rights reserved.