A year after it began requiring PEDs used on point-of-sale terminals to be tested at an independent Visa-approved laboratory, Visa is introducing a similar requirement for ATMs.
August 1, 2004
In April of 2002, after several problems involving point-of-sale terminals with non-compliant PEDs (PIN entry devices), Visa International began requiring PEDs used on POS terminals to be tested at an independent Visa-approved laboratory.
If the PEDs passed muster, they were added to a list of compliant devices on Visa's Web site.
Since then, three labs have approved 43 devices from 17 manufacturers.
ATM PEDs, however, were not subject to the testing requirement. That will change next year when Visa begins asking its members to purchase only ATMs with PEDs that have undergone testing at a Visa-approved lab.
The requirement was extended to ATM PEDs largely because of a high-profile case in which a Russian crime ring installed skimming devices inside of ATMs and obtained cardholders' PINs before they were encrypted, said Stephen Rush, a former Visa employee and current PIN security consultant to Visa.
"Those machines should have been purchased with EPPs (encrypting PIN pads) and weren't," said Rush, president of the Guthrie Group (GuthrieGroupOR@aol.com). "They weren't secure."
Noting that it was "senseless not to include ATMs in the first place," Rush said, "I could kiss those guys (involved in that case)."
Testing, testing
The testing is meant to confirm that devices comply with a list of PIN security requirements introduced by Visa in 1995. The ultimate goal is to ensure that PINs are well protected during electronic transactions.
Before testing, "self-assessment questionnaires" filled out by manufacturers at Visa's request served as the only confirmation that PEDs met these requirements.
The ATM rule applies to both Visa's financial institution members and their agents (typically ISOs sponsored into Visa's Plus network by banks). Acquirers who do not comply with the new requirement will be held liable for any fraud-related losses incurred due to a non-compliant PED, according to Visa.
According to Visa's Web site, "Effective July 1, 2004, all newly deployed ATM, EPP and cash dispensing PED models (i.e., newly purchased devices from the original equipment manufacturer; not previously acquired devices being installed for the first time) must be evaluated by a Visa-recognized laboratory and approved by Visa."
The TDES factor
However, since all ATMs -- both new and legacy -- must support the use of Triple DES, the requirement will effectively apply to most machines in the field.
"Visa strongly recommends Member completion of the migration to TDES in accordance with the following dates..." -- From the Visa Web site
One of the areas that will be included in testing is a PED's Triple DES capability. Visa's deadline for all newly deployed and replacement ATMs to support Triple DES was Jan. 1, 2003.
According to Visa's Web site, "replacement devices" implies that anytime an existing PED is removed from service and replaced with another PED, the replacement PED should be Visa approved.
"Specifically, anytime that there exists an opportunity to deploy a PED, that PED should be a Visa approved model," according to the site. "Visa encourages approved PEDs be deployed and used whenever possible, understanding that there exists certain and rare circumstances where this may not be practical."
Visa recently suggested that all ATMs should run Triple DES encryption by July 1, 2007 -- more than two years after MasterCard's date of April 1, 2005.
MasterCard has no similar testing requirement for its Cirrus ATM network. MasterCard did not respond to questions about how PEDs are approved today and whether any changes in its approval procedures are planned.
Visa expects that manufacturers of EPPs will have their products evaluated by a laboratory in order to gain an approval from Visa as an OEM-approved EPP before the devices are purchased by their customers, the ATM manufacturers.
After a manufacturer installs and configures an approved OEM EPP into its ATM, the laboratory will likely only need to test the portion of the EPP that was not previously evaluated -- probably the software used by the manufacturer to integrate the EPP into the ATM's display.
According to Visa's Web site, the testing process can take as little as a month -- assuming that there are no significant technical, communications or submission problems between the manufacturer and the laboratory.
Once Visa receives an evaluation report from the laboratory, an approval letter can be issued and the approval posted online within a week. However, Visa allows itself up to 30 days for the approval to be granted in order to accommodate any discrepancies that need to be resolved.
The approval is good for three years, according to Visa. The manufacturer must notify Visa if the PED model is updated or discontinued. An updated PED may need to be re-evaluated to ensure that it conforms with Visa's security requirements.
The cost, which an industry source said typically ranges from $15,000 to $20,000, is picked up by the vendors.
Time and numbers
ATM deployers and vendors alike largely seem to welcome Visa's new requirement.
Neil Clark, vice president of sales and marketing for ATM Express, Inc., a Montana-based ISO with more than 6,000 machines under contract, said his company -- which recently underwent a Visa PIN security audit -- wants to ensure that machines upgraded to support Triple DES will meet all of Visa's other requirements.
"We want to go to Triple DES as fast as we can, but we've been hesitating a little bit because we had heard (Visa) was going to introduce the testing," he said. "We don't want to put machines out there and not know for sure whether the upgrades are good or not. When we spend the money and time (doing upgrades), we don't want to find out we'll have to go back out later."
The Visa approval should help many financial institutions and other deployers who have "limited cryptographic resources," said Rush, the PIN security consultant.
"They don't generally ask about PIN security when they talk to their sales rep," he said. "They want to know how much power it takes, how much money it'll hold and if there will be any downtime."
Rob Evans, director of industry marketing for NCR's Financial Solutions, applauded Visa's move. "They want to take more responsibility for seeing that their rules are followed," he said.
An executive with another ATM manufacturer, who asked not to be named, expressed concern because Visa has not yet released its specific requirements for ATM PEDs.
"By the time they do, the manufacturers will take a while to digest and determine if (EPPs) are OK or not. Those that are not will have big challenges on their hands, if the requirements for ATMs are similar to those for POS PEDs," he said. "We have examined other manufacturers' devices and know they are not even close to passing the POS requirements. But until the ATM requirements are published, we don't know how we and everyone else stand."
Even with his concerns, however, the unnamed executive believes the requirement will benefit the industry. "As with UL (Underwriters Laboratories) requirements, everyone will be tested to the same standards," he said.
NCR's Evans downplayed concerns over the lack of specific ATM standards.
"I don't think you have to be clairvoyant," he said, noting that Visa's standards typically closely mirror those created by ANSI (the American National Standards Institute). "If you adhere to ANSI and ISO (International Standards Organization), you'll be fine."
A bigger concern, Evans said, is the number of Visa-approved labs -- currently only three, with one in California, one in Germany and another in the Netherlands. NCR, with a manufacturing facility in Dundee, Scotland, has an advantage that many others do not, he said. "I think they'll need to add more labs, and do it as soon as they can."
Jason Kuhn, general manager of WRG Services, which manufactures the Fast Cash and Vision 100 ATMs, said that Visa's July 2004 date is "pretty unrealistic," considering the limited number of labs.
"We've been talking to InfoGard (in California) about testing for months now, and they're not ready to begin testing for ATMs," he said. "The vendors can operate only as fast as Visa allows us to."
Visa is reportedly evaluating several labs, including facilities in Canada, Singapore and Australia. "It is probably safe to conclude that we will have at least three more labs added before the end of the year," said Leon Fell from Visa International Risk. "The purpose of the additional labs is more as a convenience to vendors in recognition of time zones. Throughput has not been an issue for POS, which is much more prevalent than ATMs."
"What it boils down to," said Kuhn, "is that if we don't all take steps to protect the cardholders' confidence, then we're all out of a job."