Wednesday, September 19, 2012
"There are a number of standards from a variety of industries, including IT, security, payment card and ATM that address various components of ATM security," said Bob Russo, General Manager of the PCI SSC. "The industry, and what we're seeing in terms of fraud, is now driving the need for a global standard in this area. These guidelines build upon these other standards to provide targeted information for preventing the compromise of cardholder account and PIN data at ATMs."
The council produced a draft document entitled ATM Security Guidelines Information Supplement designed to be an introduction to ATM security and an outline for best practices concerning ATM software, hardware and device components. The draft is available to PCI SSC member organizations on the council's website.
Businesses have until Nov. 13, 2012, to review and comment on the draft document. Subsequently, the council will produce a final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs on how to securely develop, deploy and maintain ATMs.
Rick Heroux, President of security consultancy CSR, attended the PCI SSC North American Community Meeting held Sept. 12 to 14, 2012, in Orlando, Fla. He said attendees learned of a sophisticated ATM fraud scheme in the U.K. called a "pre-play" attack.
Fraudsters exploited an apparent flaw in how the random number that Europay/MasterCard/Visa (EMV) chip and PIN transactions rely on is generated. A fresh random number is supposed to be generated for each transaction. But in some cases, the numbers an ATM will generate for future transactions can be predicted, because most of each number is the same from one transaction to the next.
In two-pronged attacks, ATMs in the U.K. were hacked into, and software that steals chip and PIN information was embedded in them, Heroux said. Fraudsters then computed future authorization codes based on that information and drained accounts, he added. Researchers at Cambridge University uncovered the pre-play scheme and published their findings in "Chip and Skim: cloning EMV cards with the pre-play attack," available at www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf .
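The weakness described above is a terminal whose per-transaction random number repeats most of its bits from one transaction to the next. The following is an added example, not code from the article, the PCI SSC or the Cambridge researchers: a small audit check that an acquirer or ATM deployer could run over the random numbers a terminal has logged, to flag a generator whose output is mostly constant or counter-like. The two sample logs are constructed (the "strong" one is simply a seeded pseudo-random stream standing in for a healthy generator); the field width of 32 bits matches the 4-byte EMV field.

```python
"""Screen the per-transaction random numbers logged from an EMV terminal
for the weakness the pre-play attack relies on: values that should be fresh
and unpredictable but share most of their bits between transactions.
Added example with constructed data; not taken from the article or the paper."""
import random

UN_BITS = 32                      # the EMV field is 4 bytes wide
MASK = (1 << UN_BITS) - 1

# Constructed log of a weak terminal: the upper 16 bits never change and the
# low byte advances in fixed steps, so most of each value is known in advance.
WEAK_TERMINAL_UNS = [0xF1240000 + 0x13 * i for i in range(12)]

# Constructed log of a healthy terminal (seeded only so the example is repeatable).
_rng = random.Random(2012)
STRONG_TERMINAL_UNS = [_rng.getrandbits(UN_BITS) for _ in range(12)]


def constant_bit_fraction(uns):
    """Fraction of bit positions that hold the same value in every logged number."""
    if len(uns) < 2:
        raise ValueError("need at least two samples to compare")
    always_set = MASK
    always_clear = MASK
    for un in uns:
        always_set &= un                 # bits that are 1 in every sample
        always_clear &= ~un & MASK       # bits that are 0 in every sample
    constant = bin(always_set | always_clear).count("1")
    return constant / UN_BITS


def counter_like_fraction(uns, max_step=1 << 16):
    """Fraction of consecutive pairs that differ by less than max_step."""
    pairs = list(zip(uns, uns[1:]))
    small = sum(1 for a, b in pairs if abs(b - a) < max_step)
    return small / len(pairs)


def repeat_fraction(uns):
    """Fraction of logged numbers that exactly repeat an earlier one."""
    return 1 - len(set(uns)) / len(uns)


def assess_un_quality(uns, max_constant=0.25, max_counter_like=0.5):
    """Summarise the three checks; 'weak' is True when the stream looks predictable.

    The thresholds are assumptions for this example, not values from any standard.
    """
    report = {
        "constant_bit_fraction": constant_bit_fraction(uns),
        "counter_like_fraction": counter_like_fraction(uns),
        "repeat_fraction": repeat_fraction(uns),
    }
    report["weak"] = (
        report["constant_bit_fraction"] > max_constant
        or report["counter_like_fraction"] > max_counter_like
        or report["repeat_fraction"] > 0
    )
    return report


if __name__ == "__main__":
    for name, log in (("weak", WEAK_TERMINAL_UNS), ("strong", STRONG_TERMINAL_UNS)):
        print(name, assess_un_quality(log))
```

On the constructed weak log, 24 of the 32 bit positions never change and every step between consecutive values is tiny, so the terminal is flagged; the seeded healthy stream passes all three checks. A real deployment would feed the check with numbers captured from transaction logs or terminal test harnesses, and a flagged terminal is a candidate for a firmware update rather than proof of fraud.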
Heroux believes this recently uncovered fraud scheme gave impetus to the PCI SSC to develop the ATM security supplement. "And what their concern is that the PA DSS [Payment Application Data Security Standard] and the [PIN Transaction Security DSS] are aimed more at the PIN pad and computer software – internal software – than they are at this highly specialized ATM software," Heroux said. "What I believe the PCI SSC is doing is trying to get ahead of the curve. They're getting proactive."
MasterCard Worldwide reported Sept. 10, 2012, that it will require ATMs in the United States to be EMV-compliant by October 2016. ATM providers that do not make the deadline face a liability shift that could render them liable for fraud losses, MasterCard said.
"As other markets have migrated to EMV, we have seen fraud shift to the least secure channel," said Mike Weitzman, Group Executive, U.S. Markets, MasterCard. "By establishing this liability shift, we're advancing efforts to prevent and reduce fraud."
But, as evidenced by the pre-play scheme, EMV is not a silver bullet. "EMV is a great tool for face-to-face transactions, but just one piece of protecting data," Russo said. "Remember, security is about people, process and technology. To protect cardholder data across all channels, including card-not-present, and throughout the transaction, EMV should be used in conjunction with the PCI standards."
Russo encourages merchant service providers to learn how the PCI DSS and EMV work together by accessing PCI DSS Applicability in an EMV Environment – A Guidance Document, available at www.pcisecuritystandards.org/documents/pci_dss_emv.pdf .