The Green Sheet Online Edition
July 23, 2007 • Issue 07:07:02
PCI standards weigh on ATMs
The push for implementing new data security standards in the payments space is gaining momentum as the industry begins to fully understand the complexity of the task ahead.
The PCI Security Standards Council is an independent industry-standards body that provides management of the Payment Card Industry (PCI) Data Security Standard. PCI comprises a common set of industry tools and measurements designed to help ensure the safe handling of sensitive information.
The five largest payment-card brands – American Express Co., Discover Financial Services LLC, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa U.S.A. – formed the council in 2005. Fines and other punitive measures from card companies, as well as the danger of a security breach, provide incentives to bring an organization into compliance.
But industry observers caution that the council's 12 data-security requirements should be kept in perspective.
"PCI will affect the point-of-sale side and merchants far more than ATM or kiosk operators," said Lyle Elias, Founding Director of the ATM Industry Association and Chairman of ATMIA's Debit Council.
ATM and kiosk operators already complying with other security mandates, such as Triple DES and PIN-entry-device (PED) security standards, most likely won't be caught between conflicting requirements. Other relevant standards, such as those that govern PIN and PED, also are expected to be wholly adopted into PCI without
"There was already uniform agreement across the industry; it will be a matter of the PCI Standards Council adopting them," said Eduardo Perez, Vice President of Payment System Risk for Visa U.S.A. "Like any other standards that would be adopted, they would evolve, and participants would be involved in the evolution."
Ultimately, the basic goals of the various security standards boil down to the same idea.
"The intent is to ensure that the systems are not storing card data or sensitive information about account holders in a way that could be accessed by third parties without authorization," Elias said.
Elias said most new ATMs that meet PIN security standards – storing only the last four digits of an account number – also comply with PCI rules. But software used behind the scenes in some ISO-operated devices may still store more account data than the standards allow.
Beginning Jan. 1, 2008, all new ATMs must have a PCI-certified encrypting PIN pad. Any machine already installed with a valid Visa PED certification will not be affected.
However, new machines will have to meet additional requirements for PCI compliance, such as a tamper-responsive design for the pad, along with additional security features in the firmware.
"In the ATM business, most of the changes have already happened, although there are some legacy machines still out there," Elias said.
The kiosk community, however, faces more scrutiny and greater obstacles than ATMs, which have already undergone security upgrades through the adoption of earlier standards.
"Stand-alone kiosks are a focus, and we want to make sure that those who operate those kiosks use compliant applications and take appropriate measures to protect cardholder data that may be retained by those kiosks, and that includes everything from parking kiosks to airline kiosks to iPod machines," Perez said.
For kiosks, applications will have to be validated against payment-application best practices. For instance, some kiosk applications have been found to store trapped data, use default passwords and may have other vulnerabilities.
Older machines may store data and conduct batch transactions via dial-up, for example.
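The two storage points made above, that compliant ATMs retain only the last four digits of an account number while some kiosk applications still hold full card data, come down to one check an operator can run against whatever a device writes to disk. The following is an added example written for this article, not code from The Green Sheet, the PCI Security Standards Council or any ATM vendor: it truncates a primary account number (PAN) to its last four digits and scans constructed sample records for any 13 to 19 digit run that passes the Luhn check, which is how a full PAN left in a log or batch file is usually spotted. The record format and field names are assumptions.

```python
import re
from typing import List

# Constructed sample of what a kiosk application might persist to disk.
# These are well-known test card numbers, not real accounts, and the
# record layout (timestamp, status, pan=, amt=) is assumed for illustration.
STORED_RECORDS = [
    "2007-07-20 08:12:01 txn ok pan=4111111111111111 amt=12.50",
    "2007-07-20 08:14:33 txn ok pan=************1111 amt=3.00",
    "2007-07-20 08:15:10 ticket 1234567890123456 printed",   # fails Luhn, not a PAN
    "2007-07-20 08:16:45 txn ok pan=5500000000000004 amt=40.00",
]

# Candidate PANs: 13 to 19 consecutive digits bounded by non-word characters.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, masking the rest, as compliant ATMs do."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_full_pans(records: List[str]) -> List[int]:
    """Return indexes of records that still contain a Luhn-valid full PAN."""
    flagged = []
    for idx, record in enumerate(records):
        for match in PAN_CANDIDATE.finditer(record):
            if luhn_valid(match.group(0)):
                flagged.append(idx)
                break
    return flagged


def redact_record(record: str) -> str:
    """Rewrite a record so every Luhn-valid full PAN is truncated to last four."""
    def _mask(match: "re.Match[str]") -> str:
        digits = match.group(0)
        return truncate_pan(digits) if luhn_valid(digits) else digits
    return PAN_CANDIDATE.sub(_mask, record)


if __name__ == "__main__":
    for idx in find_full_pans(STORED_RECORDS):
        print(f"record {idx} stores a full PAN: {redact_record(STORED_RECORDS[idx])}")
```

The Luhn test filters out most ticket numbers and timestamps that happen to be the right length, but it is a heuristic: a device review should still confirm where the flagged field comes from before concluding that cardholder data is being retained.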
"We're reaching out to kiosk operators to make sure they're taking proper measures to protect that data," Perez said.
Like ATMs, payment-accepting kiosks have integrated PIN pads that meet PIN-security requirements, easing the burden of PCI compliance.
To shift responsibility for compliance, major retailers are looking for ways to have a financial institution directly provide the POS payment operations through ownership of the card swipe device. That would make PCI-compliance issues irrelevant to the retailer.
"I see a trend for merchants to outsource their POS systems; after all, it's not a profit center for them," Elias said.
Compliance versus security
With all the PCI hoopla, there's no guarantee that data will be totally secure, even if a company is deemed to be in compliance with the standards.
Shifting threats, hardware and software upgrades, and personnel turnover can dramatically alter a company's security status, even though the company may have recently passed an audit.
The company would technically be compliant, even though many aspects of its security structure have changed. For instance, it's been reported that TJX Companies Inc. was not in compliance at the time of its well-known security breach. But what does that really mean?
"It means a lot less than it sounds like," said Evan Schuman, Editor of StorefrontBacktalk.com, a retail technology blog.
"It's not clear in what way they were not compliant; and even if they were, all that means is on a particular day and time an audit was conducted and they were compliant. It doesn't mean they were compliant an hour later." Schuman said that like any audit, a PCI-compliance audit is merely a snapshot of a situation at a given time.
"Certification doesn't mean you'd be in compliance if you had another audit a day later," he said. "One issue is how long a compliance audit is good for."
At this point, however, the PCI system is the best option for bringing together best practices in the industry, observers say.
"I've stopped asking retailers if they're compliant, because if they're honest, they really don't know," Schuman said.
However, the security track record for companies that have implemented the standards is good.
"So far we've not seen a PCI or PIN-security-compliant entity be the subject of a compromise," Perez said.
"We believe there are a number of compromise events that have been prevented because entities do comply with PCI DSS and PIN security standards, but the last compromise we prevented doesn't tend to make the media."