GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Bring the 'ATM-O-Matic' to a retailer near you



APEX awards: The Green Sheet's lucky seven

Welcome aboard GSTravelAdvice

Meet the new, nimble Hypercom


GS Advisory Board:
Value-adds: Recipe for success? Part II

PCI standards weigh on ATMs

Gary Wollenhaupt

Industry Leader

Gerry Wagner –
Discovering new opportunities


Merchant cash advance companies on the offensive

Patti Murphy
The Takoma Group

A pandemic is sweeping POS terminals: Are you ready?

Biff Matthews
CardWare International


Street SmartsSM:
Lust for the lodging market

Dee Karawadra
Impact PaySystem

Data security sells

Aaron Bills
3Delta Systems

The all-time dirtiest processor tricks

Adam Atlas
Attorney at Law

Are you business-suicidal?

Paul E. Donihue
Advanced Merchant Services Inc.

PCI: Eye to eye with federal law

Ross Federgreen

Out-of-sight Outlook tricks

Joel and Rachael Rydbeck
Nubrek Inc.

Company Profile

Gravity Payments

New Products

Ringing in a smart idea

IPS Express- Mobile Payments
Payment Data Systems Inc.

Where oh where are your consumers?

First Atlantic Commerce

Outsource the chargeback confusion

ChargebackAudit LLC
Chargeback Dispute Management System


If the shoe fits, bear it


Resource Guide


A Bigger Thing

The Green Sheet Online Edition

July 23, 2007  •  Issue 07:07:02

previous next

PCI standards weigh on ATMs

By Gary Wollenhaupt

The push for implementing new data security standards in the payments space is gaining momentum as the industry begins to fully understand the complexity of the task ahead.

The PCI Security Standards Council is an independent industry-standards body that provides management of the Payment Card Industry (PCI) Data Security Standard. PCI comprises a common set of industry tools and measurements designed to help ensure the safe handling of sensitive information.

The five largest payment-card brands – American Express Co., Discover Financial Services LLC, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa U.S.A. – formed the council in 2005. Fines and other punitive measures from card companies, as well as the danger of a security breach, provide incentives to bring an organization into compliance.

But industry observers caution that the council's 12 data-security requirements should be kept in perspective.

"PCI will affect the point-of-sale side and merchants far more than ATM or kiosk operators," said Lyle Elias, Founding Director of the ATM Industry Association and Chairman of ATMIA's Debit Council.

ATM and kiosk operators already complying with other security mandates, such as Triple DES and PIN-entry-device (PED) security standards, most likely won't be caught between conflicting requirements. Other relevant standards, such as those that govern PIN and PED, also are expected to be wholly adopted into PCI without major changes.

"There was already uniform agreement across the industry; it will be a matter of the PCI Standards Council adopting them," said Eduardo Perez, Vice President of Payment System Risk for Visa U.S.A. "Like any other standards that would be adopted, they would evolve, and participants would be involved in the evolution."

Ultimately, the basic goals of the various security standards boil down to the same idea.

"The intent is to ensure that the systems are not storing card data or sensitive information about account holders in a way that could be accessed by third parties without authorization," Elias said.


Elias said most new ATMs that meet PIN security standards – storing only the last four digits of an account number – also comply with PCI rules. But software used behind the scenes in some ISO-operated devices may still store more account data than the standards allow.

Beginning Jan. 1, 2008, all new ATMs must have a PCI-certified encrypting PIN pad. Any machine already installed with a valid Visa PED certification will not be affected.

However, new machines will have to meet additional requirements for PCI compliance, such as a tamper-responsive design for the pad, along with additional security features in the firmware.

"In the ATM business, most of the changes have already happened, although there are some legacy machines still out there," Elias said.


The kiosk community, however, faces more scrutiny and greater obstacles than ATMs, which have already undergone security upgrades through the adoption of earlier standards.

"Stand-alone kiosks are a focus, and we want to make sure that those who operate those kiosks use compliant applications and take appropriate measures to protect cardholder data that may be retained by those kiosks, and that includes everything from parking kiosks to airline kiosks to iPod machines," Perez said.

For kiosks, applications will have to be validated against payment-application best practices. For instance, some kiosk applications have been found to store trapped data, use default passwords and may have other vulnerabilities.

Older machines may store data and conduct batch transactions via dial-up, for example.

"We're reaching out to kiosk operators to make sure they're taking proper measures to protect that data," Perez said.

Like ATMs, payment-accepting kiosks have integrated PIN pads that meet PIN-security requirements, easing the burden of PCI compliance.

To shift responsibility for compliance, major retailers are looking for ways to have a financial institution directly provide the POS payment operations through ownership of the card swipe device. That would make PCI-compliance issues irrelevant to the retailer.

"I see a trend for merchants to outsource their POS systems; after all, it's not a profit center for them," Elias said.

Compliance versus security

With all the PCI hoopla, there's no guarantee that data will be totally secure, even if a company is deemed to be in compliance with the standards.

Shifting threats, hardware and software upgrades, and personnel turnover can dramatically alter a company's security status, even though the company may have recently passed an audit.

The company would technically be compliant, even though many aspects of its security structure have changed. For instance, it's been reported that TJX Companies Inc. was not in compliance at the time of its well-known security breach. But what does that really mean?

"It means a lot less than it sounds like," said Evan Schuman, Editor of, a retail technology blog.

"It's not clear in what way they were not compliant; and even if they were, all that means is on a particular day and time an audit was conducted and they were compliant. It doesn't mean they were compliant an hour later." Schuman said that like any audit, a PCI-compliance audit is merely a snapshot of a situation at a given time.

"Certification doesn't mean you'd be in compliance if you had another audit a day later," he said. "One issue is how long a compliance audit is good for."

At this point, however, the PCI system is the best option for bringing together best practices in the industry, observers say.

"I've stopped asking retailers if they're compliant, because if they're honest, they really don't know," Schuman said.However, the security track record for companies that have implemented the standards is good.

"So far we've not seen a PCI or PIN-security-compliant entity be the subject of a compromise," Perez said.

"We believe there are a number of compromise events that have been prevented because entities do comply with PCI DSS and PIN security standards, but the last compromise we prevented doesn't tend to make the media."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios