The Green Sheet, Inc

The Green Sheet Online Edition

October 08, 2012  •  Issue 12:10:01

PCI SSC turns attention to ATM security

The governing body of the Payment Card Industry (PCI) Data Security Standard and related application and device security standards for global electronic payments is reaching out to the ATM industry for feedback on an ATM security guidelines supplement to be published by the end of 2012. As ATM fraud accelerates with increasingly sophisticated PIN-stealing schemes, industrywide ATM security best practices are needed, according to the PCI Security Standards Council (PCI SSC).

"There are a number of standards from a variety of industries, including IT, security, payment card and ATM that address various components of ATM security," said Bob Russo, General Manager of the PCI SSC. "The industry, and what we're seeing in terms of fraud, is now driving the need for a global standard in this area. These guidelines build upon these other standards to provide targeted information for preventing the compromise of cardholder account and PIN data at ATMs."

The council produced a draft document entitled ATM Security Guidelines Information Supplement designed to be an introduction to ATM security and an outline for best practices concerning ATM software, hardware and device components.

The draft is available to PCI SSC member organizations on the council's website. Businesses have until Nov. 13, 2012, to review and comment on the draft document. Subsequently, the council will produce a final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs on how to securely develop, deploy and maintain ATMs.

The 'pre-play' attack

Rick Heroux, President of security consultancy CSR, attended the PCI SSC North American Community Meeting held Sept. 12 to 14, 2012, in Orlando, Fla. He said attendees learned of a sophisticated ATM fraud scheme in the U.K. called a "pre-play" attack.

Fraudsters exploited an apparent flaw in how Europay/MasterCard/Visa (EMV) security algorithms are generated for chip and PIN transactions. A random algorithm is supposed to be generated for each transaction. But in some cases, future algorithmic number sequences generated by ATMs can be predicted because a majority of the number sequence is repeated.
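A defender's check for the weakness described above, added here as an example (not code from the article, the PCI SSC or the Cambridge researchers): given the 4-byte per-transaction numbers logged from a terminal, it reports which bits never change and whether consecutive values follow a counter. The sample values, thresholds and function name are constructed for illustration.

```python
import secrets
from collections import Counter

WIDTH = 32       # EMV terminals send a 4-byte Unpredictable Number per transaction
MIN_SAMPLE = 16  # assumed floor: below this, bits repeat by chance too often to judge


def assess_nonces(values, width=WIDTH):
    """Report how much of each logged per-transaction number never changes."""
    if len(values) < MIN_SAMPLE:
        raise ValueError(f"need at least {MIN_SAMPLE} values, got {len(values)}")
    full = (1 << width) - 1
    always_one = always_zero = full
    for v in values:
        always_one &= v            # bits set in every value
        always_zero &= ~v & full   # bits clear in every value
    fixed_mask = always_one | always_zero
    fixed_bits = bin(fixed_mask).count("1")
    # A counter shows up as one dominant difference between consecutive values.
    steps = Counter((b - a) & full for a, b in zip(values, values[1:]))
    step_share = steps.most_common(1)[0][1] / (len(values) - 1)
    duplicates = len(values) - len(set(values))
    return {
        "fixed_mask": f"{fixed_mask:0{width // 4}X}",
        "fixed_bits": fixed_bits,
        "variable_bits": width - fixed_bits,
        "dominant_step_share": round(step_share, 2),
        "duplicates": duplicates,
        # Assumed policy: any fixed bit, counter pattern or repeat is a finding.
        "predictable": fixed_bits > 0 or step_share > 0.5 or duplicates > 0,
    }


# Constructed sample: upper 17 bits constant, low 15 bits a wrapping counter.
PREFIX = 0x5A3C8000
WEAK_SAMPLE = [PREFIX | ((0x7FF8 + i) & 0x7FFF) for i in range(16)]
# Reference sample drawn from the operating system's CSPRNG.
STRONG_SAMPLE = [secrets.randbits(WIDTH) for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("csprng", STRONG_SAMPLE)):
        print(name, assess_nonces(sample))
```

In the constructed weak sample, 17 of the 32 bits never change, so only the 15 counter bits remain to be guessed.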

In two-pronged attacks, ATMs in the U.K. were hacked and software was embedded in them that steals chip and PIN information, Heroux said. Fraudsters then computed future authorization codes based on that information and drained accounts, he added. Researchers at Cambridge University uncovered the pre-play scheme and published their findings in Chip and Skim: cloning EMV cards with the pre-play attack, available at

Heroux believes this recently uncovered fraud scheme gave impetus to the PCI SSC to develop the ATM security supplement. "And what their concern is that the PA DSS [Payment Application Data Security Standard] and the [PIN Transaction Security DSS] are aimed more at the PIN pad and computer software - internal software - than they are at this highly specialized ATM software," Heroux said. "What I believe the PCI SSC is doing is trying to get ahead of the curve. They're getting proactive."


MasterCard Worldwide reported Sept. 10, 2012, that it will require ATMs in the United States to be EMV-compliant by October 2016. ATM providers that do not make the deadline face a liability shift that could render them liable for fraud losses, MasterCard said.

"As other markets have migrated to EMV, we have seen fraud shift to the least secure channel," said Mike Weitzman, Group Executive, U.S. Markets, MasterCard. "By establishing this liability shift, we're advancing efforts to prevent and reduce fraud."

But, as evidenced by the pre-play scheme, EMV is not a silver bullet. "EMV is a great tool for face-to-face transactions, but just one piece of protecting data," Russo said. "Remember, security is about people, process and technology. To protect cardholder data across all channels, including card-not-present, and throughout the transaction, EMV should be used in conjunction with the PCI standards."

To learn about how the PCI DSS and EMV work together, access PCI DSS Applicability in an EMV Environment - A Guidance Document, which is available at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
