The Green Sheet Online Edition
April 11, 2016 • Issue 16:04:01
ATM industry's high-tech second act
Modern, updated ATMs are proving that even the most traditional, purpose-built appliances can have a second act. A September 2015 study by Statistic Brain Research Institute found 3 million active ATMs worldwide, with 425,000 in the United States. Applications and technologies designed to leverage their massive installed base have placed ATMs at the forefront of mobile and omnichannel commerce initiatives.
Following is a look at the industry's collective journey, from its origins and challenges to its greatest opportunities.
Approximately 46 percent of ATMs in the United States are operated by banks, according to a study by the ATM Industry Association. These financial institutions participate in an extended national network, using reciprocal agreements to enable their customers to withdraw cash from conveniently located ATMs.
"ATMs emerged in the 1960s and '70s, out of a brave new world where 'self-service' and 'automation' were big buzzwords that appealed to a wide swath of people," wrote Linda Rodriguez McRobbie in a January 2015 article for Smithsonian Magazine. "Automating the teller process seemed like a very good idea, one that would satisfy the customers and the banking unions, and even give banks themselves a measure of control."
More than half of the 425,000 ATMs in the United States are owned and operated by independent ATM deployers (IADs), according to the National ATM Council (NAC); 68 percent are "off-premise," "retail" ATMs located apart from banks or credit unions. Two out of three U.S. ATMs are situated in areas that banks do not serve, providing underbanked populations with access to financial services.
Retail ATMs were introduced in the mid-1990s, a period known to industry insiders as the Wild, Wild West. "Surcharges were high, compliance was nonexistent and there were scam artists all over the place," said Wes Dunn, Vice President of Sales at Genmega Inc. "A regulatory framework gradually evolved between 1994 and 2000 as the industry became more corporate."
James Phillips, Vice President, Sales & Marketing at Triton ATMs & ATMGurus, added, "I joined Triton in 1997, at the height of the ATM land grab, when retail ATMs were being sold at tradeshows. Back then, a handshake and voided check was all it took to get someone set up in the business."
The industry matures
The ATM industry reached an inflection point in 2000, when compliance standards, such as Year 2000 (Y2K) and Triple Data Encryption Standard (3DES), and a range of value-added solutions, including stamp dispensing, top-up cards and money transfers, were introduced.
ATM trade associations, conferences and working groups have also helped move the industry forward, providing a range of member services and public platform for ideas and best practices:
ATMIA will celebrate its 50th anniversary in 2017. The independent, nonprofit trade association has chapters in the United States, Canada, Europe, Latin America, Asia-Pacific, Asia, Africa, India and the Middle East. "We're a global organization with a diversified membership of large and small ATM deployers," said David Tente, ATMIA U.S. Executive Director. "Cash has been around for thousands of years and remains a favorite method of payment for 40 percent of consumers, according to a recent study. We see a bright future for our members and industry."
Bruce Renard, Executive Director of the NAC, said, "ATMs are more than cash dispensing machines." NAC is a Washington, D.C.-based, not-for-profit trade association that represents the business interests of independent ISOs and ATM deployers (IADs). "In addition to providing consumers with a range of value-added products and services, ATMs are an essential outlet for cash and government benefits for the most vulnerable citizens," Renard noted.
Tente and Renard both serve on the EMV Migration Forum's ATM Working Committee, formed in 2013 to help U.S. ATM owners and deployers achieve EMV (Europay, MasterCard and Visa) compliance and best practices, according to the committee's membership charter.
Security mandates have impacted both ATM deployers and payments industry stakeholders in recent years. "Updating legacy hardware and meeting liability shift deadlines driven by MasterCard and Visa have been challenging for ISOs and IADs," said Nancy Gail Daniels, Executive Vice President and Chief Operating Officer at Nautilus Hyosung, a global technology company and ATM manufacturer headquartered in Seoul, Korea. "Excessive hardware costs and industry consolidation have intensified competition and eroded margins."
Following are regulatory and security mandates necessitating separate or combined upgrades to ATM hardware, software or firmware:
- Y2K: In January 2000, ATMs built before 1985 were not able to process the new millennium's date ranges. Software upgrades began to appear in 1998, in preparation for the Y2K conversion, and cost approximately $500 to $1,000 per device. Machines built in 1998 or later did not require upgrades.
- 3DES: In April 2002, the 3DES encryption standard used by MasterCard Worldwide and Visa Inc. became required on all new ATMs. Thousands of legacy ATMs required software and keypads upgrades to be 3DES compliant. Upgrade costs at the time were as low as $1,000 and as high as $35,000 per device, according to a 2003 report by Co-op Network.
Security Standard (PCI DSS) required new ATMs to have PCI-certified encrypting PIN pads. Machines equipped with valid Visa PIN entry devices were considered compliant. New machines needed to meet additional PCI requirements, such as a tamper-responsive design for the pad and enhanced security features in the firmware.
- ADA: In Sept. 15, 2010, the Americans with Disabilities Act Standards for Accessible Design was published in the Federal Register. To comply with the standards, ATMs needed to be "readily accessible to and usable by" people with disabilities. Device upgrades, which included voice-audio, height, reach, input, keypad, function key, display screen and braille requirements, needed to be completed by March 15, 2012.
- EMV: Oct. 1, 2016 is the EMV liability shift deadline set by MasterCard for ATMs; the Visa liability shift becomes effective on Oct. 1, 2017. Implementing EMV at the ATM, a white paper published by the ATM Working Committee of the EMV Migration Forum states that the liability shifts are not mandates. "ATM providers and acquirers are not being forced to migrate to EMV," the authors wrote. "However, the liability shift provides a very strong practical incentive to do so."
- Microsoft Windows: 2020 is the year when Microsoft will end support for Windows 7. "A significant portion of ATMs don't run Windows 7, and Microsoft's plan is to have everything on Windows 10," said ATMIA's Tente. "With support ending for Windows CE in the near term and Windows 7 in 2020, ATM deployers may shift allegiance from Microsoft's product roadmap to Android and Linux systems."
Budget for compliance
Despite high costs and rapid succession of various compliance and security mandates, ATM advocates have praised the industry's resilience and remain optimistic about its future. They recommend several strategies to protect and maintain the critical ATM infrastructure. One such strategy is to budget for compliance.
"I've lived through 3DES and PCI and ADA; it's not a conspiracy," said Wayne Vandekraak, Director of Business Development at OptConnect, a communications service provider based in Kaysville, Utah. "The role of government is to provide security to consumers so we can do business in a fair and trustworthy environment."
Private businesses will always be subject to government mandates involving hardware, software or firmware or all of the above, Vanderkraak noted. ATM owners and deployers need to budget for these events, by setting aside about $16 per unit per month to ensure that their ATMs will remain compliant. "If you don't have an allowance of $500 per device in some kind of reserve, then you're going to have problems," he said.
The digital infrastructure of ATM networks enables criminals to remotely access and exploit internal systems. In a recent attack, cybercriminals stole $45 million from ATMs in 27 countries. The 10-hour operation involved 40,500 ATM withdrawals in two events staged Dec. 22, 2012, and Feb. 19-20, 2013. Eight New York hackers seized $2.4 million from 2,904 ATMs and were subsequently indicted by the Department of Justice of the Eastern District of New York.
In its ruling the New York DOJ wrote, "Unlimited Operations" are marked by three key characteristics: (1) the surgical precision of the hackers carrying out the cyber attack, (2) the global nature of the cybercrime organization, and (3) the speed and coordination with which the organization executes its operations on the ground."
The industry needs to address both remote and local security. ThetaRay, headquartered in Tel Aviv, Israel, and with offices in New York City, uses a math-based, multidomain ATM solution to assess network data. "Connected ATMs have more at stake than financial and card security," said ThetaRay CEO Mark Gazit. "Centralized computing enables criminals to send commands to hardware and remotely open cash drawers."
Gazit advised ATM deployers to leverage data from smartphones and quick response (QR) codes to detect anomalies. "If I'm standing in front of an ATM and using a code from my smartphone to withdraw cash, the app can and should report GPS coordinates and local temperature from the phone," he said. "I could be accessing a New York ATM in winter while my phone is reporting tropical conditions. ATM deployers need to look at all data all the time."
When it comes to local security, skimming devices surreptitiously installed on ATMs can record mag stripe data from debit and credit cards. Global ATM skimming totaled $2 billion in 2014, accounting for 33 percent of all fraud incidents, according to Suzanne Cluckey, Editor at Networld Media Group LLC's ATM Marketplace website.
"Unfortunately, the migration to smart chip-enabled, EMV compliant smart cards has offered little relief from skimming exploits at the ATM," Cluckey wrote. "[The] magnetic stripe data that remains on EMV bankcards is still highly valuable to crime gangs whose operations reach into non-EMV markets such as the United States."
The PCI Security Standards Council recommends installing anti-skimming devices that meet at least one of the criteria specified in the council's ATM Security Guidelines. Criteria include the ability to prevent skimming devices from being installed, shutting down when such devices are detected, and interfering with magnetic card stripe reading by attached devices.
Consider a trade-in or subscription service
The popularity of cloud computing and managed services in general has made the concept of hardware as a service (HaaS) attractive to the payments and ATM industries, where innovative technologies and changing security requirements have shortened product lifecycles.
"ATMGurus.com services all ATMs, and as part of that service, we offer trade-in programs to our customers," Phillips said. "We give them trade-in value they can use for a new machine, and we sell good-as-new refurbished models, as well." These programs can help offset the costs of upgrading EMV readers and ADA keypads, he added.
Biff Matthews is CEO of Thirteen Inc., parent company of CardWare International Inc. and Infinity, a HaaS platform designed to make hardware and software future-proof. "We've watched not fully compliant products rushed to market and pushed on unwary merchants," he said. He also noted that Infinity resellers can set their own prices and bill customers directly or through Infinity; ancillary services such as signature capture, PIN debit and mobile devices can be added to existing contracts, and monthly subscription pricing will be adjusted accordingly.
"Failure to modernize electronic processing causes merchants to constantly waste money chasing technology plus exposing them to non-compliance fees and transaction fraud," Matthews added. "Registered end users receive new hardware along with updated software at no added expense."
For the past decade, a steady stream of value-added applications, such as top-up cards, bill payment services, and even gaming, have been tested on ATMs. Some efforts have been more successful than others. "It was difficult to get some value-added apps to stick, because they lacked the ubiquity of cash," Phillips stated. "We've all struggled with how to leverage this massive installed base of ATMs."
Genmega's Dunn urged caution when adding functionality to ATMs. "People won't wait behind anyone who is doing a complicated transaction," he said. "Some merchants have placed kiosks next to ATMs to create a financial service center."
Dunn recalled a high-risk car dealership where customers could purchase title insurance at a kiosk and come back and make payments every month. "It was a perfect mindset to have an auto insurance kiosk that, oh by the way, also dispenses cash," he said. "The key is having a clear purpose for the machine."
Next-gen technology road map
In his 2015 address to NAC members, Renard called for standard industry protocols to enable ATMs to support mobile applications and have a place in the digital payments ecosystem. Renard called near field communication (NFC), QR codes and smartphone applications the top three emerging technologies, with smartphones holding the most promise for near-term implementation.
"The phone application requires no hardware and works across an entire installed base," he said. "Sending a code to a phone that can be entered in an ATM is a good starting point; over time people will migrate to NFC. The smartphone adds another layer of security with its secure, encrypted communication."
ATM industry analysts agree that convenience and reliability are essential components of the global ATM network. In a presentation at the 2016 ATMIA conference, Daniels called easy access a common want across all consumer demographics. These include digital natives who are comfortable with technology, traditionalists who prefer people over technology and underbanked consumers who need access to services. They are all choosing ATM locations based less on bank relationships and more on convenience, she said.
"The ATM network is basically a utility; consumers rely on 100 percent availability," she added. "If an ATM is not working, they will simply go to another location."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.