Vendors Worry It May Be Tough to Comply With PED Proposal

By Ann All. This story was originally published on Nov. 15, 2004; reprinted with permission. © 2004 NetWorld Alliance LLC. All rights reserved.

With the aim of improving transaction security, Visa and MasterCard have proposed changes to their PED (PIN entry device) testing requirements that they say will remove a fraud threat made possible by the way displays are controlled on ATMs.

"We want to ensure that the customer is never prompted to enter his PIN when the device is not in secure mode," said Brian Buckley, Senior Vice President of Visa's International Risk group.

Visa wants to move ATM vendors from a so-called "C" security classification to a "B" classification for their machines, Buckley said. The primary difference between the two classifications is a requirement for an ATM's EPP (encrypting PIN pad) to possess the ability to control screens that prompt consumers to enter PINs or other information. A new "B" requirement will likely become part of an aligned set of PED testing standards that Visa is currently developing with MasterCard, Buckley said. The companies hope to introduce the aligned standards in 2005 and begin requiring "B" classifications for ATMs in early 2006.

Vendors will have at least six months of lead time to comply with the "B" requirement after it is introduced, he added.

'Fundamental Change'

Some ATM vendors worry that it may be difficult, if not impossible, to comply with the proposed new requirements in the near future.

"What they are talking about is going to require a fundamental change in the way that traditional ATMs work," said Bill Jackson, Triton's Chief Technology Officer. "If moving from DES to Triple DES was a Level 1 in terms of difficulty, I'd put this at about a Level 10."

Bill Poletti, a Senior Technical Consultant for MasterCard, said during a late September presentation at ATMIA West that the proposed new requirement would not be as complex as the switch to Triple DES because it would not directly involve the host or intermediate switches.

Paul Watson, a Systems Manager at the Nebraska-based Networks EFT network, said that a classification change will create problems in a traditional "states and screens" ATM environment, where hosts control transaction screens.

With 3DESPlus, the only ATM-related product thus far to have received a "B" rather than a "C" certification from a Visa-approved testing facility, a service technician must visit a machine to manually run through all of the screens to verify whether ATM screens correspond to downloads from the host, Watson said.

Watson said the technician must enter information for each screen that lets the 3DESPlus' EPP know whether information must be encrypted or can travel to the host in the clear. If the EPP detects any change made by the host and not authorized by a technician, even something as innocuous as a different surcharge amount or a new language option, the EPP stops functioning.
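The screen-table mechanism Watson describes, as an added illustration (constructed here; it is not 3DESPlus's, ATM Exchange's or any other vendor's code): a technician records a fingerprint of each screen and whether that screen takes a PIN; when the host later pushes a screen, the EPP only enters encrypting mode for a recorded PIN screen, and any screen it does not recognize, including a relabelled screen or a changed surcharge, takes it out of service. The SHA-256 screen digest, the HMAC used as a stand-in for PIN-block encryption and the demo key are all assumptions of the example, not the product's design.

```python
"""Simulated 'B'-class EPP: the PIN pad, not the host, decides when PIN
entry is allowed, based on a technician-authorized screen table.
Constructed example; not 3DESPlus or any vendor's implementation."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a technician-injected key; not a real key.
_DEMO_PIN_KEY = b"constructed-demo-key-not-real"


def screen_digest(text: str) -> str:
    """Fingerprint of a screen as the host would download it (assumption: SHA-256)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class EPPHalted(Exception):
    """Raised once the EPP has stopped functioning after an unauthorized change."""


@dataclass
class ScreenEntry:
    digest: str
    pin_entry: bool  # True: keystrokes on this screen must leave the EPP encrypted


@dataclass
class SimulatedEPP:
    authorized: dict = field(default_factory=dict)  # screen id -> ScreenEntry
    secure_mode: bool = False
    halted: bool = False

    def technician_authorize(self, screen_id: str, text: str, pin_entry: bool) -> None:
        """Technician walks each screen on site and records whether it takes a PIN."""
        self.authorized[screen_id] = ScreenEntry(screen_digest(text), pin_entry)

    def host_display(self, screen_id: str, text: str) -> str:
        """Host pushes a screen; the EPP compares it with the authorized table."""
        if self.halted:
            raise EPPHalted("EPP is out of service")
        entry = self.authorized.get(screen_id)
        if entry is None or entry.digest != screen_digest(text):
            # Any difference the technician did not authorize (new surcharge text,
            # new language option, a clear-text screen relabelled as a PIN prompt)
            self.halted = True
            self.secure_mode = False
            return "halted"
        self.secure_mode = entry.pin_entry
        return "secure" if self.secure_mode else "clear"

    def keypad_input(self, digits: str) -> tuple:
        """Keystrokes leave the EPP encrypted only while it is in secure mode."""
        if self.halted:
            raise EPPHalted("EPP is out of service")
        if self.secure_mode:
            # Stand-in for PIN-block encryption under the injected key (assumption).
            return ("encrypted", hmac.new(_DEMO_PIN_KEY, digits.encode(), "sha256").hexdigest())
        return ("clear", digits)


def _loaded_epp() -> SimulatedEPP:
    """Constructed screen load as a technician would record it on site."""
    epp = SimulatedEPP()
    epp.technician_authorize("welcome", "Insert your card", pin_entry=False)
    epp.technician_authorize("pin", "Please enter your PIN", pin_entry=True)
    epp.technician_authorize("amount", "Enter amount. Surcharge $1.50", pin_entry=False)
    return epp


def run_scenario() -> dict:
    """Authorized PIN prompt, a clear-text screen, then an unauthorized host
    change (a new surcharge) that takes the EPP out of service."""
    epp = _loaded_epp()
    results = {}
    epp.host_display("pin", "Please enter your PIN")
    results["pin_on_pin_screen"] = epp.keypad_input("1234")[0]      # "encrypted"
    epp.host_display("amount", "Enter amount. Surcharge $1.50")
    results["amount_on_amount_screen"] = epp.keypad_input("40")[0]  # "clear"
    results["changed_load"] = epp.host_display("amount", "Enter amount. Surcharge $2.00")
    try:
        epp.keypad_input("40")
    except EPPHalted:
        results["input_after_halt"] = "refused"
    return results


def spoofed_prompt_outcome() -> str:
    """Host shows PIN-prompt text on a screen the technician recorded as clear:
    the digest no longer matches, so the EPP halts instead of taking a PIN in clear."""
    epp = _loaded_epp()
    return epp.host_display("amount", "Please enter your PIN")


if __name__ == "__main__":
    print(run_scenario())
    print("spoofed prompt:", spoofed_prompt_outcome())
```

The same table is what makes the availability complaint concrete: because the check is a byte-exact digest of each screen, a surcharge or language change that is harmless to cardholders still fails the comparison and stops the device until a technician re-records the load.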

"Any time we change a load, the bank is going to have to send a technician out there," he said. "That's going to affect ATM availability."

ATM Exchange, the Cincinnati-based company that manufactures the 3DESPlus and touts its "B" security rating in press releases and other promotional materials, declined to comment on the issue.

"The bankers only have Visa's word to go on," Watson said. "Visa is telling them this will make their ATMs more secure, but is not telling them what the ramifications and cost will be."

Moving Target

Sabrina Turner, Vice President of Pi Systems, manufacturer of the 3DES Fix ATM upgrade device, said Visa's proposed changes would effectively move fraud prevention from the transaction processor level to the service technician level, a seemingly counterintuitive move.

"They're trying to close one door on fraud, but they're going to open an even bigger door," she said.

Rob Evans, Director of Industry Marketing for NCR's Financial Services division, said the proposed requirements also would likely make it more difficult to remotely load encryption keys into EPPs, an ability that enables deployers to cost-effectively comply with Visa's unique-key-per-ATM requirement.

"What they are talking about doing would take users from the ability to load keys to the need to inject keys," Evans said, entailing visits to machines by service technicians. Key management, he predicted, will be "the next trail of tears" for deployers.

ATMs were historically exempt from PIN security standards, Visa's Buckley said, because of "the perception that they were environmentally controlled." As more ATMs were deployed outside of bank branches, however, PIN security concerns grew.

Visa has already implemented a number of measures designed to address security concerns, including the introduction of a set of procedural policies called enhanced ISO risk standards in 2001. The standards require financial institutions sponsoring independent ATM deployers into Visa's Plus network to step up their due diligence of the ISOs.

Bringing Vendors on Board

Buckley said Visa is aware that the "application downloading and computer-driven nature of ATMs" may complicate the move to a "B" classification. Because of that, he said, "it is imperative that vendors be on board and engaged" in helping create a workable schedule for doing so.

"I don't think there has been a well-developed enough conversation about the trade-off between cost and potential benefits of what they are proposing," agreed NCR's Evans, who also opined that Visa's proposed timeframe for introducing such a requirement "doesn't seem realistic."

While it would be possible for vendors to come up with a cost-effective solution that, for instance, would instruct ATM users to enter their PINs only when they see a green light on a PIN pad, said Triton's Jackson, that would require a consumer education campaign.

Despite the challenges, Visa intends to move forward with the "B" classification, Buckley said. Because of the potential of "tricking" machines into prompting consumers to enter PINs when an ATM's EPP is not in encrypting mode, the current "C"-rated devices are little better than "a brilliant, brilliant lock on an open door," he said.

© 2004, The Green Sheet, Inc.