alk with experts in the ATM world about security, and they'll quickly fire back an answer - one that includes a list of security measures every ATM deployer should take. Rob Evans, Director of Industry Marketing for Dayton, Ohio-based NCR Corp., touts a holistic approach - one that addresses everything from card skimming and trapping to remote monitoring and database security. At the forefront, Evans said, is card-skimming prevention. Card skimming remains the world's No. 1 ATM crime.To counter skimming, manufacturers like NCR, North Canton, Ohio-based Diebold Inc. and Germany's Wincor Nixdorf International are deploying ATMs that include features such as jitter.

Jitter varies the direction and speed at which cards are read. Other features NCR, Diebold and Wincor are selling include detection solutions that sense when changes are made to an ATM's fascia and notification software that alerts financial institutions (FIs) when anything has been placed on an ATM.

Some solutions detect changes using static-sensors. Others detect changes by sensing when a foreign metal or material (usually plastic or wood) has been attached to the ATM.

"We think you need to have all three (jitter, detection solutions and a notification feature)," Evans said. "We think that the best thing to do is make the ATM the least attractive target. And to that end, we think these three things working in concert make the most difference." But most FI deployers employ only one or two of those features. Regardless of the manufacturer, all of those preventative components or enhancements are relatively sophisticated, and expensive. And as deployers weigh out their security needs, some of those features just fall by the wayside.

In the November/December 2006 issue of Banking Strategies, published by Chicago-based Bank Administration Institute, freelancer Lauri Giesen reports that most FIs aren't as concerned about ATM-related fraud as they are about other types of fraud like identity theft and credit-card fraud. That's because, in the United States, ATM/debit card skimming remains low when compared to the rest of the world. In the United Kingdom, for instance, card skimming remains a big problem, despite the switch to chip and PIN. The deadline for EMV (Europay, MasterCard, Visa) compliance in the U.K. was January 2005. But because the cards continue to also use a magnetic stripe, they're susceptible to skimming. Last month, one English bank announced plans to invest nearly U.S. $7 million to fight ATM-skimming attacks. In the United States, losses from identity theft and credit-card fraud outweigh losses associated with ATM fraud, Giesen wrote. According to Boston-based Celent LLC, losses that can be directly linked to ATM fraud total between $55 million and $60 million annually. Comparatively, losses associated with identity theft total $624 million, and losses from credit-card fraud total $966 million. Most deployers are focusing on fundamental precautions, like ensuring ATMs are placed in safe, well-lit locations.In the FI space, some are investing more in ATM security than others.

Shelling out the bucks

At Charleston-based South Carolina Federal Credit Union, a 23-branch FI with a network of 60-plus ATMs and $1.3 billion in assets, ATM upgrades and big investments in security are slated for 2007 and 2008. Joe Grech, SCFCU's Chief Financial Officer, said the credit union plans to replace its 55 depository ATMs with Diebold's Windows-based Opteva line. The new line includes deposit-imaging technology. The credit union's estimated investment in hardware and software for the next two years is $1.5 million. "Some machines are 10 years old, some are five years old. So we run the gamut of Windows and OS/2," Grech said. "We just bought our first deposit-automation ATM, and we're scheduled to get two more before the end of the year. It decreases the time somebody is in front of that ATM, and we think that's a security precaution. It gets them in and out a little bit quicker." SCFCU's new Opteva line also includes mirrors, which allow ATM users to see what's going on behind them; sensors that detect when something has been attached; and privacy screens. But SCFCU is taking some basic approaches, too.

"We don't worry about security so much at some of our walk-up locations, which are located in places like hospitals," Grech said. "We take different precautions at our drive-up ATMs at the branch and at our remote ATMs, which are in supermarket parking lots and places like that."

Gainesville, Fla.-based Campus USA Credit Union isn't making any big investments in new ATM technology. Just coming down from the buzz of the bucks it shelled out for Triple DES (data encryption standard) compliance, Campus USA's Jerry Benton said widespread upgrades aren't a priority at the moment.

Campus USA, with $800 million in assets, has a network of 18 legacy Diebold terminals. Only five of those are off-premises ATMs. "Security is an ongoing concern," Benton said. "I think you're always going to be enhancing what you already have. I don't think a year goes by that we're not doing a little bit of something. But we've kept it pretty simple. We keep most of our ATM deployments at our center location.

"Our biggest concern is the security of the people using the ATM, so we focus on high traffic and basic lighting. And we only have those machines in university or hospital environments, where it's secure."

At the moment, the rising incidence of ram raids or blunt-force ATM attacks has garnered more attention from deployers, said John Clatworthy, Vice President of Sales and Marketing for Cash Connect, the ATM division of Delaware-based Wilmington Savings Fund Society Bank.

WSFS Bank has a network of approximately 310 ATMs and $3 billion in assets. About 280 of its machines are off-premises. "What we're seeing is a marke[d] increase in ATM theft at the off-premise ATM locations," Clatworthy said. "Over the course of the last five years, the number of thefts has grown substantially. It's nationwide, but you see it concentrated in certain areas." Beyond its own ATM network, Cash Connect provides vault-cash services to approximately 7,000 ATMs throughout the United States and Puerto Rico. Most are off-premises machines in retail locations.

Unless an FI has an ATM in a retail location, its network is immune to raid attacks. But, from a sponsorship and cash perspective, depending on whose cash fills the machine, ram raids could have a devastating effect on the FI, as well as the ISO and retailer. So ram raids have overshadowed card skimming in the minds of deployers, Clatworthy said.

"Insurance rates are starting to rise substantially - the deductibles are going up," he said. "The underwriters are realizing that there are more risks out there than before. But insurance is just one variable. When you look at that and then the cost-of-gas increases, the interest-rate environment, it all totals up to impacting the deployer's bottom-line profitability."

Hit where it counts

Mark Coons, President and Chief Executive of Charlotte, N.C.-based American Special Risk, an insurance company that administers a special ATM-insurance program through the ATM Industry Association, said American Special Risk insures about 70% of the country's off-premises machines - accounting for nearly $1.5 billion in vault cash per month. Coons said the threat of rising rates is forcing deployers to make changes, such as replacing their business-hour safes with Level 1 safes. (Level 1 safes are made with thicker, stronger metal than business-hour safes and are available for use at any time of the day.)

"We spend a tremendous amount of time on the risk-management side," he said. "To help our clients drive those costs down, we have to help them understand what their risks are. How do we control their exposures to ultimately cut their costs? Anyone can buy an insurance policy. But without the guidance, it's hard for them to know how to cut or reduce the threat."

Link to original article: www.atmmarketplace.com/article.php?id=8163