One of the biggest global problems and security breaches connected with the ATM is skimming. The ATM Industry Association (ATMIA) has published best practices for preventing skimming at ATMs, just one part of a comprehensive library of security best practices for the association’s members.
Do you have the following best practices in place in your organization?
1. Supporting Chip and PIN technology as a global solution to skimming
2. Linking up to international industry initiatives combating skimming
3. Conducting a sensitively worded customer education campaign on skimming, including the absolute requirement for customers to shield their PIN entry on the ATM keypad with their spare hand during ATM transactions. Also include information about the ATM interface and any technologies they need to be aware of. In addition, cover existing best practices and reaffirm that customer and card data protection is paramount.
4. Incorporating additional security solutions to protect the card data and PINs.
5. Protecting the magstripe, where possible, with a second layer of authentication, such as cell phone message confirmations of transactions.
6. Studying the adversary’s methods, devices and support technologies.
7. Using the international classification system in this manual.
8. Securing the path from the card reader to the security processor within the device, including the path from the Integrated Circuit Card reader (ICCR), as well as the magnetic stripe card reader (MSR), in accordance with relevant PCI requirements.
9. Encouraging regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments.
10. Using intelligent fraud-detection systems to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.
11. Supporting continued R&D in the areas of improved technologies for preventing skimming, including investigating enhanced EPPs and biometric replacements for PINs.
12. Adopting a multi-layered security approach to prevent skimming using all of the above.
Checklist of Recommendations
You may tick off the checklist items, one by one, to ensure you are implementing these anti-skimming best practices.
□ Link up to anti-skimming industry initiatives globally, as this is a global problem with clearly identifiable international fraud migration patterns.
□ Support chip and PIN as a global technology, but when the magstripe is in use, out-of-band authentication, using a cell phone or a biometric reader, can provide a second form of authentication that can be used to secure transactions at the ATM.
□ Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices and to offer greater PIN protection, such as PIN shields.
□ Conduct customer education campaigns on skimming and PIN protection.
□ Know your adversary and his weapons – study and apply the skimming classification system in this manual to create an international common language for skimming prevention AND study all the different types of skimming devices, both internal and external, remote and near, as well as all their supporting technologies.
□ Study PCI security standards, namely PCI PTS, PCI PA-DSS and PCI DSS, especially where relevant to prevention of skimming. In particular, secure the path from the card reader to the security processor within the device, including the path from the Integrated Circuit Card reader (ICCR), as well as the magnetic stripe card reader (MSR).
□ Conduct regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments.
□ Use intelligent fraud-detection systems to monitor unusual spending patterns and identify fraud before it is discovered by the cardholder.
□ Support continued R&D in the areas of improved technologies for preventing skimming, including investigating enhanced EPPs, biometric replacements for PINs, etc.
□ Adopt a multi-layered security approach to prevent skimming using all of the above.
What is ATMIA and what does it do for its members?
Our mission is to promote ATM convenience, growth and usage worldwide; to protect the ATM industry's assets, interests, good name and public trust; and to provide education, best practices, political voice and networking opportunities for member organisations. ATMIA is also proud to say that National Payments Corporation of India (NPCI) is a Regional Sponsor of ATMIA.
GRCs in each chapter monitor regulatory developments and liaise with governing bodies to represent the voice of the ATM. Our Global GRC compares international trends in regulation and governance. ATMIA teams up with multiple effective regulatory monitoring and government liaison agencies including EFTA, Good Relations and Stateside Associates. Industry committees include representation for sponsoring financial institutions, independent ATM deployers, vendors and on ATM security-related issues.
Future of Cash and Cash Council
• Videos on positive global role of cash posted on YouTube and social media
• Pro-cash presentations at industry events
• Cash Best Practices
ATMIA’s online training program for ATM operators will be available from early 2014 and will provide members with state-of-the-art training programmes. ATMIA also offers global conferences, position papers, training modules, webinars, white papers, and business best practices.
ATM business best practices.
The association is proactive about educating members on current challenges and opportunities, from the migration to a new Windows 7 & 8 operating system to trends towards standardization for greater security.
-Patrick Cunningham, Executive Director, ATMIA Africa, India and the Middle East
+27 (0)825668999.