ATM & Self-Service Terminal Security Strategies - Compliance
Written by Douglas Russell, DFR Risk Management (http://www.dfrRiskManagement.com)
Thursday, 14 January 2010 00:00
PCI DSS (Payment Card Industry Data Security Standard) provides a clear and well-documented set of requirements with the primary objective of the protection of card data being processed and stored. Physical security requirements focused on the resistance to attacks against the safe or ATM security enclosure are well-covered by standards such as UL291 (Underwriters Laboratories) or the various CEN (European Committee for Standardization) standards.
For purchasers and deployers of equipment, certificated proof that the product being procured meets, at a minimum, an internationally recognized level of security helps provide confidence in their investment. Specifying compliance with a minimum-standards requirement during the selection process for new equipment is a primary filter for what will and what will not be considered suitable to carry their brand name. Compliance with a particular standard is also often used as a deciding factor when considering the insurance costs for an asset.
Many standards are created and debated by a large group of experts, each of whom is a stakeholder whose own organization or discipline will be impacted in some way by the final details that are specified in the published standard. While this structure helps make sure that the broadest consideration is given to often conflicting needs, it does often create a time-lag between the desire to specify protection against a certain threat and final acceptance and publication of the standard.
The reality of criminality is that new attack techniques are constantly being invented and rapidly deployed to exploit weaknesses in the security of products and systems.
As this article was originally written, and subsequently updated, there is a wide array of physical and system attacks ongoing against ATMs, proving that the criminal fraternity pays little notice to the label attached to the machine confirming it meets the latest security standard. The same can be said for the much-publicised card data compromise attacks against major card processors, and the exploitation of data and personal information obtained from second-hand and decommissioned ATMs.
Does this mean that the industry is expending money, time and resources to create, design to, test against, purchase and certify compliance for no return?
What must not be overlooked is the number of criminal attacks that have failed, perhaps even at the concept stage, for the simple reason that the potential target was seen to be protected to the extent that the expected return was outweighed by the risk to the potential perpetrators.
There is, and always will be, an absolute need to have internationally approved minimum-security requirements in the shape of measurable and certifiable standards.
However, to increase confidence in the security of your assets, whether you are the supplier or the deployer, assessing current and emerging threats in the real world, in real time, must be a prioritised and ongoing process.
The above article is provided by DFR Risk Management, who provide consultancy services advising ATM and self-service terminal deployers and manufacturers, as well as law enforcement agencies, on how to manage ATM and self-service terminal fraud and security threats.
Cash Trapping / Transaction Reversal Fraud
Cash trapping remained the most popular type of ATM fraud in Europe during April. While consumers can be warned to be vigilant, if the trap is fitted inside the dispenser rather than on the external...
Card Trapping / Card Swapping / Leaving Transaction Live
Card trapping frequently accompanied by the use of cameras to record PIN entry was widely detected in April. Garda (police) in Ireland...
ATM Skimming / Skimming / EFTPOS Compromise
Police in the Philippines arrested a group of Malaysian nationals and recovered ATM skimming equipment. ATM skimming in the US continued at a significant level in April. In addition to making cash withdrawals, the purchase of prepaid ...
Ram Raid Attacks / Theft of ATM / Smash-and-Grab / Theft from ATM
A suspect in the US managed to dislodge an ATM but failed to lift it into his vehicle. In another US incident, a suspect removed an ATM with a skid loader but was easily apprehended following a 10 mph police pursuit. Police in Indonesia arrested four suspects and shot...
The above digest is provided by DFR Risk Management, who provide consultancy services advising ATM and self-service terminal deployers and manufacturers, as well as law-enforcement agencies, on how to manage ATM and self-service terminal fraud and security threats.