PCI compliance & certification for Automated Teller Machines (ATMs) is an important element of today’s growing Payment Card Industry Data Security Standards (PCI DSS) mandates as these card acceptance devices are found literally everywhere today. Though they offer unprecedented levels of convenience for performing a wide variety of financial transactions, they also attract criminals, thieves, and other malicious individuals looking to circumvent security flaws found within them. While becoming PCI DSS compliant is a mandate for ATM’s – it’s also a best practice that every financial institution with such devices should be implementing, regardless of compliance – it’s therefore critically important to fully understand the initiatives needed for becoming PCI compliant for ATM’s, which consist of the following measures, courtesy of pcipolicyportal.com, the world’s leading provider of PCI policies and procedures and PCI policy templates & toolkits:
1. Understand Scope: Who owns the ATM? What banking & financial services does it interact with? What managed services providers are involved in configuring and updating the ATM software, such as the applications, and the underlying operating systems? These are just a few of the many questions that need to be answered prior to beginning any type of official assessment on such an environment. It’s therefore important to conduct a PCI DSS readiness assessment for any type of ATM environment. Some Qualified Security Assessors (QSA) – individuals responsible for certifying merchants and service providers with PCI DSS compliance – are also looking at ATM’s as merely an extension of services of an entity’s broader PCI DSS platform, thus including it in such an assessment instead of carving it out as a separate environment. There are circumstances where this is generally allowable, and then there are times when this is probably not the best avenue for compliance.
2. Defining “Maintenance” Services: While banks and other financial institutions have long outsourced many of the core maintenance services for ATM’s – most of them operational maintenance – who’s doing the necessary security upgrades and patch management functions for the underlying systems in scope? Sure, the likes of Diebold and other similar companies are often responsible for managing the surveillance equipment, while also performing necessary parts and labor functions, but you’ll need to clearly assess the I.T. aspect of PCI DSS compliance. Specifically, operating systems need to be updated, along with the underlying applications residing on the server, thus the importance of a well-thought out security and patch management program – one complete with established policies and procedures – is absolutely vital to the success of a PCI DSS assessment, but it’s also a best practice that should be performed.
3. The Value of an ATM PCI DSS Readiness Assessment: The complexities involved in PCI DSS compliance for ATMs is much higher than many traditional environments seen by PCI-QSA’s, therefore, understanding important scope considerations is absolutely vital, along with identifying critical gaps and weaknesses that exist within the entire ATM platform. There are many technical measures to assess for ATM PCI compliance, but don’t forget about evaluating the documentation aspects of PCI compliance – specifically – policies and procedures. These initiatives, and much more, are covered with NDB’s comprehensive readiness assessment.
4. The need for Critical Policy Documentation: One of the initiatives often overlooked by ATM providers – in truth, almost any company undertaking PCI DSS compliance – is the need for documentation. Specifically, a large amount of information security and operational policies and procedures are mandated throughout the 12 PCI Requirements, but developing them can be incredibly time-consuming and costly. The solution is downloading a set of customized PCI Policy Templates for the ATM industry, and pcipolicyportal.com has then available for instant download today. Additionally, you’ll also need to perform an annual risk assessment along with undertaking security awareness training for all in-scope employees; two critical initiatives that require a healthy dose of high-quality documentation for helping you be successful. Once again, pcipolicyportal.com provides both risk assessment materials and security awareness documents, available for instant download at pcipolicyportal.com.
5. Who’s in scope: One of the most demanding aspects of PCI DSS compliance is tracking all relevant third-party service providers that are technically in-scope for an organization’s annual PCI certification requirements. For ATM’s, often the financial institution is the entity undergoing compliance, but many other providers are also in play, such as the organization offering physical and software maintenance, the building provider for where the actual ATM resides, and more. You’ll want to avoid the much dreaded “scope creep” at all times, so proper planning at the beginning is absolutely vital for getting it right the first time. Proper planning essentially means developing all necessary policies and procedures for PCI DSS compliance, so talk to the experts at Materdei Consulting, LLC, and visit pcipolicyportal.com today.
PCI Compliance & Certification for ATMs | Overview and Best Practices
Contact PCI-QSA Charles Denyer at cdenyer@ndbcpa.com or call him at 214-298-8532 to discuss your PCI DSS needs. With years of experience and expertise in regulatory compliance – particularly within the financial services sector – Charles will help guide your organization through the entire PCI DSS process from beginning to end. From essential PCI DSS policies to readiness assessment initiatives – whatever your PCI DSS compliance needs – we’re ready and willing to help you today, so contact us now and let’s get started. And if you need PCI policies and procedures authored for your organization, we’re willing to assist, offering fixed-fee pricing on all of our services.
