top of page
Writer's pictureATM USA Team

PCI Compliance: Is your Financial Institution Prepared?

by Darren Smith | Originally published by CUInsight


As the financial landscape continues to evolve, banks and credit unions face many ongoing challenges, not the least of which is maintaining compliance at their ATMs. The latest mandates as stated by the Payment Card Industry Security Standards Council (PCI), are once again aimed at maintaining the safety of account holder data at self-service ATMs, ITMs, and kiosks that the community uses for financial transactions.


But what would really happen if your financial institution didn’t update ATM security? How can you meet PCI mandated requirements by the end of the year? And is there any end in sight to these ridiculously expensive upgrades?


Upcoming PCI Security Mandates

The current PCI mandate is for ATM PIN pads and data encryption, with a deadline of Dec. 31, 2024. These specific updates are designed to enhance the security of financial transactions and protect sensitive account holder information by updating the encryption level of the data being sent to the processor from the keypad.

 

Every ATM transaction processor must be able to accept the new TR31 Phase 3 key block encryptions before the end of the year. As a financial institution union, your task is a little bit harder. To be fully compliant, your ATMs must:


  1. Be Equipped with the Latest Encrypting Pin Pad (EPP) Upgrades: Terminals capable of being upgraded to the latest version of EPP must be updated by the end of 2024. ATMs not capable of being upgraded must be replaced.

  2. Communicate in TR31 Phase 3 Encryption: ATM software and firmware must be updated to use TR31 Phase 3 key blocks. This upgrade provides a higher level of security for personal identification numbers (PINs) and data infrastructure, making it more challenging for hackers to exploit weaknesses in the system.

 

These upgrades are crucial for credit unions and banks to maintain PCI compliance, pass ATM audits, and keep consumer information safer.


Non-Upgraded Machines: A Temporary Grace Period

While the deadline for upgrades is fast approaching, credit unions and banks can take some comfort in knowing that non-upgraded machines won’t go dark on January 1, 2025. U.S. processors are working diligently to meet PCI deadlines for accepting TR31 Phase 3 transactions. However, they recognize that not all machines will be upgraded in time.

 

At recent ATM industry conferences, including the ATM Industry Association (ATMIA) US Conference 2024 in February and the National ATM Council Conference (NAC2023) this past October, processors assured ATM operators and financial institutions there won't be an end-of-year crisis. They plan to continue accepting current encryptions alongside the new encryption type for the foreseeable future.

And, unlike EMV with its high-cost liability shift, the immediate monetary dangers are relatively low. The real concern for banks and credit unions with this upgrade is insurance, compliance and audits.

 

This distinction has several important implications:

  1. Member Access: Account holders will still be able to access their accounts through non-upgraded ATMs.

  2. Compliance Audits: Financial institutions with non-upgraded machines would not pass a PCI compliance security audit.

  3. Upgrade Necessity: Credit unions and banks that haven't already upgraded their ATMs should evaluate their machines and make the required changes promptly.

  4. Implementation Process: Upgrading ATMs involves hardware and software changes, testing, and certification. With proper planning and the right components, these changes can be implemented efficiently.

 

On the bright side, making these updates usually means you have the latest self-service technology, too. And up-to-date ATMs, ITMs, and Kiosks are more likely to offer the integrations and features your financial institution needs to meet self-service demands.


The Rapid Pace of ATM Upgrades

Over the past decade, the frequency of ATM upgrades has increased significantly. These costly changes have been digging into budgets about every two years – all to keep up with evolving standards and technologies. Here's a brief timeline of major updates:

 

  • 2004: PCI Data Security Standards (DSS) V1.0

  • 2006: PCI DSS v1.1

  • 2008: PCI DSS v1.2

  • 2009: PCI DSS v1.2.1

  • 2010: PCI DSS v2.0

  • 2012: Americans with Disabilities Act ATM compliance standards

  • 2013: PCI DSS v3.0

  • 2014: Windows 7

  • 2015: PCI DSS v3.1

  • 2016: PCI DSS v3.2.1

  • 2017: EMV liability shift

  • 2018: PCI DSS v3.2.1

  • 2020: Windows 10

  • 2022: PCI DSS v4.0 with PCI EPP keypad and software changes due January 1, 2025

 

This rapid pace of change presents significant challenges for credit unions in terms of costs, planning, and implementation.

 

Streamlining Compliance: The ATM Outsourcing Option

Given the frequency and complexity of ATM upgrades, many credit unions are exploring alternative solutions to manage their ATM fleets more efficiently. One such option is partnering with a reliable ATM outsourcing business. This approach offers several benefits:


  1. Cost Management: Outsourcing can help level out the costs associated with frequent upgrades and updates.

  2. Reduced Burden: The responsibility for compliance and updates shifts to the outsourcing partner, freeing up credit union resources.

  3. Expertise: ATM outsourcing companies specialize in maintaining compliance and can often implement changes more efficiently than in-house teams.

  4. Future-Proofing: With a dedicated partner managing ATM operations, credit unions can more easily adapt to future changes in technology and regulations.

 

As credit unions prepare for the upcoming PCI compliance upgrades, it's essential to take a proactive approach. While there may be a grace period for non-upgraded machines, achieving full compliance should remain a top priority. Credit unions should evaluate their current ATM fleet, plan for necessary upgrades, and consider the potential benefits of ATM outsourcing to streamline their compliance efforts.

 

By staying ahead of PCI compliance requirements, credit unions can ensure the security of their members' data, maintain trust in their institutions, and position themselves for success in an ever-evolving financial landscape. As the December 31, 2024, deadline approaches, now is the time for credit unions to take action and prepare for these critical security upgrades.

 

Ready to Future-Proof Your ATMs? Talk to About How an ATM Outsourcing Program Can Benefit Your Financial Institution.




Darren Smith, Vice President, ATM Management

darren@atmusa.com  • 919-534-3232 • Schedule a Meeting 


Craig Helmers, Vice President, ATM Management

22 views0 comments

Comments


bottom of page