Less than a week before a new ATM security requirement was to take effect, Visa decided to defer it.
Visa last August asked its members to ensure that PEDs (PIN entry devices, or keypads) on newly deployed ATMs had been tested and approved by Visa-designated laboratories. The new requirement was similar to one for point-of-sale PEDs that has been in place since April of 2002. The ATM requirement was to take effect on July 1.
According to Visa, the testing process will ensure that ATM PEDs meet general security requirements that were first published in 1997, with the ultimate goal of protecting PINs during electronic transactions. Before the new testing process was introduced, vendors provided "self attestation" that their PEDs met network requirements, Visa said.
In alignment
Visa extended its July 1 deadline last week, notifying members in a bulletin that the delay was necessary to develop a set of aligned testing guidelines and evaluation requirements with rival card association MasterCard.
The two companies similarly aligned their PED testing requirements for POS devices in April, with the aligned program scheduled to replace existing Visa and MasterCard POS PED testing programs in October.
According to the Visa bulletin, "a new compliance date will be established once development of aligned security requirements and testing procedures for ATMs has been completed."
The June 25 bulletin doesn't provide a specific deadline for compliance. However, John Schettino, vice president of Security and Risk Services for MasterCard International, said in an interview with ATMmarketplace earlier this month that the two companies intend to roll out the aligned ATM program by early 2005.
The aim is to "simplify the overall process for our members," Schettino said. "Our intent is to make the testing process as easy as possible. Our goal is to have one process, one test, one result and one certification where possible."
No slacking on security
The Visa bulletin stresses that, despite the extended deadline, members need to remain cognizant of PIN security.
It reads: "Visa members are still responsible for protecting all PINs entered into an ATM that they control or sponsor. Pending the alignment of security requirements and testing procedures for ATMs, members are strongly encouraged to continue deploying devices that meet Visa's PIN security requirements and adhering to the relevant industry standards and best practices."
The bulletin specifically recommends that members deploy ATMs that can support the use of Triple DES for PIN encryption, that use Visa-approved EPPs (Encrypting PIN pads) and that can support industry-approved key management practices.
Visa also "strongly encourages that all ATM PED vendors continue to submit their PEDs for testing" to the three Visa-approved laboratories.
A list of vendors that have earned approval for their PEDs, posted on the Visa Web site, currently includes Diebold, NCR, Triton, Thales (which produces keypads used on Wincor Nixdorf ATMs) and Sagem (which produces keypads used by Diebold, ATM Exchange and others). The list is updated as vendors receive approval.
It is not yet clear whether the current ATM PED approvals will be grandfathered under the aligned program. However, MasterCard has agreed to grandfather and accept all POS PEDs previously approved by Visa.
According to Visa, American Express, Diners Club, Discover and JCB have all expressed interest in aligned PIN security guidelines and testing procedures. "Going forward, the alignment will also include other domestic/regional payment organizations," according to an April 28 bulletin that addresses the aligned POS PED programs of MasterCard and Visa.
See related stories:
