
ATM LIFECYCLE SECURITY MANUAL

International minimum security guidelines

Produced by the Global ATM Security Alliance

Table of Contents
Foreword 4
Chapter 1: Introduction to ATM Lifecycle Security 5-7
  1.1 Clarification of ATM Lifecycle 5
  1.2 Protecting the ATM Lifecycle 6
Chapter 2: Cardholder Security 8-11
  2.1 The Role of the Cardholder in ATM Security 8
  2.2 The World's Top Twenty Tips for ATM Use 8
  2.3 Additional Tips for Different Types of ATMs 10
  2.4 General Tips 11
  2.5 Summary of ATM Security for Customers 11
Chapter 3: ATM Physical Security 12-20
  3.1 Role of Physical Security 12
  3.2 Scope of Physical Security Requirements 12
  3.3 Risk Assessments 12
  3.4 Common ATM Security Considerations 13
  3.5 Physical Security Considerations for Stand Alone ATMs 17
  3.6 Physical Security Considerations for Thru-the-Wall ATMs 19
Chapter 4: PIN & Encryption Security 21-40
  4.1 Introduction 21
  4.2 PIN Security Recommendations 22
  4.3 Key Management Recommendations 27
  4.4 Key Management Regimes 40
  4.5 Cryptography Best Practice Recommendations 40
Chapter 5: Data & Transactional Security 41-46
  5.1 Introduction 41
  5.2 Principles Underlying Information Security 41
  5.3 Information Security Policy 42
  5.4 Security Management 42
  5.5 Message Security for ATM Networks 43
  5.6 Definitions of Security Classifications of Data 43
  5.7 Allocation of Responsibilities for Message Security 45
  5.8 Data Confidentiality & Integrity for ATM Networks 45
  5.9 Procedure & Review Recommendations 46
Chapter 6: ATM Cyber Security 47-51
  6.1 Outlining the Drivers for ATM Cyber Security 47
  6.2 Operating System Security 47
  6.3 Account Security 49
  6.4 Network Security 50
  6.5 Detection and Prevention 51
Chapter 7: ATM Cash Security 52-65
  7.1 Defining the Scope of ATM Cash Security 52
  7.2 Basic Recommendations 53
  7.3 How Cash Replenishment Fits into the Cash Cycle 53
  7.4 Definition of the Chain of Responsibility in the ATM Cash Cycle 55
  7.5 Safe Operating Procedures 57
  7.6 Audit Trails for the ATM Cash Cycle 57
  7.7 Securing the ATM Zones 59
  7.8 Best Practices for ATM Cash Replenishment 62
  7.9 Best Practices for Securing ATM Servicing / Maintenance 63
Acknowledgements 66
Disclaimer 66

Foreword
This Best Practice Manual for ATM Lifecycle Security sets out to provide a high-level overview of the key elements of each phase of the ATM business lifecycle, from cardholder security to cash security and every kind of security in between. The Global ATM Security Alliance has published International Cardholder Security Tips and Best Practices for Physical ATM Security, PIN and Key Management Security, Transactional Security, Cyber Security and Cash Security. This overview collects in one manual the key guidelines 1 from all of this published material. The objective is to encourage security practitioners in the industry to adopt a more integrated lifecycle security approach as part of a holistic security strategy.

It is well known that crime migrates along the path of least resistance to attack the weakest link or softest target. Consequently, unless each link in the lifecycle chain of the ATM is strong, crime will continue to find security vulnerabilities to exploit.

We recommend that specialists focusing on particular kinds of ATM security, whether physical security, cash security or cardholder security, continue to consult GASA's comprehensive best practices for detailed guidelines in their specialised area, whilst using this manual in a complementary fashion to inspire lifecycle security thinking and awareness. We further recommend that specialised security managers have systematic and highly co-ordinated contact with specialists focusing on other phases in the security lifecycle.

This manual completes the Global ATM Security Alliance's series of security best practices for the whole ATM lifecycle. Please visit www.globalasa.com for more details about GASA. We trust the manual will play a part in crime reduction and that it will enhance your security strategies to make them even more effective.

Global ATM Security Alliance
October 2005

1 Each organization is encouraged to use these guidelines as a framework to build its own security policies, procedures and standards. A guideline in this manual is understood as a suggestion for best practice which is strongly recommended, rather than a requirement to be met.

Chapter 1
Introduction to ATM Lifecycle Security
1.1 Clarification of ATM Lifecycle
The term ATM lifecycle refers to all the interlinked stages involved in the business processes required for the functioning and operation of the ATM. In biology, life-cycle refers to the complete series of stages through which an organism passes, from conception, through maturation, to eventual death.2 The idea is that these stages are linked as the organism passes from one to the next in a natural sequence.

In the ATM business lifecycle, certain processes, actions and operations happen in a sequence of steps resulting in ATMs dispensing cash and other services to customers. For example, ATMs need regular cash replenishment to continue functioning. For the ATM to dispense cash, the cardholder needs to insert his card and key in his PIN for identification, whereupon the transaction needs to be authorised by his bank through a process which links the ATM via a network and switch to the bank's authorising system. The ATM business lifecycle covers all these stages and the many processes, systems, procedures and operations required to deliver ATM services to bank customers.

When applied to ATM security, this business lifecycle is seen as a series of phases where different kinds of protection are needed at different points along the lifecycle to prevent crime and reduce the risk of attack. Lifecycle security is the strategy of looking in a high-level, co-ordinated way at all the phases along the lifecycle, constantly assessing crime migration patterns and changing vulnerabilities. Lifecycle security looks at all kinds of ATM security within a single strategic security management programme. Where there are specialised areas of security within these lifecycle phases, they need to be systematically co-ordinated in order to achieve lifecycle security.

2 The Cambridge Encyclopedia, 4th Edition

Chapter 1: Intro to ATM Lifecycle Security - 5 -

13/10/2005

1.2 Protecting the ATM Lifecycle

[Figure: the phases of ATM lifecycle security arranged around the ATM: Cash Security, Card Security, Cardholder Security, ATM Connectivity Security, Cyber Security, ATM Transactional Security, ATM Physical Security, PIN & Encryption Security. Produced for GASA by Mike Lee, CEO, ATMIA.]

Card Security 3 encompasses the security measures that ensure a card, whether a debit, credit or stored value card, can be validated at a payment terminal and cannot readily be copied or cloned for counterfeit purposes.

Cardholder Security refers to the ways in which cardholders can be educated to manage their card and ATM usage in a sensible and security-conscious way.

ATM Physical Security covers the security measures undertaken to ensure that the ATM is properly located, installed and protected in a way that addresses and manages the risk of attacks against it.

PIN and Encryption Security has to do with the protection of PINs, secure encryption key management and encryption guidelines. Cryptography, together with strong encryption key management, is used to protect PINs and the PIN keys under which they are encrypted, in order to reduce the risk of financial loss through fraud, maintain the integrity and confidentiality of the network, and instil cardholder confidence in the use of both the ATM network and the ATM.

ATM Transactional Security is about initiating, implementing and maintaining information security within ATM networks. Because messages and transactions in ATM networks contain both sensitive cardholder data and related financial information, it is important that ATM networks safeguard this information. Transactional security controls should be applied throughout an ATM network, from the ATM to the authorisation process, including all transaction processing and the generation and storage of PINs.
3 GASA has not produced best practices for card security and refers readers to the relevant Payment Card Industry (PCI) standards for card issuing.


Cyber Security refers to general computer, network and information security, as well as guidelines for operating ATMs on a Windows XP platform.

ATM Connectivity Security involves line encryption and protection of data over the communications lines between ATMs and their host systems, to prevent interception of data by techniques such as wire-tapping.

ATM Cash Security focuses on securing the cash replenishment phase for three fill models: bank-branch-fill, merchant-fill and CiT-fill. This includes securing the approach to the ATM, securely loading the cash and then securing the exit away from the ATM. Cash security is critical to any ATM business, since ATMs are essentially cash dispensers and the highest cost for deployers is typically the cost of cash.

It is recommended that banks and businesses in the ATM industry adopt lifecycle security covering all of these phases within an integrated and holistic security strategy, co-ordinating the areas of specialisation within a single security framework in order to produce seamless security across the lifecycle. The objective of all ATM security is to protect the ATM's whole Trusted Environment.
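Section 1.1 describes the cardholder keying in a PIN that is then authorised by the bank across the network and switch, and the PIN and Encryption Security paragraph above says that cryptography and key management protect that PIN. The following is an added worked example, not code from the GASA manual or from any ATM vendor, showing how an encrypting PIN pad forms the clear PIN block under ISO 9564-1 format 0 before encrypting it: the PIN field is XORed with a field derived from the card's PAN, so a block captured in transit is bound to the card it was entered for and fails validation if replayed against another PAN. The PIN and PAN values are constructed test data, the function names are this example's own, and the final step of encrypting the block under the PIN key (TDES inside the EPP or HSM) is deliberately not shown.

```python
"""ISO 9564-1 format 0 PIN block: construction, recovery and PAN binding check.

Added example for the ATM Lifecycle Security Manual; all PIN and PAN values
used here are constructed test data, not real card data.
"""


def pin_field(pin: str) -> str:
    """Format 0 PIN field: control digit '0', PIN length as one hex digit,
    the PIN digits, then 'F' padding out to 16 hex digits."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def pan_field(pan: str) -> str:
    """Format 0 PAN field: four zeros followed by the rightmost 12 digits of
    the PAN excluding the Luhn check digit (the last digit)."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 decimal digits")
    return "0000" + pan[:-1][-12:]


def _xor_hex(a: str, b: str) -> str:
    """XOR two 16-hex-digit strings, returning upper-case hex of fixed width."""
    return f"{int(a, 16) ^ int(b, 16):016X}"


def format0_pin_block(pin: str, pan: str) -> str:
    """Clear format 0 PIN block. In a real EPP this value is encrypted under
    the PIN key (TDES) immediately and only the ciphertext leaves the device."""
    return _xor_hex(pin_field(pin), pan_field(pan))


def recover_pin(block: str, pan: str) -> str:
    """Undo the PAN XOR and validate the PIN field structure. A block formed
    for a different PAN yields non-'F' padding or non-decimal PIN digits and
    is rejected, which is the binding property that matters for replay."""
    if len(block) != 16 or any(c not in "0123456789ABCDEF" for c in block.upper()):
        raise ValueError("PIN block must be 16 hex digits")
    field = _xor_hex(block, pan_field(pan))
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length in block")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not match this PAN")
    return pin


def pin_block_matches_pan(block: str, pan: str) -> bool:
    """True if the block decodes to a structurally valid PIN under this PAN."""
    try:
        recover_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    PIN, PAN = "1234", "4000001234567899"          # constructed test values
    OTHER_PAN = "4000009876543210"                 # constructed, different card
    block = format0_pin_block(PIN, PAN)
    print("clear PIN block:", block)               # 041234FEDCBA9876
    print("recovered PIN:  ", recover_pin(block, PAN))
    print("valid for other card?", pin_block_matches_pan(block, OTHER_PAN))
```

The two checks in recover_pin (decimal PIN digits and all-'F' padding) are what make a captured block useless against a different PAN; the host HSM performs the same structural validation after decrypting the block, and a failure there should be logged as a suspicious transaction rather than treated as a simple PIN mismatch.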


Chapter 2
Cardholder Security
2.1 The role of the cardholder in ATM security
This chapter is designed to ensure optimal levels of customer safety and convenience at ATMs. It is true that law enforcement agencies around the world need the communities they police to play a part in the upholding of law and order. By being more security-conscious and taking precautions whenever possible, citizens can help prevent crimes from taking place. This is equally true when it comes to ATM usage.

2.2 The World's Top Twenty Tips for ATM Use 4

Tips for Choosing an ATM (to enhance the ATM customer experience)

Tip 1: Where possible, use ATMs with which you are most familiar. Alternatively, choose well-lit, well-placed ATMs where you feel comfortable.

Tip 2: Scan the whole ATM area before you approach it. Avoid using the ATM altogether if there are any suspicious-looking individuals around or if it looks too isolated or unsafe.

Tip 3: Avoid opening your purse, bag or wallet while in the queue for the ATM. Have your card ready in your hand before you approach the ATM.

Tip 4: Notice if anything looks unusual or suspicious about the ATM, indicating it might have been altered. If the ATM appears to have any attachments to the card slot or keypad, do not use it. Check for unusual instructions on the display screen and for suspicious blank screens. If you suspect that the ATM has been interfered with, proceed to another ATM and inform the bank.

4 The World's Top Twenty Tips for ATM Use were collected from Australia, New Zealand, the United States of America, the United Kingdom, Europe, Canada, India and South Africa. Banks are free to distribute these security tips under their own branding and in their own format.


Tip 5: Avoid ATMs which have messages or signs fixed to them indicating that the screen directions have been changed, especially if the message is posted over the card reader. Banks and other ATM owners will not put up messages directing you to specific ATMs, nor would they direct you to use an ATM which has been altered.

Tips for Using an ATM

Tip 6: Be especially cautious when strangers offer to help you at an ATM, even if your card is stuck or you are experiencing difficulty with the transaction. You should not allow anyone to distract you while you are at the ATM.

Tip 7: Check that other individuals in the queue keep an acceptable distance from you. Be on the look-out for individuals who might be watching you enter your PIN.

Tip 8: Stand close to the ATM and shield the keypad with your hand when entering your PIN (you may wish to use the knuckle of your middle finger to key in the PIN).

Tip 9: Follow the instructions on the display screen, e.g. do not key in your PIN until the ATM requests you to do so.

Tip 10: If you feel the ATM is not working normally, press the Cancel key, withdraw your card and proceed to another ATM. Report the matter to your financial institution.

Tip 11: Never force your card into the card slot.

Tip 12: Keep your printed transaction record so that you can compare your ATM receipts to your monthly statement.

Tip 13: If your card gets jammed, retained or lost, or if you are interfered with at an ATM, report this immediately to the bank and/or police using the help line provided or the nearest phone.

Tip 14: Do not be in a hurry during the transaction, and carefully secure your card and cash in your wallet, handbag or pocket before leaving the ATM.


Tips for Managing your ATM Use

Tip 15: Memorise your PIN. If you must write it down, do so in a disguised manner and never carry it with your card.

Tip 16: NEVER disclose your PIN to anyone, whether a family member, bank staff or police.

Tip 17: Do not use obvious and guessable numbers for your PIN, such as your date of birth.

Tip 18: Change your PIN periodically and, if you think it may have been compromised, change it immediately.

Tip 19: Set your daily ATM withdrawal limit at your branch at a level you consider reasonable.

Tip 20: Regularly check your account balance and bank statements and report any discrepancies to your bank immediately.

Please note that you should show the same precautionary care when using your card(s) at a POS (point of sale) PIN pad terminal in a retail environment or at a restaurant, when conducting transactions online or by telephone, or when writing cheques (checks). Speak to your bank branch about security when using these other service delivery channels.

2.3 Additional Tips for Different Types of ATMs

Tip for Use of Lobby ATMs: If you are using an indoor ATM that requires your card to open the door, avoid letting anyone that you do not know come in with you. Check for modifications to the card reading device affixed to the lobby door.

Tip for Use of Drive-up ATMs: Lock the car doors and roll up the other windows when you use a drive-through ATM.


2.4 General Tips

General Tip 1: Ensure that you sign your card on the signature panel as soon as you receive it.

General Tip 2: Protect your cards as if they were cash. Do not leave them unattended anywhere. Keep your cards in a safe place and never leave them or personal identity documents lying around at home, at work, in a vehicle, or in public places.

General Tip 3: If at all possible, do not let your bag or wallet containing the cards out of your sight in public places.

General Tip 4: Be alert to what is happening with your card when performing a transaction. For example, do not let a restaurant waiter take your card away to settle the account, and watch your card when you hand it to a cashier. Watch while cashiers process your card and make sure they do not swipe it through two different devices; if that happens, contact your bank immediately.

General Tip 5: Make a list of your card account numbers and the telephone numbers for reporting lost or stolen cards. Keep the list in a safe place. Check your cards periodically to make sure none are missing.

General Tip 6: Never give your credit card number over the phone or internet unless you are dealing with a reputable company, you have initiated the call yourself, or you are 100% certain of the caller's identity and that of the company they work for.

General Tip 7: Read and understand the Terms & Conditions for card usage issued by your financial institution(s). Contact customer services if you are unclear about any of the terms.

2.5 Summary of ATM Security for Customers

YOU, your PIN and your CARD, looked after together, are the keys to ATM security: approach an ATM only under the right conditions in order to protect YOURSELF; ensure only you know, see and use your PIN; follow the ATM screen's instructions when using your CARD, and ensure the card is kept secure during and after use.


Chapter 3
ATM Physical Security
3.1 Role of Physical Security

The physical ATM provides the interface between the self-service banking industry and the millions of cardholders around the world who use ATMs to withdraw cash, make balance enquiries, top up their mobile phones, purchase tickets and pay bills.

"ATMs are becoming the face of many financial institutions. For many consumers, ATMs are becoming the only interaction they have with their banks. In addition, ATMs are becoming a competitive mark for many banks. Therefore, it is imperative to ensure that the customers' experience with the ATM is safe and secure, as well as pleasant."
ATM Security and Fraud (July 2004), Celent Communications

3.2 Scope of Physical Security Requirements

The physical security recommendations in this chapter refer to the ATM itself and its host premises. The security of cash is covered in Chapter 7, ATM Cash Security. The security guidelines listed are recommended as crime reduction "good practice". Additional security measures and practices may well be required, depending on the existing security of the local premises and on the risk assessment carried out prior to site selection and installation. Our guidelines are intended to complement the advice of local police and government, insurers and security advisers, as well as the manufacturer's guidelines.

3.3 Risk Assessments

Site selection and installation of all ATMs should always be preceded by risk assessments. During initial site validation, or at subsequent site risk assessment visits, an ATM should be classified by the deployer as Low, Medium or High risk. Risk assessment criteria can depend on organisational, insurance and law enforcement recommendations and requirements. Industry advice may also be sought from industry approved consultants. It is recommended that details of site risk assessments be recorded in defined reports and stored in an organisational database.


It is also recommended that each ATM deploying organisation conducts a detailed and thorough ATM risk analysis based on their own country, and geographical areas of operation, and that based on this, a detailed ATM security strategy is prepared or up-dated.

3.4 Common ATM Security Considerations

The security considerations laid down in this section are considered common to both Stand Alone and Thru-the-Wall ATMs. The security considerations particular to each type are discussed separately later.

3.4.1 ATM Safe


It is recommended that a strong ATM safe be used to protect cash inside the ATM. The grade of safe used can be varied depending on the area risk assessment. In addition the security provided by the security container (safe) within the ATM should be to a level commensurate with that required for the value of cash loaded in the ATM 5 . For recommendations regarding safes and locks, please see Best Practice for Physical ATM Security, section 6.3.3.

3.4.2 Banknote Degradation Systems


A banknote degradation system may be installed which dyes, stains or otherwise degrades notes when activated, in order to render them unattractive to thieves. Such a system should meet any national standards relating to the use of ink/dye systems.

- These systems are fitted to each ATM cassette holding notes inside the ATM, to provide a deterrent to theft of, or from, the ATM.
- The banknote degradation system should be designed to activate as soon as the ATM is moved or attacked by any means.
- If required, the system may incorporate a unique chemical identifying system, although such identification systems should not be relied on in isolation.
- Where a banknote degradation system is used, notices to this effect should be displayed prominently around the perimeter of the premises and on the ATM itself.
- An independent test house should check any banknote degradation system used and should certify that it operates according to the manufacturer's claims. Each national Central Bank should also test the system on real banknotes and should verify that the ink is safe, and that the required percentage of the notes is stained over the required percentage of the printed area.
- Some banknote degradation systems can link with CIT to provide end-to-end security between the ATM and the cash centre.

5 Refer to the relevant BS/EN Performance Test Standards.


3.4.3 Smoke Generating System


As an alternative to a banknote degradation system, a smoke generating system may be installed to protect the internal area of the premises where the ATM is installed, providing a deterrent to theft of, or from, the ATM.

- Such systems should be designed to activate as soon as the ATM is moved or attacked by any means. Activation must only be possible when the area of the premises in which the ATM is sited is non-operational.
- Where attack through the building roof is a possibility, the smoke generating system should also protect vulnerable roof voids.
- Such systems must not negate any fire and emergency procedures, particularly the means of escape in the case of an actual fire. It is recommended that advice be taken from the local fire safety officer before installation.
- Where a smoke generating system is used, notices to this effect should be displayed prominently around the perimeter of the premises and on the ATM itself.

3.4.4 ATM Alarm Systems


Intruder Alarm
Premises where ATMs are installed should be protected by an intruder alarm system with monitored remote signalling to an Alarm Receiving Centre to a security level commensurate with the risk level.

ATM Alarm System


In addition to alarming the premises, consideration may be given to alarming the ATM itself. This can be achieved by means of a stand-alone alarm system with its own unique reference number (URN).

- The system should be monitored by remote signalling to an Alarm Receiving Centre and should qualify for an appropriate local police response. If it is a confirmable alarm system, a dual signalling facility should be provided.
- The design should ensure that the system is armed at all times other than during maintenance, servicing and cash replenishment. It should give the earliest possible warning of attack on the ATM.
- In addition, consideration should be given to including personal attack switches for the use of CIT crews in the event of an attack during cash replenishment.

ATM Alarm Equipment


For recommendations for alarm equipment at each ATM location, please see Best Practice for Physical ATM Security, section 6.5.

Control, Monitoring and Maintenance


The alarm system should be monitored from a Central Monitoring Station (CMS) 24 hours a day. The CMS, which should conform to ISO and local police standards, should automatically generate an alarm signal if the telephone line fails or is cut. In the event that an alarm signal is received, the CMS should respond according to its standard operating procedures. A maintenance record should be kept for the alarm detection system and routine maintenance should be conducted, with a minimum of one planned maintenance visit each year.

3.4.5 ATM Lighting


Where a national standard for illumination of the keyboard and surrounds of an ATM does not exist, an ATM Deployer should set its own standard. 200-300 Lux is recommended for ATM keyboard illumination. 50 Lux is suggested as the minimum ambient illumination at floor level up to a distance of 1 metre from the face of the ATM and extending 75 cm either side of the mid-point of the ATM. This is also the minimum recommendation should a CCTV camera be fitted. 200 Lux ambient illumination at floor level should be considered in areas deemed to pose a higher risk to customers at night.

3.4.6 CCTV
Should the site risk assessment require it, the premises may be protected by a closed circuit television system, with or without detection facility, viewing the ATM, but not viewing the ATM keypad.

3.4.7 PIN Protection


For locations deemed to have a high risk of ATM fraud, it is recommended that a written siting policy be submitted, subject to audit, confirming that the ATM is positioned to prevent oversight of the PIN pad from any source (cardholders in the queue, passers-by, mirrors, etc.).

For comprehensive PIN security measures, see GASA's Best Practice Manual for PIN Security and Key Management.


3.4.8 ATM Testing & Commissioning


The following steps should be followed for an ATM to be tested and commissioned:

Authorisation
Prior to dispatching a Technician to the ATM site, the Installation Contractor 6 should check with the ATM Deployer that all the Pre-Conditions have been met.

Field Test & Network Connection


On arrival at the ATM site the Installation Contractors Technician should conduct a thorough test of the ATM and connect it to the ATM network.

Test Certificate
On completion he should sign a Test Certificate to confirm that everything is correct and that the ATM is ready to go live. A copy of this Certificate should subsequently be sent to the ATM Deployer.

Telephone Line
If the telephone line is not working, he may proceed to hand over the ATM, but may not switch it live or on-line.7

3.4.9 ATM Handover


Before handing over the ATM and switching it on-line, the Installation Contractors Technician should ask the Banks representative to sign a formal ATM Handover Certificate for the ATM. This will acknowledge the date and time that the Bank took over responsibility for the management of the ATM, and will also record any keys and/or combinations handed over. A copy of this Certificate should be left with the Bank, a copy passed to the ATM Manager and a copy passed to the ATM Deployer.

3.4.10 On-site monitoring of the ATM by Site Personnel


ATM deployers should ensure that site owners/managers, or other on-site personnel, check the ATM regularly to ensure there are no alien or parasite attachments, such as skimming (or card copying) devices, that do not belong to the original device. ATM deployers should ensure that training and education is carried out to enable this on-site monitoring to be effective. In the event that an alien or parasite attachment is discovered, there should be a clear procedure laid down as to what follow up action should be taken (i.e. inform the Police).
6 The Installation Contractor may be the ATM Supplier, or may be a third party working for either the ATM Deployer or the ATM Supplier.

7 For warranty purposes, ATM manufacturers require an on-line transaction to be completed.


3.4.11 Passive Compliance


In the event of an attack during opening hours, host staff should be advised to comply passively with the raiders' demands, and must be trained accordingly.

3.4.12 ATM Storage


The following security requirements are advised when ATMs are stored during any part of the ATM lifecycle and particularly after initial purchase, during preparation for site, during modification/repair and while awaiting disposal.

Secure Area
ATMs should be stored in a secure area with reasonable restrictions on physical access, and with an access control procedure in place for all persons entering the area. Access control records should be kept for a minimum of two years, for external audit purposes.

Alarm System
The secure area should be protected by a monitored alarm system with sensors covering the external access points and all movement within the general area. This system should be switched on and monitored, outside of normal working hours, and at any time when the storage area is left unattended.

Encryption Keys
It is recommended that Encryption keys are deleted from an ATM while it is in storage. This stops the Encryptor being brought back on-line if the ATM is plugged back into the network.

3.5 Physical Security Considerations for Stand Alone ATMs

3.5.1 Definition of a Stand Alone ATM


Stand Alone ATMs are free-standing, and are not installed in the wall of a building, for example, at a bank branch. Typically, they are situated in convenience stores, petrol stations, supermarkets, shopping malls, etc.

3.5.2 Minimum Security Recommendations


Position
If the ATM is located in a premises immediately adjoining a road accessible to vehicles, the ATM should be sited within the premises well away from perimeter glazing, particularly shop fronts, preferably directly against a strongly built internal or perimeter wall, which does not have vehicular access to its external face, and positioned to avoid a direct and unimpeded line of access from a door or other access point.


To reduce the risk of vandalism to the ATM and to increase user safety, the ATM should be positioned in a highly visible and well-lit area that allows maximum surveillance by counter staff and other customers.

Anchorage
The ATM should be securely fixed to the floor through its security container by a minimum of four resin anchor bolts (minimum 12mm diameter to a minimum depth of 150mm) into a substantial concrete base. Where a timber floor is involved the ATM should be bolted to a steel base plate by a minimum of four bolts, which is bolted through the floor joists by a minimum of four bolts.

3.5.3 Additional Security Recommendations for Higher Risk Deployments


External Measures
- External approaches to the area of the premises where the ATM is sited should be protected by the installation of anti-ram bollards, vehicle-arresting systems, high-rise kerbs, raised planters, reinforced lamp posts or similar street furniture, usually subject to local authority approval.
- Where perimeter glazing extends down to the floor of the premises, it should be protected by visually permeable metal roller shutters, security grilles or retractable anti-ram bollards, configured to keep vehicles away from the vulnerable perimeter elements of the premises outside operational hours.

Enhanced Anchorage
Instead of the anchoring system recommended in item 3.5.2, the ATM should be anchored by an enhanced anchoring system specifically designed to provide superior fixing for ATMs.

Security Collar or Anti-Lasso Device


- A security collar, of the type associated with gaming machines, or an anti-lasso device may be fitted where removal of the ATM is a risk.
- Where such devices are deployed, they should be attached to the main body of the ATM itself and not to the exterior facings.

Tracking System
The ATM may be fitted with a tracking system to enable its position to be determined in the event of theft of the ATM from the premises.


3.6 Physical Security Considerations for Thru-the-Wall ATMs

3.6.1 Definition of a Thru-the-Wall ATM


A TTW ATM does not stand on its own but is installed within the wall of a building (interior or exterior) to which it is affixed to allow customers to conduct transactions at the ATM outside of, or even away from, a bank branch. This type of machine contrasts with Stand Alone ATMs, which are not fixed within the wall of a building.

3.6.2 Minimum Security Recommendations


Site Validation
Each ATM site should be thoroughly validated before the decision to install an ATM is taken. For full details on site validation report structure, report distribution, planning requirements and site validation responsibilities, see section 5.1 of GASA's Best Practice Manual for ATM Physical Security.

Base Composition
During the Site Validation an assessment should be made of the base to ensure that it is of sufficient strength and depth to anchor the ATM. If it is deemed possible to use the existing base, the existing concrete should be reinforced and of a minimum depth to meet the requirements of the anchor bolt manufacturers. The ATM can then be anchored directly into it (provided that the base height is not required to be raised; see the section entitled Base Height below). If it is not possible to use the existing base without modification, then a plan should be made to strengthen the base. When making this plan a minimum depth of 10cm reinforced concrete should be retained with the existing base, in order to anchor the new base to it.

Base Height
In order to anchor the ATM properly it is important that accurate measurements are taken during the Site Validation Visit. For the ATM to be properly anchored it should be able to sit on a plinth that will enable it to exactly reach the required height.

Anchorage
Secure anchorage can be made under the following scenarios (for full details, including recommendations for base preparation, see Best Practice Manual for ATM Physical Security). For all anchorages the Installation & Maintenance Contractor should complete a Certificate stating that the anchoring has been done in accordance with these requirements. All exact measurements relating to the anchorage should be recorded. A copy of this Certificate should be passed to the ATM deployer for audit purposes:


Anchoring Plinth To Base - No Cellar - Sufficient Concrete
This assumes that the ATM will be anchored into solid ground with sufficient concrete. Sufficient Concrete is reinforced concrete to a minimum depth required for the length of bolt used. For details of required depths it is recommended to consult the handbooks of the major anchor bolt manufacturers, e.g. Hilti. The installation contractor should anchor the ATM in accordance with the relevant CEN (or other) standard relating to the grade of safe used.

Anchoring Plinth To Base - No Cellar - Insufficient Concrete
This assumes that the ATM will be anchored into solid ground with insufficient concrete. Insufficient concrete is concrete that is not reinforced and does not meet the minimum requirements of the anchor bolt manufacturers. When this is the case a concrete base should be constructed and properly attached to the existing floor. The installation contractor should anchor the ATM in accordance with the relevant CEN (or other) standard relating to the grade of safe used.

Anchoring Plinth To Base Over A Cellar
This assumes that the ATM will be anchored over a cellar/basement/garage to which the public may or may not have access, and for which entry/egress control may or may not be under the direct control of the Bank, or other TTW ATM deployer. After the Site Validation visit, the ATM Deployer Security Representative should approve the proposed anchoring plan. The installation contractor should anchor the ATM in accordance with the relevant CEN (or other) standard relating to the grade of safe used.

Installation in Solid Wall


If accessible from an area with vehicular access, the ATM should always be installed behind a solid brick or concrete wall. If one does not exist, it should be constructed. For specifications, please see Best Practice for Physical ATM Security, section 6.1.1. In the event that it is not possible to install the ATM behind a brick or concrete wall, then the next preferred method is to install it behind a solid steel section. For specifications, please see Best Practice for Physical ATM Security, section 6.1.2. In the event that it is not possible to install the ATM behind a brick or concrete wall, or a steel section, then the next preferred method is to install it behind steel girders. For specifications, please see Best Practice for Physical ATM Security, section 6.1.3.

ATM Plinth
When deciding on an ATM plinth, ATM deployers should assess its construction from a security perspective. Plinths specially constructed to withstand ram raids and other brute force attacks may be considered for higher risk locations. For installers using CEN approved plinths, the anchoring arrangements should be those that are approved in the CEN documentation for that product. The correct implementation of those arrangements will guarantee good anchoring.

Chapter 4
PIN & Encryption Security
4.1 Introduction
4.1.2 Objectives of PIN Security & Key Management
The principle behind PIN Security and encryption Key Management is to protect the PIN against unauthorized disclosure, compromise and misuse throughout the life of a transaction. This goal can be broken down into the 7 separate objectives listed below, and the requirements and best practices laid down in this chapter are aimed at meeting these objectives.
OBJECTIVE 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
OBJECTIVE 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
OBJECTIVE 3: Keys are conveyed or transmitted in a secure manner.
OBJECTIVE 4: Key loading to hosts and PIN entry devices is handled in a secure manner.
OBJECTIVE 5: Keys are used in a manner that prevents or detects their unauthorized usage.
OBJECTIVE 6: Keys are administered in a secure manner.
OBJECTIVE 7: Equipment used to process PINs and keys is managed in a secure manner.

4.1.3 The Scope of PIN & Encryption Security Recommendations


These recommendations are aimed at securing PIN data during online and offline payment card transaction processing at ATMs. They can also be applied at Point-of-Sale Terminals. The recommendations are intended for use by all acquiring institutions and agents responsible for PIN transaction processing on the payment card industry participants' denominated accounts and should be used in conjunction with applicable industry standards.

To help establish a secure environment for PIN based transactions, this chapter sets out the minimum acceptable recommendations for securing PINs and encryption keys. Its purpose is to aid all electronic payment system participants in providing the fundamental assurance that cardholder PINs will not be compromised. For a complete set of recommendations please see GASA's Best Practice PIN Security & Key Management Recommendations. It should be understood that the recommendations given in this chapter are supplementary to the security requirements laid down by the networks. Network requirements should always take precedence over these guidelines.

4.2 PIN Security Recommendations

4.2.1 General Standards


a) PIN Management and security procedures should be compliant with the ANSI X9.8 Standard and ISO 9564-1.
b) All cardholder-entered PINs should be processed in equipment that conforms to the requirements for Tamper-Resistant Security Modules (TRSMs).
c) The PIN should not appear in plain text at any point within the network other than in a secure Tamper Evident or Tamper Responsive Secure Module (TESM or TRSM), or PIN mailer.
d) The PIN length should be a minimum of 4 digits and a maximum of 12.
e) The plain text PIN should never be logged. PIN blocks, even encrypted, should not be retained in transaction journals or logs, except temporarily for audit and fault resolution purposes. PIN blocks are required in messages sent for authorization, but are not required to be retained for any subsequent verification of the transaction.
f) PINs should be encrypted using a PIN block format that does not produce the same encrypted PIN block for the same PIN but a different card number.
g) TESMs in ATMs should comply with ISO 9564-1 Section 6.3.3.
h) TESMs in ATMs should be upgraded to TRSMs compliant with FIPS 140-2 Level 3.
i) TRSMs at Host Processors should comply with ISO 9564-1 Section 6.3.1 and FIPS 140-2 Level 3.
j) All ATM connections and Host connections to the network should be configured to use line encryption, to provide end-to-end encryption of data.
k) Acquirers, the Network and Issuers should support the ANSI X9.8/ISO 9564 Format 3 PIN block, so that an acquirer can ensure response messages are generated by the correct issuer system.


4.2.2 Recommendations for PIN Entry at the Acquiring Device


a) The PIN should not be echoed to the device screen.
b) The PIN should be encrypted at the keypad or in a TESM directly connected to the keypad such that the PIN and key data cannot be intercepted between the keypad and the TESM. It should not be possible to insert a device between the keypad and the encryption device.
c) The PIN should not be in the clear to the application in the device.
d) The PIN entry device should be configured with full tamper resistance according to industry decreed timings and standards.

4.2.3 Recommendations for the Acquirer Host


a) The Acquirer should only decrypt/encrypt PIN blocks within TRSMs.
b) The Acquirer should maintain adequate key management procedures and processes. These should comply with all parts of ISO 11568.
c) The Acquirer should maintain discrete zones across which PIN keys will apply.
d) Unique cryptographic keys should be in use for each identifiable link between host computer systems.

4.2.4 Recommendations for the ATM Network Switch


a) The Switch should only decrypt/encrypt PIN blocks within TRSMs.
b) The Switch should maintain adequate key management procedures and processes. These should comply with ISO 11568.
c) The Switch should maintain discrete zones across which PIN keys will apply.
d) Unique cryptographic keys should be in use for each identifiable link between host computer systems.

4.2.5 Recommendations for the Issuer Host


a) The Issuer should validate the PIN by comparison with stored encrypted values or offsets. The issuer should not store the PIN in the clear.
b) The Issuer should only decrypt/encrypt PIN blocks, and compare clear PIN blocks, within TRSMs.


c) The issuer should limit the successive attempted validations by a cardholder with the incorrect PIN. Indication that the PIN is invalid should be included in the response from the issuer to the acquirer.

4.2.6 Recommendations for Tamper-Resistant Security Module


a) A Tamper-Resistant Security Module (TRSM) should meet the requirements of a Physically Secure Device as defined in ISO 9564-1. Such a device must have a negligible probability of being successfully penetrated to disclose all or part of any cryptographic key or PIN. A TRSM can be so certified only after it has been determined that the device's internal operation cannot be modified to allow penetration (e.g., the insertion within the device of an active or passive tapping mechanism). A TRSM (e.g., a PIN Entry Device (PED)) that complies with this definition may use a Fixed Key or a Master Key/Session Key management technique, that is, a unique (at least) double-length PIN encryption key for each PED, or may use double-length key DUKPT as specified in ANSI X9.24-2002.
b) A TRSM relying upon compromise prevention controls requires that penetration of the device when operated in any manner and any environment should cause the automatic and immediate erasure of all PINs, cryptographic keys and other secret values, and any useful residuals of those contained within the device. These devices should employ physical barriers so that there is a negligible probability of tampering that could successfully disclose such a key.

4.2.7 Recommendations for PIN Entry Devices


a) PIN Entry Devices (PEDs) should use encrypting PIN pads that encrypt the PIN directly at the point of entry to meet the requirements for compromise prevention. PEDs in which the cleartext (unenciphered) PIN travels over cable or similar media from the point of entry to the cryptographic hardware encryption device do not meet this requirement.
b) Devices that do not retain any key that has been used to encrypt or decrypt secret data, including other keys (e.g., DUKPT) require only compromise detection, and may be less tamper resistant.

4.2.8 Recommendations for PIN Entry at the Acquiring Device


a) PIN pads should be located such that they are protected from unauthorized observation.
b) PIN entry devices should move to encrypting keypads as soon as possible, or as part of upgrading to Triple DES.


4.2.9 Recommendations for PIN Pad Security


a) Prior to connection to an ATM network, an ATM should be certified to have a tamper-resistant PIN pad that meets the stated requirements of the Network. Networks may elect to accept certification that the PIN pad meets the requirements set by other networks, such as Visa/MasterCard, if those requirements meet or exceed those of the Network.
b) Members who wish to deploy a new device type should begin by inquiring with the vendor or against the List of Certified Devices to determine if the device type has already been certified. If the device type is included on the List of Certified Devices the Member should obtain a copy of the Device Certificate from one of the device vendors or the Device Certification Agent prior to connecting the device.
c) For device types not included on the List of Certified Devices, a Member or the device vendor should contact a Device Certification Agent to arrange for testing and certification of the device type.
d) If the manufacturer has had the device certified, it can be sold as a certified device, with no further certification costs being incurred prior to installation.
e) A manufacturing change to a device means that the device should be re-certified.
f) When any modification is made to any component or attribute of the device that is subject to certification, the device should be re-certified prior to deployment; recertification is required for all modifications to a device, unless none of the modifications affect a component or attribute that is subject to certification.
g) Deployers should keep current a published list of all their certified ATMs in operation.
h) Networks should set dates for compliance of new devices, replacement devices, and existing devices. The dates set for each category of device should be appropriate to the potential risk of compromise at non-compliant devices. Devices identified as noncompliant will either not be permitted to be connected to the network, or, in the case of installed ATMs, a request should be filed for exemption status, failing which removal of the ATM will be required. Note: Deployed devices must meet the requirements of all Networks for which the devices acquire transactions.

4.2.10 Recommendations for PIN Translation & Encryption


a) All cardholder PINs processed online should be encrypted and decrypted using an approved cryptographic technique that provides a level of security compliant with international and industry standards.
b) Online PIN translation should only occur using one of the allowed key management methods: DUKPT, Fixed Key, Master Key/Session Key.


c) Online PINs should be encrypted using the TDEA Electronic Code Book (TECB) mode of operation as described in ANSI X9.52. For purposes of these recommendations, all references to TECB are using key options 1 or 2, as defined in ANSI X9.52. Schemes may allow alternative methods if validated as at least as secure as TDES.
d) All cardholder PINs processed offline using IC Card technology should be protected in accordance with the requirements in Book 2 of the EMV2000 IC Card Specifications for Payment Systems (footnote 8).
e) For online transactions, PINs should only be encrypted using ISO 9564-1 PIN block formats 0, 1 or 3. Format 2 should be used for PINs that are submitted from the IC reader to the IC.
f) For secure transmission of the PIN from the point of PIN entry to the card issuer, the encrypted PIN block format should comply with ISO 9564-1 format 0, ISO 9564-1 format 1, or ISO 9564-1. Schemes may allow for alternative methods on a case-by-case basis.
g) For ISO format 0 and 3, the cleartext PIN block and the Primary Account Number block should be XOR'ed together and then Triple-DES encrypted in Electronic Code Book (ECB) mode to form the 64-bit output cipherblock (the reversibly encrypted PIN block). Note that as stated in recommendation (f) above, a scheme approved alternative encryption method may be used.
h) ISO format 3 should be used for encryption zones where the PIN encryption key is static for the productive life of the device in which it resides.
i) PINs enciphered only for transmission between the PIN entry device and the IC reader should use ISO format 0, 1 or 3.
j) PINs should not be stored except as part of a store-and-forward transaction as noted in ISO 9564-1, and then only for the minimum time necessary. Any store-and-forward transaction PIN should be stored in encrypted form using a unique key not used for any other purpose.
k) Host Security Module (HSM) Master File Keys, including those generated internal to the HSM and never exported, should be at least double-length keys and use the TDEA.

8 See sections 7 and 11.1.2 of Book 2 of the EMV2000 IC Card Specifications for Payment Systems.
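As an added illustration of recommendations 4.2.1 f) and 4.2.10 e) to h) above (editor-written example code, not part of the GASA manual): ISO 9564-1 format 0 and format 3 PIN block formation, TDEA ECB encryption under a double-length key, and the issuer-side decryption and validation. The key, PAN and PIN are constructed sample values, and the function names are the example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// xorPan XORs the PAN field shared by ISO 9564-1 formats 0 and 3 (four zero
// digits, then the rightmost 12 PAN digits excluding the Luhn check digit).
func xorPan(block []byte, pan string) error {
	if len(pan) < 13 {
		return errors.New("PAN must have at least 13 digits")
	}
	af, err := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	if err != nil {
		return err
	}
	for i := range block {
		block[i] ^= af[i]
	}
	return nil
}

// ClearPinBlock builds the PIN field (control digit, PIN length nibble, PIN,
// filler to 16 digits) and XORs in the PAN field. Format 0 fills with F; format
// 3 fills with random A..F, so the same PIN gives a different block each time.
func ClearPinBlock(pin, pan string, format int) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || (format != 0 && format != 3) || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4..12 decimal digits, format 0 or 3")
	}
	filler := make([]byte, 14-len(pin))
	if _, err := rand.Read(filler); err != nil {
		return nil, err
	}
	for i, b := range filler {
		filler[i] = 'F'
		if format == 3 {
			filler[i] = "ABCDEF"[b%6]
		}
	}
	block, err := hex.DecodeString(fmt.Sprintf("%d%X%s%s", format, len(pin), pin, filler))
	if err != nil {
		return nil, err
	}
	return block, xorPan(block, pan) // the clear block only ever exists inside a TRSM
}

// tdes returns the TDEA cipher for a double-length key (ANSI X9.52 key option 2: K1, K2, K1).
func tdes(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("a double-length (16-byte) key is required")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
}

// EncryptPinBlock forms the reversibly encrypted PIN block: one 8-byte block, TDEA in ECB mode.
func EncryptPinBlock(pin, pan string, format int, key16 []byte) ([]byte, error) {
	clear, err := ClearPinBlock(pin, pan, format)
	if err != nil {
		return nil, err
	}
	c, err := tdes(key16)
	if err != nil {
		return nil, err
	}
	enc := make([]byte, 8)
	c.Encrypt(enc, clear)
	return enc, nil
}

// DecryptPinBlock is the issuer-side reverse: decrypt, XOR the PAN field back
// out, then check control digit, length and digits before the PIN is used.
func DecryptPinBlock(enc []byte, pan string, key16 []byte) (string, error) {
	c, err := tdes(key16)
	if err != nil || len(enc) != 8 {
		return "", errors.New("bad key or encrypted block")
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	if err := xorPan(clear, pan); err != nil {
		return "", err
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n := strings.IndexByte("0123456789ABC", h[1]) // PIN length nibble; -1 if invalid
	if (h[0] != '0' && h[0] != '3') || n < 4 || strings.Trim(h[2:2+n], "0123456789") != "" {
		return "", errors.New("malformed PIN block")
	}
	return h[2 : 2+n], nil
}

func main() { // constructed key and PAN, for demonstration only
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	enc, err := EncryptPinBlock("1234", "4000001234567899", 3, key)
	fmt.Println(hex.EncodeToString(enc), err)
}
```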


4.3 Key Management Recommendations

In order to protect the secrecy of a PIN that has been encrypted using DES or Triple DES it is vital that the key used for encrypting and decrypting is also kept secret. It is particularly important that great care be exercised in order to protect the clear-text components of a key as they pass through the various life-cycles. The practices and recommendations laid down in this chapter, while not necessarily exhaustive, are considered effective in protecting the secrecy of encryption keys and their components (footnote 9).

4.3.1 General Recommendations


Usage
a) Keys should be unique:
i. All keys used in a PIN Entry Device, whether for key encryption or PIN encryption, should be unique to that device.
ii. Terminal Master Keys (TMKs), and any keys used to load TMKs, should be unique to the device being loaded.
iii. In a master/session key approach, the master key(s) and all session keys should be unique to each cryptographic device.
iv. Where a PIN Entry Device interfaces with more than one acquirer, the PED TRSM should have a completely different and unique key(s) for each acquirer. These should be totally independent and not variants of one another.
v. Keys that are generated by a derivation process and derived from the same base key should use unique data for the derivation process, such that all cryptographic devices receive unique initial keys.
vi. Zone encryption should be used for communication between organizations, and unique keys should be used for each identified link between host computer systems.
vii. Where two organizations share a key to encrypt PINs (including key encipherment keys used to encrypt the PIN encryption key) communicated between them, that key should be unique to those two organizations and should not be given to any other organization.

9 For more guidance on Key Management the reader is referred to the White Paper produced by K3DES LLC, Effective Encryption Key Management Practices, available at ATMIA's Best Practice Online Resource Center at http://www.atmianortham.com/ResourceCenter/atmresourcecenter.asp and on the GASA website at www.globalasa.com.


b) PIN encryption keys should be held in only the PIN Entry Device and in security modules at the minimum number of locations consistent with effective operation. Disclosure of the key in one such device should not provide information that could feasibly be used to determine the key in any other such device.
c) Keys may exist at more than one pair of locations for load balancing purposes, for example in dual processing sites.
d) Encryption keys should only be used for the purpose they were intended, so as to minimize exposure should a key be compromised. This is to say, for example, a Key Encryption Key should never be used as a PIN Encryption Key.
e) Keys should never be shared or substituted on a processor's production and test systems.
f) No key or key component should ever exist outside a TRSM except when encrypted, or securely stored and managed using the principles of dual control and split knowledge.

Dual Control & Split Knowledge


As in DES and Triple-DES the same key is used to encrypt and decrypt, the principles of dual control and split knowledge are fundamental to the protection of encryption keys. These principles should be applied throughout all key life-cycle stages.
a) Dual Control means that at least two authorized individuals are required to work in partnership to carry out an activity, such as generating, storing, or loading the clear text components of a key.
b) Split Knowledge means that no single individual knows, or has access to, a whole entity, be it all the clear-text components of a key, or the combination of a safe where key components are stored.
In order to implement these principles an organization should designate certain individuals as Key Custodians. Each Key Custodian should be assigned responsibility for specific key components throughout their life-cycle. They may be responsible for more than one key component, as long as no two components form part of the same key, as this would compromise the principle of split knowledge. One Key Custodian may back up another Key Custodian, but only where the principle of split knowledge wouldn't be compromised. A Key Custodian should not back up another Key Custodian where they are both responsible for components belonging to the same key. In order to reduce the opportunity for key compromise, the number of key custodians should be limited to the minimum number required. In general, the designation of a primary and a backup key custodian for each component should be sufficient. This designation should be documented by having each custodian sign a Key Custodian Form. The form should specifically authorize the custodian and identify the custodian's responsibilities for safeguarding key components or other keying material entrusted to them.


The Key Custodians should have no connection or reporting relationship to other Key Custodians.

Witnessing Key-related Events


Even with the principles of dual control and split knowledge in place it is recommended that certain life-cycle events be witnessed and signed-off by a third-party. This third-party should have no relationship with the Key Custodians involved. At a minimum key-related events that should be witnessed are:
a) Generation of encryption keys.
b) Erasure of encryption keys.
c) Destruction of cleartext encryption key components, regardless of the media they are on.
The witness should be given a copy of the script or procedure in use, so that they can follow the process, and should sign an affidavit to the effect that the activity was carried out completely and correctly. Any deviations from the script or procedure should be noted, along with the reason. These affidavits form part of the auditable records of the key management process and should be kept indefinitely.

Documentation, Administration & Logging


For the effective management of encryption keys and their components certain procedures, logs and forms should be in place.
a) Documented procedures should exist and be in use for:
i. All key generation processes.
ii. All key transmission and conveyance processes.
iii. All key loading activities.
iv. All key compromise activities, including replacement of compromised keys, escalation processes, damage assessment and remediation.
v. All key destruction activities.

b) An Encryption Key Log should be maintained for all actions related to key components. At a minimum this log should contain:
i. The name and signature of the authorized Key Custodian.
ii. The type of key.
iii. The number of the component.
iv. The date and time of the action.
v. The serial number of the tamper-evident envelope.
vi. The action undertaken.


The log should be periodically audited by an independent group, such as Information Security, for completeness and accuracy. The Encryption Key Log should be kept in a tamper-evident envelope in a secure place such as the safe. Its removal from the safe and its tamper-evident envelope should be recorded.
c) In addition to the log mentioned above certain other forms should be used to record activities undertaken with regard to keys and key components. At a minimum these forms should include:
i. A form to record encryption key component values and corresponding check sum values.
ii. A form for recording encryption key components that are being transported.
iii. A log for recording key loading activities.
iv. A form for recording PINs used to access smart cards that contain key components.
v. A form for recording any passwords needed to activate any equipment used.
vi. Affidavits for the generation or destruction of keys and key components.
These forms along with the Encryption Key Log form the basis for auditing key management processes. They should be complete and contain as much information as possible. They should be securely stored and made available to those individuals conducting an audit.
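An added example (editor-written, not from the manual) of the Dual Control & Split Knowledge principles and the component forms described above: each custodian's component is generated independently, the key is only ever formed by XOR inside the loading device, and the check value recorded on each component form lets an entry be verified without the value being disclosed. The check value method (TDEA encryption of an all-zero block, leftmost three bytes) is the usual convention and is assumed here, since the manual speaks only of "check sum values"; the type and function names are the example's own.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyCheckValue computes the conventional check value assumed by this
// example: encrypt an all-zero 8-byte block under the double-length key
// (used as K1, K2, K1) and keep the leftmost three bytes. A custodian can
// confirm a component was entered correctly by comparing check values,
// without the component itself ever being displayed or compared in clear.
func KeyCheckValue(key16 []byte) (string, error) {
	if len(key16) != 16 {
		return "", errors.New("a double-length (16-byte) key is required")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, make([]byte, 8))
	return fmt.Sprintf("%X", out[:3]), nil
}

// Component is what one key custodian holds: the 16-byte value (sealed in a
// tamper-evident envelope) and its check value, which is what the component
// form and the Encryption Key Log record.
type Component struct {
	Value []byte
	KCV   string
}

// GenerateComponents produces n independent random components. The key
// itself is never formed here, so no single custodian learns it (split
// knowledge); only the device that later combines them holds the whole key.
func GenerateComponents(n int) ([]Component, error) {
	if n < 2 {
		return nil, errors.New("split knowledge needs at least two components")
	}
	comps := make([]Component, n)
	for i := range comps {
		v := make([]byte, 16)
		if _, err := rand.Read(v); err != nil {
			return nil, err
		}
		kcv, err := KeyCheckValue(v)
		if err != nil {
			return nil, err
		}
		comps[i] = Component{Value: v, KCV: kcv}
	}
	return comps, nil
}

// CombineComponents models the key-load step inside the TRSM: each
// component's check value is verified against the recorded one as it is
// entered, then the components are XORed to form the key. The combined key's
// check value is returned so it can be logged; the key itself is not logged.
func CombineComponents(comps []Component) ([]byte, string, error) {
	if len(comps) < 2 {
		return nil, "", errors.New("need at least two components")
	}
	key := make([]byte, 16)
	for i, c := range comps {
		kcv, err := KeyCheckValue(c.Value)
		if err != nil {
			return nil, "", err
		}
		if kcv != c.KCV {
			return nil, "", fmt.Errorf("component %d failed check value: entered %s, recorded %s", i+1, kcv, c.KCV)
		}
		for j := range key {
			key[j] ^= c.Value[j]
		}
	}
	kcv, err := KeyCheckValue(key)
	return key, kcv, err
}

func main() {
	comps, err := GenerateComponents(3) // three custodians, constructed for demonstration
	if err != nil {
		panic(err)
	}
	for i, c := range comps {
		fmt.Printf("custodian %d: component check value %s (value stays sealed)\n", i+1, c.KCV)
	}
	_, kcv, err := CombineComponents(comps)
	fmt.Println("combined key check value:", kcv, err) // only the check value is written down
}
```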

Backups
In principle, unique keys, once loaded, should not be retained even for the purposes of back-up. Please note, it is not a requirement to have backup copies of key components or keys. However, for other keys:
a) Back-ups of secret keys should exist only for the purpose of reinstating keys that are accidentally destroyed. The back-ups should exist only in one of the allowed storage forms for that key.
b) Creation and management of back-up copies should be under dual control, they should be securely stored with proper access controls and subject to at least the same level of security as keys in use.
c) Backups (including cloning) should require a minimum of two authorized individuals to enable the process.


4.3.2 Specific Recommendations for Key Encryption


a) All DES keys used for encrypting keys for transmittal should be at least double-length keys and use the TDEA in an encrypt, decrypt, encrypt mode of operation for key encipherment.
b) A double- or triple-length DES key should not be encrypted with a DES key of a shorter length.
c) RSA keys used to transmit or convey other keys should use a key modulus of at least 1024 bits (footnote 10).
d) DES keys that are used to encrypt other keys or to encrypt PINs, and which exist outside of a TRSM, should be encrypted using either: the TDEA using at least double length keys, or RSA using a key modulus of at least 1024 bits. Schemes may allow alternative methods if validated to be at least as secure as TDES.
e) Symmetric secret keys may be encrypted using public key cryptography for distribution to PEDs as part of a key-establishment protocol.
f) Key variants should only be used in devices that possess the original key.
g) Although a key used to protect the PIN Encrypting Key should never be used for any other cryptographic purpose, variants of the same key may be used for different purposes.
h) Variants of a Master File Key should not be used external to the (logical) configuration that houses the MFK itself.

4.3.3 Specific Recommendations for Key Generation


The following is a list of the specific recommendations related to Key Generation. Please bear in mind that these are in addition to those recommendations already given in section 4.3.1, particularly those related to dual control and split knowledge, and documentation and logging.
a) All keys and key components should be generated using a random or pseudo random process that is capable of satisfying the statistical tests of FIPS 140-2 level 3.
b) Keys should be generated so that it is not feasible to determine that certain keys are more probable than other keys from the set of all possible keys.
c) An independent laboratory should certify self-developed implementations of a cryptographic pseudo-random number generator.

10 Key lengths should be periodically re-evaluated.


d) The output of the key generation process should be monitored to ensure there is no unauthorized tap or other mechanism that might disclose a cleartext key or key component as it is transferred between the key generation TRSM and the device or medium receiving the key or key component.
e) Printed key components should be printed within blind mailers, or sealed immediately after printing, so that only the party entrusted with it can observe each component and so that tampering can be detected.
f) Any residue from the printing or recording process that might disclose a component should be destroyed before an unauthorized person can obtain it.

4.3.4 Specific Recommendations for the Transfer, Conveyance and Distribution of Cleartext Components
The following is a list of the specific recommendations related to the transfer, conveyance and distribution of clear-text key components. Please bear in mind that these are in addition to those recommendations already given in section 4.3.1, particularly those related to dual control and split knowledge, and documentation and logging.
a) Where a private or secret key is being physically forwarded it should be sent as a minimum of two separate components, where:
i. Each component should be transferred in a tamper-evident package or within a TRSM.
ii. Each component should be sent via different communication channels, such as different courier services. It is not sufficient to send the key components for a specific key by the same courier on different days.
b) Private and secret keys may also be transferred by transmitting the key in ciphertext form, provided that this does not compromise the principle of split knowledge or the level of security in general.
c) All key encryption keys used to transmit or convey other cryptographic keys should be (at least) as strong as any key transmitted or conveyed.
d) Public keys should be conveyed in a manner that protects their integrity and authenticity and should use a mechanism independent of the actual conveyance to provide the ability to validate receipt of the correct key.
e) No person should have access to any cleartext key during the transport process.
f) Mechanisms should exist to ensure that only authorized custodians place key components into tamper-evident packaging for transmittal and that only authorized custodians open tamper-evident packaging containing key components upon receipt.


g) Any single unencrypted key component should be, at all times during its transfer, conveyance, or movement between any two organizational entities:
i) Under the continuous supervision of a person with authorized access to this component, or
ii) Locked in a security container (including tamper evident packaging) in such a way that it can be obtained only by a person with authorized access to it, or
iii) In a physically secure TRSM managed under the strict principles of dual control and split knowledge.

k) Key establishment protocols using public key cryptography may also be used to distribute PED symmetric keys. These key establishment protocols may use either key transport or key agreement. In a key transport protocol, the key is created by one entity and securely transmitted to the receiving entity. In a key agreement protocol, both entities contribute information, which is then used by the parties to derive a shared secret key.
l) A public key technique for the distribution of symmetric secret keys should:
i) Use public and private key lengths that are deemed acceptable for the algorithm in question (e.g., 1024 bits minimum for RSA at the time of writing; acceptable lengths increase over time);
ii) Use key-generation techniques that meet the current ANSI and ISO standards for the algorithm in question;
iii) Provide for mutual device authentication for both the host and the PED, including assurance to the host that the PED actually has (or actually can) compute the session key, and that no entity other than the specifically identified PED can possibly compute the session key.

4.3.5 Specific Recommendations for Key Component Storage and Physical Access

Please note that this section refers to keys and key components prior to their being loaded. Unique keys and their component parts should not be kept once they have been loaded. For details on storage of backup copies etc., the reader is referred to section 4.3.1 (Backups). Also note that these recommendations are in addition to those given in this chapter regarding dual control and split knowledge, and documentation and logging.

a) Printed or magnetically recorded key components should reside only within tamper-evident sealed envelopes, so that the component cannot be ascertained without opening the envelope.


b) The media upon which a component resides should always be physically safeguarded.
c) Components for a specific key that are stored in separate envelopes, but within the same secure container, place reliance upon procedural controls and do not meet the requirement for physical barriers.
d) Furniture-based locks, or containers with a limited set of unique keys, are not sufficient to meet the requirement for physical barriers.
e) No one but the authorized key custodian (and designated backup) should have physical access to a key component.
f) Key components may be stored on tokens (e.g., PC cards, smart cards, and so forth). These tokens should be stored in such a manner as to prevent unauthorized individuals from accessing the key components. For example, if key components are stored on tokens that are secured in safes, more than one person might have access to these tokens. Therefore, additional protection is needed for each token (possibly by using tamper-evident envelopes) to enable the token's owner to determine if a token was used by another person. Key components for each specific custodian should be stored in separate secure containers.
g) If a key is stored on a token, and a PIN or similar mechanism is used to access the token, only that token's owner (or designated backup) should have possession of both the token and its corresponding PIN.

4.3.6 Specific Recommendations for Key Loading and Entry

The following is a list of the specific recommendations related to key loading and entry. Please bear in mind that these are in addition to those recommendations already given in section 4.3.1, particularly those related to dual control and split knowledge, and documentation and logging.

a) All keys, when loaded from individual clear-text components, should be loaded using the principles of dual control and split knowledge.
b) Manual key loading may involve the use of media such as paper or specially designed key-loading hardware devices. For devices that do not support the entry of full-length components, two or more components should be created and used.
c) Any TRSM loaded with the same key components should combine all entered key components using the identical process.
d) Any mechanisms used to load keys, such as terminals, external PIN pads, key guns, etc., should be protected to prevent any type of monitoring that could result in the unauthorized disclosure of any component.
e) Prior to key loading, TRSM equipment should be inspected to detect any evidence of monitoring or tampering.


f) Plaintext keys and key components should be transferred into a TRSM only when it can be ensured that there is no tap at the interface between the conveyance medium and the cryptographic device that might disclose the transferred keys, and that the device has not been subject to any prior tampering which could lead to the disclosure of keys or sensitive data.
g) A TRSM should transfer a plaintext key only when at least two authorized individuals are identified by the device (e.g., by means of passwords or other unique means of identification).
h) The injection of key components from electronic media into a cryptographic device (and, if applicable, confirmation that the component was correctly received) should result in one of the following: the medium is placed into secure storage, if there is a possibility it will be required for future re-insertion of the component into the cryptographic device; or all traces of the component are erased or otherwise destroyed from the electronic medium.
i) For keys transferred from the cryptographic hardware that generated the key to an electronic key-loading device:
i) The key-loading device should be a physically secure TRSM, designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected;
ii) The key-loading device should be under the supervision of a person authorized by management, or stored in a secure container such that no unauthorized person can have access to it;
iii) The key-loading device should be designed, or controlled, so that only authorized personnel under dual control can use and enable it to output a key into another TRSM. Such personnel should ensure that a key-recording device is not inserted between the TRSMs;
iv) The key-loading device should not retain any information that might disclose the key, or a key that it has successfully transferred.

j) Any tokens, EPROMs, or other key component holders used in loading encryption keys should be maintained using the same controls used in maintaining the security of hard-copy key components. These devices should be in the physical possession of only the designated component holder, and only for the minimum practical time.
k) If the component is not in human-comprehensible form (e.g., in a PROM module, in a smart card, on a magnetic stripe card, and so forth), it should be in the physical possession of only one entity for the minimum practical time until the component is entered into a TRSM.


l) If the component is in human-readable form (e.g., printed within a PIN-mailer type document), it should be visible at any one point in time to only one person (the designated key custodian), and only for the duration of time required for this person to privately enter the key component into a TRSM.
m) Printed key component documents should not be opened until just prior to entry.
n) All hardware and passwords used for key loading should be managed under dual control.
o) Any hardware used in the key-loading function should be controlled and maintained in a secure environment under dual control. Use of the equipment should be monitored, and a log of all key-loading activities maintained for audit purposes. All cable attachments should be examined before each use to ensure they have not been tampered with or compromised.
p) Any physical (e.g., brass) key(s) used to enable key loading should not be in the control or possession of any one individual who could use those keys to load cryptographic keys under single control.
q) The loading of keys or key components should incorporate a validation mechanism (such as a key check value) such that the authenticity of the keys is ensured, and it can be ascertained that they have not been tampered with, substituted, or compromised.
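Two of the recommendations in this chapter carry most of the implementation detail: conveying a key as at least two separately transported components, and loading it only with a validation mechanism that detects tampering or substitution (item q above). The following Go program is an added example written for this edition of the manual; it is not code from GASA or from any HSM or ATM vendor. It splits a double-length Triple DES key into XOR components, tags each component with its own key check value (KCV), and at loading time refuses to combine the set unless every component's KCV and the rebuilt key's KCV match values the generating party conveyed through a separate channel. The KCV construction (first three bytes of the TDES encryption of a zero block, with K1||K2 applied as K1||K2||K1) is the conventional one; the type, function and field names are this example's own assumptions. Go is used because its standard library includes Triple DES.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is one clear-text share of a double-length TDES key, as it would
// travel in its own tamper-evident envelope. Its KCV lets the receiving
// custodian confirm the share arrived intact without learning anything about
// the other shares.
type Component struct {
	Index int
	Value []byte // 16 bytes: one XOR share of the key
	KCV   []byte // 3-byte check value of this share alone
}

// tdesKCV is the conventional key check value: the first three bytes of the
// TDES encryption of an all-zero block, with K1||K2 applied as K1||K2||K1.
// (DES ignores the parity bit of each key byte, so the KCV does not cover it.)
func tdesKCV(key16 []byte) ([]byte, error) {
	if len(key16) != 16 {
		return nil, errors.New("double-length key must be 16 bytes")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, make([]byte, 8))
	return out[:3], nil
}

// SplitKey produces n XOR shares. Any n-1 of them are independent of the key,
// so one custodian or one courier holding a single share learns nothing.
func SplitKey(key16 []byte, n int) ([]Component, error) {
	if n < 2 {
		return nil, errors.New("split knowledge needs at least two components")
	}
	var comps []Component
	last := append([]byte{}, key16...) // ends up as key XOR all random shares
	for i := 1; i <= n; i++ {
		share := last
		if i < n {
			share = make([]byte, 16)
			if _, err := rand.Read(share); err != nil {
				return nil, err
			}
			for j := range last {
				last[j] ^= share[j]
			}
		}
		kcv, err := tdesKCV(share)
		if err != nil {
			return nil, err
		}
		comps = append(comps, Component{Index: i, Value: share, KCV: kcv})
	}
	return comps, nil
}

// CombineKey is the loading step: verify each share's own KCV (one failure
// condemns the whole set), XOR the shares, then compare the rebuilt key's KCV
// with the value the key generator conveyed through a separate channel.
func CombineKey(comps []Component, publishedKCV []byte) ([]byte, error) {
	if len(comps) < 2 {
		return nil, errors.New("refusing to load a key from fewer than two components")
	}
	key := make([]byte, 16)
	for _, c := range comps {
		kcv, err := tdesKCV(c.Value)
		if err != nil {
			return nil, err
		}
		if !bytes.Equal(kcv, c.KCV) {
			return nil, fmt.Errorf("component %d failed its check value: discard the set and request re-issue", c.Index)
		}
		for j := range key {
			key[j] ^= c.Value[j]
		}
	}
	kcv, err := tdesKCV(key)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(kcv, publishedKCV) {
		return nil, errors.New("rebuilt key does not match the published KCV: wrong or incomplete set")
	}
	return key, nil
}

func main() {
	key := make([]byte, 16) // in practice generated inside an HSM, with odd parity
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	published, _ := tdesKCV(key) // conveyed to the receiving site separately
	comps, _ := SplitKey(key, 2)
	for _, c := range comps {
		fmt.Printf("component %d travels with KCV %s\n", c.Index, hex.EncodeToString(c.KCV))
	}
	rebuilt, err := CombineKey(comps, published)
	fmt.Println("loaded correctly:", err == nil && bytes.Equal(rebuilt, key))
}
```

The order of checks in CombineKey matters: a component is rejected on its own KCV before any XOR takes place, so a custodian who receives a damaged or substituted envelope can discard the set without ever holding the other components, and an incomplete set (one courier's envelope missing) is caught by the final KCV comparison rather than silently loading a wrong key.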

4.3.7 Specific Recommendations for Key Compromise and Destruction

The following is a list of the specific recommendations related to key compromise and destruction. Please bear in mind that these are in addition to those recommendations already given in relation to dual control and split knowledge, and documentation and logging.

a) The compromise of a key requires the destruction of that key and all variants and non-reversible transformations of that key, as well as all keys encrypted under or derived from that key. Likewise, known or suspected substitution of a secret key requires destruction and replacement of that key and any associated key encipherment keys.
b) A cryptographic key should be replaced with a new key whenever the compromise of the original key is known or suspected. In addition, all keys encrypted under or derived using that key should be replaced with new keys within the minimum feasible time. The replacement key should not be a variant of the original key, or an irreversible transformation of the original key.
c) Key components should never be reloaded when there is any suspicion that either the originally loaded key or the device has been compromised. If suspicious alteration is detected, new keys should not be installed until the TRSM has been inspected and assurance reached that the equipment has not been subject to unauthorized physical or functional modification.


d) Specific events should be identified that would indicate a compromise may have occurred. Such events may include, but are not limited to:
- Missing cryptographic devices.
- Tamper-evident seals or envelope numbers, or dates and times, not agreeing with log entries.
- Tamper-evident seals or envelopes that have been opened without authorization, or that show signs of attempts to open or penetrate them.
- Indications of physical or logical access attempts to the processing system by unauthorized individuals or entities.
Procedures should require that plain-text key components stored in tamper-evident envelopes that show signs of tampering result in the destruction and replacement of the set of components, as well as of any keys encrypted under this key.
e) If attempts to load a key or key component into a cryptographic device fail, the same key or component should not be loaded into a replacement device unless it can be ensured that all residue of the key or component has been erased or otherwise destroyed in the original device.
f) Instances of keys or key components that are no longer used, or that have been replaced by a new key, should be securely destroyed. Keys maintained on paper should be burned, pulped or shredded in a cross-cut shredder. If the key is stored in EEPROM, the key should be overwritten with binary zeros a minimum of three times. If the key is stored on EPROM or PROM, the chip should be physically destroyed in such a way as to leave it unusable and unrepairable; where possible it should be broken into pieces and the pieces disposed of separately. Other permissible forms of a key instance (physically secured, enciphered or components) should be destroyed following the procedures outlined in ISO 9564-1 or ISO 11568-3. In all cases, a third party (other than the custodian) should observe the destruction and sign an affidavit of destruction.
g) Key encipherment key components used for the conveyance of working keys should be destroyed after successful loading and validation of the working key.
h) Documented procedures should exist, be known by all affected parties, and be demonstrably in use for:
i) Replacement of compromised keys, including subsidiary keys (i.e. those keys enciphered using the compromised key), to a value not feasibly related to the original key.
ii) An escalation process, including notification to organizations that currently share or have previously shared a suspect key. The procedures should also include damage assessment and details of specific actions to be taken with system software and hardware, keys, encrypted data, etc.


i) Controls and procedures should also exist to prevent or detect the unauthorized substitution of one key for another, thereby reducing the risk of an adversary substituting a key known only to them. These procedures should include investigating multiple synchronization errors.
j) To prevent substitution of a compromised key for a legitimate key, key component documents that show signs of tampering should result in the discarding and invalidation of the component and the associated key at all locations where they exist.

4.3.8 Specific Recommendations for Key Equipment Management

The following is a list of the specific recommendations related to the management of key equipment. Please bear in mind that these are in addition to those recommendations already given in section 4.3.1, particularly those related to dual control and split knowledge, and documentation and logging.

a) Hardware Security Modules (HSMs) and PIN Entry Devices (PEDs) should only be placed into service if there is assurance that the equipment has not been subject to unauthorized modification, substitution, or tampering. This requires physical protection of the device up to the point of key insertion or inspection, and possibly testing of the device immediately prior to key insertion. Techniques include the following:
- Cryptographic devices are transported from the manufacturer's facility to the place of key insertion using a trusted courier service. The devices are then securely stored at this location until key insertion occurs.
- Cryptographic devices are shipped from the manufacturer's facility to the place of key insertion in serialized, counterfeit-resistant, tamper-evident packaging. Devices are then stored in such packaging, or in secure storage, until key insertion occurs.
- The manufacturer's facility loads into each cryptographic device a secret, device-unique transport-protection token. The TRSM used for key insertion has the capability to verify the presence of the correct transport-protection token before overwriting this value with the initial key that will be used.
- Each cryptographic device is carefully inspected, and perhaps tested, immediately prior to key insertion using due diligence. This is done to provide reasonable assurance that it is the legitimate device and that it has not been subject to any unauthorized modifications.
b) Records should be maintained of the tests and inspections given to PIN-processing devices before they are placed into service, as well as of devices being decommissioned.
c) Controls should exist to ensure that a counterfeit device possessing all the correct operational characteristics plus fraudulent capabilities has not been substituted for a legitimate device.


d) Notwithstanding how the device is inspected and tested, the device serial number should be verified against the purchase order, invoice, waybill or similar document to ensure that device substitution has not occurred.
e) Devices incorporate self-tests to ensure their correct operation. Devices should not be re-installed unless there is assurance they have not been tampered with or compromised.
f) Key and data storage should be zeroized when a device is decommissioned.
g) If necessary to comply with the above, the device should be physically destroyed so that it cannot be placed into service again, or allow the disclosure of any secret data or keys.
h) Any TRSM capable of encrypting a key, and producing cryptograms of that key, should be protected against unauthorized use. This protection takes the form of either or both of the following:
i) Dual access controls are required to enable the key encryption function.
ii) Physical protection of the equipment, with access under dual control.
i) Cryptographic equipment should be managed in a secure manner in order to minimize the opportunity for key compromise or key substitution. That is to say, physical keys, authorization codes, passwords, or other enablers should be managed under dual control and split knowledge.
j) Controls should exist and be in use to ensure that all physical and logical controls and anti-tamper mechanisms used are not modified or removed.
k) Documented procedures should exist, be known by all affected parties, and be demonstrably in use for the following:
i) Inventory control and monitoring allowing equipment to be tracked by both physical and logical identifiers, so as to protect equipment against unauthorized substitution or modification, or to detect lost or stolen equipment.
ii) Destruction of all keys and PINs, or related data, within a cryptographic device when that device is removed from service.
iii) The security and integrity of PIN-processing equipment as it is placed into service, initialized, deployed, used, and decommissioned. These should include the principles of dual control and split knowledge.
iv) Physical security of, and access to, host Tamper Resistant Security Modules (TRSMs).


4.4 Key Management Regimes

4.4.1 Recommendations for Key Management Regimes

Only Key Management regimes agreed by the network can be used. Members may submit proposals for other regimes to the network for agreement. Please see GASA's Best Practice PIN Security & Key Management Recommendations, pp. 27-28, parts 4.1 and 4.2, for details of recommended key management regimes.

4.5 Cryptography Best Practice Recommendations

4.5.1 Objective

The cryptographic algorithms and key lengths shall be such that the likelihood of finding the key, or the data it is protecting, is low within the life of the key. The objective of key management is to provide users with the keys that they need to perform the required cryptographic operations, and to control the use of those keys. It ensures that the keys are protected during their lifecycle, minimizing both the opportunity for a breach of security and the consequences of a security breach, and maximizing the probability that any illicit access to, or change of, keys is detected.

4.5.2 Recommendations for Algorithms

a) Only algorithms approved by the Network for PIN block encryption should be used. Currently only the Data Encryption Standard (DES) algorithm is permitted, applied as Triple DES as required in b) and c) below.
b) The connection between the member host and the network should use Triple DES, as defined in ANSI X9.52.
c) The connection between the ATM and the Acquirer host should use a hardware implementation of Triple DES, as defined in ANSI X9.52 and according to industry-decreed timings.

4.5.3 Recommendations for Key Length

a) Only key lengths approved by the network should be used.
b) Double-length (112-bit) DES keys (Zone PIN Keys and Zone Master Keys) should be used between each member and the network.
c) All TMKs (Terminal Master Keys) and TPKs (Terminal PIN Keys) should be double-length (112-bit) keys, according to industry-decreed timings and standards, or use an approved, more secure encryption method.


Chapter 5
Data & Transactional Security
5.1 Introduction

The purpose of these recommendations is to protect ATM networks, their members and their cardholders, and ATM owners, from attacks designed to compromise sensitive data or defraud financial institutions and their cardholders. This protection takes into account not just the direct financial losses that may be incurred, but also the potential reputational damage and its impact on customer confidence in the ATM network and ATMs in general.

5.2 Principles Underlying Information Security

When developing and devising a Security Policy the following points should be taken into consideration. The level of security to be achieved should be commensurate with:
- the sensitivity of the data;
- the risk of the data being compromised;
- the impact of any compromise;
- the practicality and cost of providing the security measure.

The prevailing legal and regulatory framework should be adhered to. Information security controls should be compatible with relevant industry standards. All parties to a transaction on an ATM network should have implemented a formal Information Security management structure, and every member of an ATM network should establish responsibilities and procedures for managing security. All parties to a transaction on an ATM network should manage Information Security within their own organisations, and should be responsible for the protection of all sensitive information that they transmit.


In addition, all network members should have implemented a Security Policy covering common areas such as:
- the network configuration required to protect the method by which the issuer authenticates the cardholder;
- protection of confidential data from unauthorised access;
- maintenance of data integrity.

Operating practice should be subject to regular internal reviews to ensure ongoing compliance with security policies and procedures. No individual should have the capability to access or ascertain the PIN or any plain-text secret key. In any hierarchical cryptographic scheme, the hierarchy of the keys should be such that the encryption of the higher-level key is always of at least the same strength as the key it is protecting. Where the same encryption algorithm is used, the length of the higher key should be at least as long as that of the lower key. Where different encryption algorithms are used, the principle that should be adopted is that the time taken for an attack on the higher key shall be at least as long as that for the lower key.

5.3 Information Security Policy

Each ATM network should provide an Information Security Policy for the network as a complete entity. Each ATM network should publish its own internal Information Security Policy covering its own responsibilities. Each member of the ATM network should publish a Security Statement describing the discharge of its responsibilities in the network.

5.4 Security Management

An information security infrastructure should be established to manage information security both within the organisation and at its interfaces. There should be a management framework to initiate and control information security within the organisation. Senior management should approve the Information Security Policy, assign clearly defined security roles, and co-ordinate the implementation of security across the organisation.


In addition, an ATM network should establish a Network Security Group to:
- review and recommend an Information Security Policy and overall responsibilities;
- monitor the network's exposure to major threats to information assets;
- review and monitor security developments;
- recommend initiatives to enhance information security;
- annually ratify an Information Security Standard;
- conduct periodic reviews, no more than 5 years apart, of the Information Security Standard and recommend enhancements when appropriate;
- be notified of any security or fraud incidents involving the network.

5.5 Message Security for ATM Networks

The objective of message security is to minimise the risk of fraud occurring within the ATM network, or other EFT systems, from the unauthorised disclosure of message data as it is transmitted through the network. Security classifications and associated protective measures should take account of the business needs for sharing or restricting data, and the business impact associated with unauthorised access or damage to the data. When considering security, the following business needs should be taken into account:

Availability: the business need to have data available when required by the business, and the controls required to achieve this.
Integrity: the business need to control modifications to data, and the controls required to protect the accuracy and completeness of data.
Confidentiality: the business need to share or restrict access to data, and the controls required to restrict access to the information.

5.6 Definitions of Security Classifications of Data

Within each of the business needs discussed previously, that is Availability, Integrity and Confidentiality, there is a range of classifications that can be applied to the different types of data involved. Additionally, each piece or type of data will normally have a classification related to each of the business needs. For example, the Availability of transaction records may be classed as Inconvenient, while their Integrity may be classed as Strong (High) and their Confidentiality as Restricted.


5.6.1 The Business Need for Availability

This covers transaction data where failure to access the data could have a critical impact on the service provided to the cardholder, and may cause financial loss, and/or embarrassment or loss of customer confidence in the network.

Critical: Data that must be made available within two hours of any incident.
Very Serious: Data that must be made available within 12 hours of any incident.
Serious: Data that must be made available within 24 hours of any incident.
Inconvenient: Data that would cause inconvenience if not available for more than 24 hours, but would not impact unduly on the service provided to cardholders.

5.6.2 The Business Need for Integrity

Strong (High Integrity): Data within the network that, if corrupted, inaccurate, duplicated or deleted, either deliberately or accidentally, might lead the network to suffer from:
- unquantifiable losses;
- significantly damaged public confidence;
- litigation;
- significant adverse publicity;
- widespread reputational damage.

Enhanced (Medium Integrity): Data within the network that, if corrupted, inaccurate, duplicated or deleted, either deliberately or accidentally, might lead the network to suffer from limited loss.
Basic (Low Integrity): Data within the network that, if corrupted, inaccurate, duplicated or deleted, either deliberately or accidentally, might lead the network to suffer from little or no loss.

5.6.3 The Business Need for Confidentiality

Internal: Data to be made available to all Network and member staff and contractors, subject to Non-Disclosure Agreements, but not in the public domain.
Private: Data known to one person but not shared with other individuals, e.g. PIN, password, cryptographic key component.
Public: Data that is in the public domain or is intended to be accessible to all.
Restricted: Data that, if disclosed to parties not authorised to view it:
- could result in legal action against the network;
- could enable fraudulent acts to occur, with the potential for financial loss to the network;
- has strategic value and would severely disadvantage the network if disclosed in public or to rival organisations;
- is sensitive within the network;
- is operational information that should be viewed only by authorised staff on a need-to-know basis, e.g. code.
Secret: Data not known to any individual, e.g. cryptographic keys, decrypted secure handshakes, sign-on control messages.

5.7 Allocation of Responsibilities for Message Security

The responsibility for the confidentiality, integrity and transmission of messages and transaction data should, in general terms, lie with the originator of the message. A table outlining the recommended responsibilities in the various zones can be found in GASA's Best Practice for ATM Transactional Security, section 2.4, p.10.

5.8 Data Confidentiality & Integrity for ATM Networks

In order to protect the confidentiality of transaction data the following is recommended:
- Cardholder-specific transaction data should not be disclosed to third parties without the express agreement of the card issuer, unless requested by an approved regulatory body.
- The full Primary Account Number (PAN) should not be printed on transaction receipts at the ATM.
- No discretionary data from Track 2 should be printed on transaction receipts at the ATM.
- Line encryption should be used between the acquirer or issuer host and the Network Switch.


In order to safeguard the accuracy and completeness of the transaction data the following is recommended:
- Each transaction should be uniquely identified.
- ATMs and systems should be protected against replay attacks.
- The ATM should be protected against unauthorised modification of the software or transaction data.

The following is recommended to prevent unauthorised access to the network, and to audit data and other transaction-related data:
- Acquirers should take precautions to identify and prevent unauthorised connection of remote terminals to their networks.
- The recommendations for additional authentication should be reviewed periodically.
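As an added example (not part of GASA's text or of any network's specification), the following Go program shows the receiver-side checks behind the integrity recommendations above: a unique transaction identifier, detection of modified messages by a MAC that the originator attaches (the originator's responsibility under 5.7), and rejection of replayed messages. The message layout, the use of HMAC-SHA256 as the MAC, and the five-minute freshness window are this example's assumptions; the same ordering of checks applies whatever MAC algorithm a network specifies. The sample values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Message is a simplified withdrawal request. The field set is constructed for
// this example; a production network carries ISO 8583 messages.
type Message struct {
	TerminalID string
	STAN       string    // system trace audit number, unique per terminal per day
	Sent       time.Time // the terminal's transaction time
	Amount     int64     // minor currency units
	Body       string
	MAC        string    // hex MAC over canonical()
}

// canonical fixes the exact byte string that is authenticated, so originator
// and receiver always MAC the same fields in the same order.
func (m Message) canonical() []byte {
	return []byte(strings.Join([]string{m.TerminalID, m.STAN,
		m.Sent.UTC().Format(time.RFC3339), fmt.Sprint(m.Amount), m.Body}, "|"))
}

// ID is the unique transaction identifier the receiver de-duplicates on.
func (m Message) ID() string {
	return m.TerminalID + "/" + m.STAN + "/" + m.Sent.UTC().Format(time.RFC3339)
}

func mac(key []byte, m Message) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(m.canonical())
	return h.Sum(nil)
}

// Sign is the originator's side: it attaches the MAC under the MAC key it
// shares with the receiver, taking responsibility for the message's integrity.
func Sign(m *Message, key []byte) { m.MAC = hex.EncodeToString(mac(key, *m)) }

// Verifier is the receiving host's state for one sending zone.
type Verifier struct {
	key    []byte
	window time.Duration        // how long a message stays acceptable, and remembered
	seen   map[string]time.Time // IDs accepted within the window
}

func NewVerifier(key []byte, window time.Duration) *Verifier {
	return &Verifier{key: key, window: window, seen: map[string]time.Time{}}
}

// Accept runs the checks in the order that keeps the replay cache trustworthy:
// MAC first (so forged IDs cannot pollute it), then freshness (so the cache
// only has to remember one window), then uniqueness.
func (v *Verifier) Accept(m Message, now time.Time) error {
	got, err := hex.DecodeString(m.MAC)
	if err != nil || !hmac.Equal(got, mac(v.key, m)) {
		return errors.New("MAC failure: message altered, or wrong MAC key")
	}
	if age := now.Sub(m.Sent); age > v.window || age < -v.window {
		return fmt.Errorf("stale message: sent at %s, outside the %s window", m.Sent.Format(time.RFC3339), v.window)
	}
	for id, t := range v.seen { // forget IDs that can no longer pass the freshness check
		if now.Sub(t) > v.window {
			delete(v.seen, id)
		}
	}
	if _, dup := v.seen[m.ID()]; dup {
		return errors.New("replay: transaction ID already processed")
	}
	v.seen[m.ID()] = m.Sent
	return nil
}

func main() {
	key := []byte("example-mac-key") // constructed; real MAC keys come from the key hierarchy
	v := NewVerifier(key, 5*time.Minute)
	now := time.Date(2005, 10, 13, 9, 0, 0, 0, time.UTC)
	m := Message{TerminalID: "ATM0001", STAN: "000123", Sent: now, Amount: 10000, Body: "WITHDRAWAL"}
	Sign(&m, key)
	fmt.Println("first delivery:", v.Accept(m, now.Add(time.Second)))
	fmt.Println("replayed copy: ", v.Accept(m, now.Add(2*time.Second)))
	m.Amount = 100000 // amount changed in transit, MAC not recomputed
	fmt.Println("altered amount:", v.Accept(m, now.Add(3*time.Second)))
}
```

Because the freshness window bounds how long an ID must be remembered, the replay cache stays small; a copy of a message resubmitted after the window has passed is rejected by the freshness check even though the cache has already forgotten it, which is why the two checks have to be used together.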

5.9 Procedure & Review Recommendations

For details of how to ensure the correct operation of the security regime, please see section 3.4, p1.2 of GASA's Best Practice for ATM Transactional Security.


Chapter 6
ATM Cyber Security
6.1 Outlining the Drivers for ATM Cyber Security
Financial institutions and ATM operators are replacing and upgrading ageing Automatic Teller Machine fleets across the globe in order to satisfy regulatory and business imperatives. Regulatory requirements include the use of the Triple DES encryption algorithm, whilst business drivers include demands for increased functionality, enhanced customer experience and system integration to streamline management and monitoring. In order to satisfy these drivers, new platforms built on mainstream technologies are being introduced, and this is altering the vulnerability landscape of what was traditionally a proprietary system. Basing the ATM channel on Windows XP and other common-use operating systems, and on the TCP/IP protocol suite, has created a new and different threat and risk profile for the industry. Proprietary technologies afforded ATMs a degree of defence against malware, hacking toolkits and utilities, denial-of-service attacks and other threats that have been used to exploit vulnerabilities in more prevalent operating systems and networks. Most modern ATMs now run on operating systems and network protocols known to, and familiar to, the majority of computer users. As a result, they sit in the same vulnerability landscape as the majority of computing systems and networks in use today, and are consequently exposed to many of the associated threats. The risk mitigation recommendations in this chapter are designed to address these new kinds of cyber threat.

6.2 Operating System Security

The default installation of modern operating systems includes many components, packages or clusters. The selection of system components ultimately installed as part of an operational build can usually be made either during installation, post-installation, or both. However, as the majority of ATMs are delivered with a standard operating system build, the only opportunity to remove unnecessary packages is post-installation. Only the components necessary for the normal operation of the ATM should be installed. The decision to remove a particular package needs to be analysed against the ATM vendor's application requirements, and the acquirer's management, monitoring and other operational considerations.

It is sound security practice to ensure that the operating system patch level meets the latest requirements prior to the ATM being deployed. This will require consultation with the ATM vendor and operating system software support staff and/or knowledge bases to determine applicability, operational impact and depth of regression testing. Any additional patches applied should be included as part of a standard build for multiple ATM deployments. Patches or hot fixes applied to a customised or hardened operating system may undo the hardening modifications, so pre-deployment patching should be undertaken before those modifications are introduced, and the hardening settings re-checked after any later patch. Ongoing system patching is critical to risk management and security assurance throughout the lifetime of the ATM. A communication channel should be established between the vendor and the ATM owner/service provider to ensure timely notification of vulnerabilities and of operating system or application patches. All system patches should be applied in a test environment prior to their implementation in the production fleet.

Most commercial operating systems enable, and automatically start, a large number of services that would not normally be required by an ATM. Only those services necessary for normal operation of the device should be enabled and set to start automatically. The decision to disable a particular service needs to be analysed against the ATM vendor's application requirements, and the acquirer's management, monitoring and other operational considerations. Services should be run with the least privilege necessary. For details on recommended Operating System Security Policies for Windows XP, including security settings, please see the GASA manual Best Practice for ATM Cyber Security, Section 1.4, pages 3-6.

Certain events that relate to account access or operating system status should be configured to be captured in the system event logs. As a minimum, the following items should be audited; the ability to configure specific system auditing will, however, depend on the ATM operating system:
- Account Modification: track changes to the account database on the operating system. Specifically, capture account creation, deletion or modification (e.g. changes to group membership).
- Account Use: track successful and unsuccessful attempts to log on to the operating system.
- Privilege Use/Elevation: track unsuccessful attempts to access privileged programs or to gain elevated privilege (e.g. the use of the su command on Linux).
- Major System Events: track system restarts, shutdowns or runtime mode changes.

System event logs should be protected from unauthorised modification or deletion by suitable access control lists or file permissions.
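As an added example (not part of the GASA manual), the following Python script classifies audit-log records into the four minimum audit classes listed above and pulls out the findings a reviewer would check first: every account-database change, every failed logon, every failed privilege elevation and every restart. The log format, host name, account names and event names are constructed for the example and do not correspond to any real operating system's event log.

```python
"""Classify constructed audit-log lines into the four event classes that the
manual says an ATM's operating-system event log should capture at minimum."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed record format (an assumption for this example, not a real OS log):
#   <timestamp> <host> <EVENT_NAME> key=value key=value ...
SAMPLE_LOG = """\
2005-10-13T02:14:07 atm-0042 ACCOUNT_CREATED user=svc_remote by=Administrator
2005-10-13T02:14:09 atm-0042 GROUP_MEMBER_ADDED user=svc_remote group=Administrators by=Administrator
2005-10-13T02:15:31 atm-0042 LOGON_FAILED user=Administrator reason=bad_password
2005-10-13T02:15:44 atm-0042 LOGON_FAILED user=Administrator reason=bad_password
2005-10-13T02:16:02 atm-0042 LOGON_OK user=atmruntime
2005-10-13T02:20:15 atm-0042 PRIV_ELEVATION_FAILED user=atmruntime target=su
2005-10-13T02:21:00 atm-0042 SYSTEM_RESTART initiated_by=atmruntime
2005-10-13T02:21:30 atm-0042 LOGON_OK user=atmruntime
"""

# Map the constructed event names onto the manual's four minimum audit classes.
EVENT_CLASS = {
    "ACCOUNT_CREATED": "account_modification",
    "ACCOUNT_DELETED": "account_modification",
    "ACCOUNT_MODIFIED": "account_modification",
    "GROUP_MEMBER_ADDED": "account_modification",
    "GROUP_MEMBER_REMOVED": "account_modification",
    "LOGON_OK": "account_use",
    "LOGON_FAILED": "account_use",
    "PRIV_ELEVATION_FAILED": "privilege_use",
    "PRIV_PROGRAM_ACCESS_DENIED": "privilege_use",
    "SYSTEM_RESTART": "major_system_event",
    "SYSTEM_SHUTDOWN": "major_system_event",
    "RUNTIME_MODE_CHANGE": "major_system_event",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>[A-Z_]+)(?P<rest>.*)$")


@dataclass
class AuditEvent:
    ts: str
    host: str
    event: str
    fields: dict
    audit_class: str


def parse_line(line):
    """Parse one record; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    event = m.group("event")
    return AuditEvent(m.group("ts"), m.group("host"), event, fields,
                      EVENT_CLASS.get(event, "unclassified"))


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarise(events):
    """Count of records per audit class, to confirm each class is being captured."""
    return Counter(e.audit_class for e in events)


def findings(events):
    """Records a reviewer should look at: account changes, failed logons,
    failed privilege elevation and major system events."""
    out = []
    for e in events:
        if e.audit_class == "account_modification":
            out.append(f"{e.ts} account change {e.event} {e.fields}")
        elif e.event == "LOGON_FAILED":
            out.append(f"{e.ts} failed logon for {e.fields.get('user')}")
        elif e.event == "PRIV_ELEVATION_FAILED":
            out.append(f"{e.ts} failed elevation by {e.fields.get('user')} via {e.fields.get('target')}")
        elif e.audit_class == "major_system_event":
            out.append(f"{e.ts} {e.event} initiated_by={e.fields.get('initiated_by', '?')}")
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(dict(summarise(evs)))
    for f in findings(evs):
        print(f)
```

The point of the summary is the negative case: if one of the four classes never appears over a fleet, auditing for that class is probably not configured, which is the check the manual's "as a minimum" list implies.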


6.3 Account Security

A typical operating system installation will include various system and user accounts (e.g. Guest) that are usually not necessary for the normal operation of the ATM. These accounts need to be locked, disabled or deleted depending on the operating system and the function of the account.

The ATM operating system will also have a super user or administrator account, and if permissible, this account should be renamed to a unique account for each ATM. The account name and password should be released to authorised individuals as required for support purposes. If the introduction of unique administrator accounts for each ATM is determined to be operationally untenable, the passwords should consist of 14 characters, with complexity enforced.

Accounts should be set to lock out after 3 failed logon attempts if the unsuccessful attempts occur within a 15 minute period. In environments where the password length is 14 characters with complexity enforced, it is reasonable to increase this lockout threshold to 5. The accounts should be locked out for a specific period of time, and it is recommended that this be set to 15 minutes.

ATM application design should ensure that elevated account privilege levels are not required for normal operation. Any additional software installed to provide business or support enhancements should also abide by this principle. If the operating system permits, access to the desktop or command line shell should be denied to the runtime account.

Depending on the operating system and application design, there may be one or more privileged accounts configured at the operating system level. The passwords assigned to these accounts should adhere to standard privileged account password security principles, namely:

- Password Uniqueness: each privileged account on each ATM should have a unique password.
- Password Complexity: each privileged account on each ATM should have a password that is a minimum of 8 characters consisting of letters, numbers, mixed case and meta-characters. Additionally, the password should not match the account name.
- Password Ageing: whilst it is recognised that all passwords should be subject to ageing, the frequency of password changes cannot be determined in isolation. When considering the lifecycle of a password, the following should be taken into consideration:
  - Privilege level of account
  - Frequency of use/access
  - Administrative overhead/cost of actually implementing the password change
  - Operational impact of implementing the password change
- Password History: configuring password history requirements will preclude a previously used password from being re-applied to a particular account. It is recommended that password history for privileged accounts be set to 12, which prevents any of the previous 12 passwords from being chosen as the new account password.
- Password Storage: all privilege level passwords should be stored securely and provided to administrative and support staff as required. Passwords should only be released to authorised personnel and the release recorded for audit purposes.

Some ATM applications (e.g. Maintenance/Administrative Mode access, firewall software) may require passwords to be entered in order to gain access to the functions or configuration menus they provide. Access to these application menus should be treated as a privileged event, and the passwords that control access treated accordingly. The passwords should be changed from any default setting prior to deployment, and they should abide by the principles above.
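The following Python code is an added example, not part of the GASA manual, that turns the rules stated in this section into checks: the 8-character complexity rule (letters, digits, mixed case, meta-characters, not equal to the account name), the 12-password history, and the lockout rule of 3 failures within a 15 minute window (5 where 14-character complex passwords are enforced) followed by a 15 minute lockout. The set of characters counted as "meta-characters", the use of SHA-256 fingerprints for the history list and the function names are assumptions made for the example.

```python
"""Password-policy and account-lockout checks implementing the rules in section 6.3.
Added example; the meta-character set and the history fingerprinting are assumptions."""
import hashlib
from datetime import datetime, timedelta

# Assumed definition of "meta-characters": printable ASCII punctuation.
META_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def history_fingerprint(password):
    """Fingerprint kept in the password-history list. A production system would use a
    salted, slow password hash; plain SHA-256 is used here only to keep the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, account_name, history, min_length=8, history_depth=12):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not any(c in META_CHARS for c in password):
        problems.append("no meta-characters")
    if password.lower() == account_name.lower():
        problems.append("matches account name")
    if history_fingerprint(password) in history[-history_depth:]:
        problems.append(f"re-used within last {history_depth} passwords")
    return problems


def lockout_threshold_for(min_length):
    """3 failed attempts by default; the manual allows 5 where 14-character complex passwords are enforced."""
    return 5 if min_length >= 14 else 3


class LockoutTracker:
    """Lock an account after `threshold` failures inside `window`; keep it locked for `lock_for`."""

    def __init__(self, threshold=3, window=timedelta(minutes=15), lock_for=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self.lock_for = lock_for
        self._failures = {}      # account -> timestamps of recent failures
        self._locked_until = {}  # account -> datetime at which the lockout expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Record a failed logon at time `now`; returns True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lock_for
            self._failures[account] = []   # counter restarts once the lockout expires
            return True
        return False

    def record_success(self, account, now):
        """A successful logon clears the failure counter, unless the account is currently locked."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True


def simulate(offsets_minutes, threshold=3):
    """Replay failed logons at the given minute offsets from a constructed start time and
    return the lockout decision after each one."""
    tracker = LockoutTracker(threshold=threshold)
    start = datetime(2005, 10, 13, 2, 0)  # constructed timestamp
    return [tracker.record_failure("Administrator", start + timedelta(minutes=m))
            for m in offsets_minutes]


if __name__ == "__main__":
    print(check_password("Administrator", "Administrator", []))
    print(check_password("Atm-Cash!2005", "Administrator", []))
    print(simulate([0, 1, 2, 3, 20]))  # third failure locks; fourth is rejected; fifth starts a new count
```

Note that failures older than the window are discarded before the new one is counted, so three failures spread over more than 15 minutes do not trigger a lockout, which is exactly what the "within a 15 minute period" wording requires.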

6.4 Network Security

ATMs should be separated either physically or virtually from networks that provide general business connectivity. With physical separation, ATMs should connect to host systems via dedicated network segments that are not shared by general purpose servers and workstations. There are several points along the communication path connecting the ATM with the host system that would permit the introduction of firewall enforcement points, depending on the network topology. Access from within the general network to the ATM network should be controlled by the use of an enterprise stateful firewall. In situations where the network architecture does not permit the use or introduction of a single (or several) firewall enforcement points on the internal network due to technical or business limitations, packet filters should be configured on the next hop perimeter router that provides TCP/IP connectivity to the ATM. Where ATMs share network infrastructure (e.g. remote ATMs on branch networks), border router access control lists should be used to restrict access to the ATM from within the branch network if the traffic is passed through a suitable router.

In environments where an ATM shares a VLAN with other branch traffic, layer two (in TCP/IP terminology) controls, such as switch port security and static ARP mapping, should be employed to restrict intra-LAN access violations. Unused switch ports should be disabled until required for the addition of devices onto the network. Network hubs should not be used, because they allow network traffic to be captured and lack security features. Some ATMs are being shipped with firewall capability, either bundled with a third-party product or as part of the operating system, and this should be enabled and configured irrespective of the extent of additional network enforcement points present or intended on the network.

The design of any firewall ruleset or router access control list must be based on the principle "what is not expressly permitted is denied". The opposite position ("what is not expressly denied is permitted"), if employed, will render the protection afforded by the ruleset virtually null. Determine exactly what network addresses, protocols and ports are required to support the ATM in terms of transactions, management and monitoring; then deny everything else.
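To make the default-deny point concrete, here is an added example (not from the manual or any vendor) that evaluates the same small allowlist under both postures. The ATM subnet, host and monitoring addresses, and the transaction and monitoring port numbers are constructed placeholders; the evaluator itself is a first-match rule walk of the kind a router ACL or host firewall performs.

```python
"""Evaluate a constructed ATM allowlist under "deny by default" and "permit by default".
Added example; all addresses and port numbers are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

    def matches(self, flow):
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", flow.proto)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules, flow, default_action):
    """First matching rule wins; otherwise the default posture decides."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default_action


# Constructed topology: ATMs on 10.20.30.0/24, transaction host 10.0.0.10,
# monitoring server 10.0.0.20. Port numbers are placeholders, not a real protocol's.
ATM_NET, TXN_HOST, MON_HOST = "10.20.30.0/24", "10.0.0.10/32", "10.0.0.20/32"
TXN_PORT, MON_PORT = 5000, 5555


def sample_rules():
    """Everything the ATM needs for transactions and monitoring, and nothing else."""
    return [
        Rule(ATM_NET, TXN_HOST, "tcp", TXN_PORT, "permit"),   # ATM -> host: transactions
        Rule(MON_HOST, ATM_NET, "tcp", MON_PORT, "permit"),   # monitoring server -> ATM
    ]


def sample_flows():
    """Constructed traffic: legitimate flows plus two that should never be allowed."""
    return {
        "transaction":     Flow("10.20.30.11", "10.0.0.10", "tcp", TXN_PORT),
        "monitoring":      Flow("10.0.0.20", "10.20.30.11", "tcp", MON_PORT),
        "office_to_atm":   Flow("10.50.0.7", "10.20.30.11", "tcp", 445),
        "atm_to_internet": Flow("10.20.30.11", "203.0.113.9", "tcp", 80),
    }


def compare_postures(rules, flows):
    """For each flow, the verdict under default-deny and under default-permit."""
    return {name: (evaluate(rules, f, "deny"), evaluate(rules, f, "permit"))
            for name, f in flows.items()}


def flows_only_stopped_by_default_deny(rules, flows):
    """Flows the allowlist itself says nothing about: blocked only because the default is deny."""
    return sorted(name for name, (d, p) in compare_postures(rules, flows).items() if d != p)


if __name__ == "__main__":
    for name, verdicts in compare_postures(sample_rules(), sample_flows()).items():
        print(f"{name:16s} default-deny={verdicts[0]:6s} default-permit={verdicts[1]}")
```

With the same two permit rules, the office workstation reaching the ATM and the ATM reaching an Internet address are both stopped under default-deny and both pass under default-permit; the ruleset did not change, only the posture, which is why the manual says the permissive posture makes the ruleset virtually null.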

6.5 Detection and Prevention

6.5.1 Intrusion Detection Systems

The ATM network access point into the central processing host systems should deploy one or more (depending on topology) network intrusion detection systems (NIDS). The NIDS must be supported by appropriate management, monitoring and incident response policies and procedures.

6.5.2 Malware Protection

If the ATM supports it, malware protection should be installed. Careful analysis of the product, signature file update management, engine update management, periodic scan invocation and status change/alert notification needs to be undertaken. Updates should be applied to a control/test group as soon as possible after release by the software vendor. System stability should then be confirmed prior to the deployment of the update to the production systems.

Periodic system scans have the potential to cause degraded performance, and should be conducted when the ATM is out of service. The frequency of the scans should be determined based on ATM service level agreements, business requirements and additional security controls employed (e.g. firewalls, intrusion detection).

Different anti-virus products can behave differently with respect to advising of status changes (e.g. AV disabled) or alert notification (e.g. virus detected). Ensure that any AV installed does not result in screen alerts or messages being displayed on the consumer terminal.

Chapter 7: ATM Cash Security

7.1 Defining the scope of ATM cash security

This chapter focuses on ATM cash replenishment for CIT-Fill, Merchant-Fill and Bank Branch-Fill ATMs. It is acknowledged that security best practices need to be applied throughout the whole cash cycle from a Central Bank vault, through a cash processing centre (CPC), until the time the replenished cash cassettes are safely stored within the ATM, and any part-filled cassettes and sealed bags containing purged notes are safely removed from the ATM location and returned to a CPC or other secure location. However, for the purposes of this chapter the ATM cash replenishment which forms the basis of these best practices is defined as follows:

ATM cash replenishment is the process of loading an ATM with the required cash, from the point of entering the ATM zone to the securing of any replaced cash during its return to a secured area.
Using this definition this chapter covers the following four phases:

- securing the cash during the approach to the ATM
- securing the cash loading process
- securing the ATM after loading
- securing any replaced cash during its return to a secured area

The ATM Cash Security guidelines do NOT cover security at vaults or cash centres, and only touch on certain best practices relating to the commercial cash carriers. They cover the cash cycle from "cross the pavement" security to completion of the replenishment tasks at the ATM, and include delivery of cash and cash counting best practices. They also discuss ATM security during 1st line and 2nd line maintenance [11].

[11] It should be borne in mind that the cash inside an ATM can also be at risk outside of normal cash replenishment and during first and second-line maintenance, when the service staff can have access to the ATM safe.


7.2 Basic Recommendations

- Proper insurance is in place at all times covering public liability, personal accident and life insurance for staff members, and the insurance of the cash.
- Any security measures put in place do not negate any procedures associated with fire and emergency, particularly means of escape in case of fire.
- As a minimum, the manufacturer's instructions should be followed with regard to the filling and operation of cassettes, and with regard to the usage and operation of safes.
- Any local banking rules with regard to the issue and storage of cash are followed.
- Any local laws and regulations regarding safety and security requirements are adhered to.

7.3 How cash replenishment fits into the cash cycle

The ATM cash cycle extends through the following phases:

- Bulk cash collection and delivery phase, during which the cash is collected from a bank, or a secure non-bank vault, and transported to a CIT branch, to a CPC or to a bank branch.
- Cash packing phase, when the cash is counted, balanced, packed and secured into cassettes or sealed bags (if to be transported and depending on the service requirement).
- Cash-in-transit (Distribution) phase, where the cash is collected from a CIT branch or CPC and transported to the ATM zone.
- Securing the approach to the ATM zone, during which the approach to the ATM and the cash is secured.
- Cash loading phase, when the cash is loaded into the ATM.
- Post-loading securing of ATM, during which the ATM is secured after loading and the cash balanced.
- Securing any replaced cash during its return to a secured area.

Some of these phases are discussed in the following sections.


7.3.1 Bulk Cash Collection & Delivery


Cash is collected in bulk from a bank, or a secure non-bank vault, and transported to a CIT branch or to a CPC for sorting. Such bulk cash is normally only used in CIT-Fill operations.

7.3.2 Cash Packing - CIT-Fill


In the CIT Branch or CPC, all cash to be used for ATM replenishment should be sorted to ensure that it is ATM Fit, and for counterfeit detection purposes. Ideally each bundle checked should be certificated that it is ATM Fit. All cassettes and sealed bags are labelled to indicate the ATM owner and the note denominations and amounts to be packed for the specific ATM replenishment. The balance is checked and then the required amount of cash is packed into the cassettes (for cassette exchange) or sealed bags (for cash exchange).

7.3.3 Cash-in-Transit (Distribution) - CIT-Fill


The cassettes or sealed bags are counted, checked and packed into sealed containers, then tagged and sealed before leaving the cash carrier's premises. If the service being provided is cassette exchange, the cassettes are not opened again until they are returned to the CPC, with seals intact, to prevent tampering. The specific individual amount required for each ATM is transported to the site. How this is done depends on the standard operating procedures of the CIT company. At the site, the ATM is balanced to obtain the existing cash total.

7.3.4 Cash Loading - CIT-Fill


If the service is cassette exchange, existing cassettes are removed and replaced with new cassettes. New cassettes are counted on arrival. Used cassettes, along with accompanying paperwork, are returned to the provider, where they are opened and the remaining cash counted and balanced against the ATM total. If the service is cash exchange [12], the cash is removed from the cassettes and placed into sealed bags to be returned to the CPC for counting and balancing. Replenishment cash is then placed into the cassettes from the sealed bags issued from the CPC (during this service cash removed from the cassettes must be kept separate from cash removed from the purge bin and from deposited items).

[12] It should be noted that the cash exchange and add cash methods are generally only conducted in developing markets or where a short-term shortage of cassettes necessitates the cash exchange or add cash method be used as a temporary emergency measure, normally with extra security in place. The cash exchange and add cash methods are NOT considered to represent best practice and are considered high risk by CIT companies, as they require staff in the field to directly handle cash, generally without adequate CCTV coverage and management.


If the service is add cash [13], the cassettes are removed from the ATM and topped up with replenishment notes according to the agreed value. On no account should any cash be placed in the ATM outside of the cassettes (commonly known as "side cash" or "excess cash" for the purpose of future cash addition). For all the above services a statement is subsequently issued to the customer.

7.3.5 Cash Packing / Cash Loading - Merchant-Fill


Ideally a check should be made by the merchant to ensure the quality of the notes to be loaded into the ATM and also to detect counterfeit notes. The merchant or retailer then removes the cassettes from the ATM, balances the cash against the ATM total, and then adds cash to replenish the cassettes. (Typically the cassettes may already be outside the ATM, as the safe is left open with the cassettes removed outside normal business hours.) Again, on no account should any cash be placed in the ATM outside of the cassettes.

7.3.6 Cash Packing / Cash Loading - Bank Branch-Fill


The Bank Branch manager is responsible for the ATM and its cash replenishment. Branch staff should check the quality of the notes to be loaded into the ATM cassettes, and also for counterfeits, preferably using notes that have been sent to the branch as ATM fit. The branch staff remove the cassettes from the ATM, balance the cash against the ATM total, and then add cash to replenish the cassettes.

7.4 Definition of the chain of responsibility in the ATM cash cycle

At no point along the cash cycle, including at transition points from one phase to another (for example, in the transition from the CPC to the transit route on the way to the ATM), should there be any doubt as to who is responsible for the security of the cash. It is imperative for cash suppliers, cash carriers and ATM owners to sign contractual agreements that clearly define the liability switch between the different parties, as well as cash management service level agreements (SLAs), which cover the attribution of responsibility for cash security along the whole cash cycle. Proper insurance cover should be in place throughout the ATM cash cycle.

[13] See footnote 12.


7.4.1 CIT-Fill
In general, the following responsibilities for cash security should be allocated and stipulated in contractual agreements:

- The cash suppliers are responsible for counting, allocating, packing and securing the cash drawn from the cash centre, bank vault or secure non-bank vault. A signing-off process should take place between the cash suppliers and cash carriers.
- The cash carriers are responsible for the cash from the moment the signing-off procedure has been completed, even before they leave the cash centre, bank vault or secure non-bank vault.
- The cash carriers are responsible for securing the approach to the ATM zone.
- The cash loaders are responsible for (a) the secure loading of the ATM, (b) the securing of the ATM after loading and (c) cash balancing. Any difference in cassette balancing will be subject to a dispute resolution process.

The responsibilities for cash management and dispute resolution during this cycle should be included in the contractual agreements but fall outside the scope of these best practices.

It should be noted that the procedure for determining how notes are recognised and dispensed varies by ATM type. Some ATMs must be set based on cassette position in the dispenser rack (e.g. $50 notes will always be in slots 1 and 2, $100 notes must be in slots 3 and 4), whilst other ATMs may use a system that identifies the denomination in the cassette based on settings within the cassette, meaning that the cassettes can be positioned in any slot in the dispenser. Where the latter applies, contracts should specify who is responsible for setting and checking the cassette denomination setting: either the CIT company, the bank or the ATM vendor providing second line maintenance.

7.4.2 Merchant-Fill
The following responsibilities for cash security are normally in place, working on the assumption that the merchant or retailer owns the cash inside the ATM:

- The merchant is responsible for counting, allocating, packing and securing the cash drawn from his till or safe.
- The merchant is responsible for securing the approach to the ATM zone.
- The merchant is responsible for (a) the secure loading of the ATM, (b) the securing of the ATM after loading and (c) cash balancing.
- It is recommended that the merchant empties the ATM of all cash at the close of each business day and leaves the safe door visibly open.
- The merchant is responsible for meeting any requirements for note quality and counterfeit detection of loaded cash.

7.4.3 Bank Branch-Fill

In general, the following responsibilities for cash security should be allocated and stipulated in contractual agreements (where appropriate):

- The cash carriers are responsible for delivering bulk cash, ideally sorted as ATM Fit, to the bank branch. (The cash carriers may be commercial security organisations, or may be the bank's own staff and vehicles.) A signing-off process should take place between the cash carrier and the bank branch staff.
- The bank branch staff are responsible for counting, allocating, packing and securing the cash.
- The bank branch staff are responsible for securing the approach to the ATM zone.
- The bank branch staff are responsible for (a) the secure loading of the ATM, (b) the securing of the ATM after loading and (c) cash balancing.

7.5 Safe Operating Procedures

Throughout the ATM cash replenishment process it is recommended that the following safe operating procedures are in place:

- Clearly defined and communicated roles and duties of each employee.
- Checklists in place to be followed by staff before each phase.
- Appropriate and regular testing of all safety features such as duress alarms and communication devices.
- Regular inspection of all equipment used, particularly personal protective equipment.
- Variations in timings (and routes where applicable).
- Clearly documented procedures to cover all aspects of ATM cash replenishment, with staff adequately trained to follow them.

7.6 Audit Trails for the ATM Cash Cycle

Although cash management as such falls outside of the scope of this manual, cash security covers both physical security during the cash cycle as well as financial security. An audit trail provides information that allows for random inspections to take place to check that no fraud or inaccuracies have occurred during the cash cycle. Losses due to internal fraud and insider collusion pose a significant threat to the industry.


To make the cash cycle susceptible to a financial inspection of this nature, financial records, statements, reports and all paperwork should be completed at defined points in the cash cycle. In addition it should be borne in mind that the cash may also be exposed during ATM servicing and maintenance. Ideally electronic locks should be used to enable all user access to the ATM to be traced, to allow one-time access codes to be issued and for dual control purposes. In addition, track and trace technology can be used to quickly and effectively scan sealed bags and ATM cassettes through the cash cycle.

As a minimum, the following paperwork should be completed in order to provide adequate information for audit trails:

- Bulk cash collection and delivery phase: The cash suppliers should provide the cash carriers with a signed and dated statement of the amount of cash that was collected, with the figures checked by the cash carriers against the statement. The cash in transit branch or CPC should issue a dated and stamped receipt to the cash carriers after the cash has been received and counted.
- Cash packing phase: The CPC or CIT branch should issue the cash carriers responsible for the distribution phase with a statement of the amount of cash packed into the cassettes or sealed bags, and the number of cassettes or sealed bags, which the cash carriers should verify before the cassettes or sealed bags are closed, secured and packed.
- Cash-in-transit (Distribution) phase: If using track and trace technology, the sealed bags and/or ATM cassettes should be scanned into and out of the vehicle.
- Cash loading phase: The ATM owner should receive and date stamp a copy of the statement from the cash packing phase. An electronic audit trail will also be in place if electronic locks are used on the ATM safe.
- Post-loading securing of ATM: The cash loaders should produce a signed and dated statement after the loading has been completed and the cash balanced.
- Reconciliation phase: The cash loaders' statement of (a) the total cash amount inserted into the machine during the previous replenishment and (b) the physical cash remaining in the cassettes and purge bin at the time of replenishment should be reconciled with the Electronic Journal or Journal Printout, to confirm that the record of cash withdrawn and purged balances with the cash remaining in the machine. If the records match then that replenishment cycle can be closed.

In general, each statement, report or receipt should be completed in triplicate so that each party to the replenishment process across the cash cycle (cash supplier, cash carrier and cash loader) can receive copies of each transaction between each party to the process. For more details of how to set up audit trails for the ATM cash cycle please see Chapter Two of GASA's ATM Cash Security Manual.
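The reconciliation step above can be expressed as a per-denomination balance check. The following Python code is an added example, not part of the GASA manual, that compares the cash loaders' statement (notes loaded at the previous replenishment and notes physically counted now, per cassette and in the purge bin) against the Electronic Journal totals for dispensed and purged notes, and reports any discrepancy for the dispute resolution process. The note counts, denominations and the data-structure names are constructed for the example.

```python
"""Reconcile the cash loaders' statement with the Electronic Journal for one replenishment cycle.
Added example; figures and structure names are constructed, not GASA's."""
from dataclasses import dataclass


@dataclass
class CassetteCount:
    denomination: int       # note value
    notes_loaded_prev: int  # notes loaded at the previous replenishment (loaders' statement)
    notes_remaining: int    # notes physically counted in the cassette at this replenishment


@dataclass
class JournalTotals:
    dispensed: dict  # denomination -> notes the Electronic Journal records as withdrawn
    purged: dict     # denomination -> notes the Electronic Journal records as purged


def reconcile(cassettes, purge_bin, journal):
    """Per denomination: loaded_prev must equal dispensed + purged + remaining, and the physical
    purge-bin count must equal the journal's purged count. Returns (balanced, discrepancies)."""
    discrepancies = []
    for c in cassettes:
        d = c.denomination
        expected_remaining = c.notes_loaded_prev - journal.dispensed.get(d, 0) - journal.purged.get(d, 0)
        diff = c.notes_remaining - expected_remaining
        if diff != 0:
            discrepancies.append(
                f"denomination {d}: journal implies {expected_remaining} notes remaining, "
                f"counted {c.notes_remaining} ({diff:+d} notes, value {diff * d:+d})")
        bin_diff = purge_bin.get(d, 0) - journal.purged.get(d, 0)
        if bin_diff != 0:
            discrepancies.append(
                f"denomination {d}: purge bin holds {purge_bin.get(d, 0)} notes, "
                f"journal records {journal.purged.get(d, 0)} purged ({bin_diff:+d} notes)")
    return (not discrepancies, discrepancies)


def discrepancy_value(cassettes, journal):
    """Signed currency value of the cassette shortfall (negative) or surplus (positive)."""
    total = 0
    for c in cassettes:
        d = c.denomination
        expected = c.notes_loaded_prev - journal.dispensed.get(d, 0) - journal.purged.get(d, 0)
        total += (c.notes_remaining - expected) * d
    return total


def sample_cycle(balanced=True):
    """Constructed figures for one cycle; with balanced=False two 50-notes are missing."""
    cassettes = [
        CassetteCount(50, 2000, 820 if balanced else 818),
        CassetteCount(100, 1500, 400),
    ]
    purge_bin = {50: 10, 100: 5}
    journal = JournalTotals(dispensed={50: 1170, 100: 1095}, purged={50: 10, 100: 5})
    return cassettes, purge_bin, journal


if __name__ == "__main__":
    ok, issues = reconcile(*sample_cycle(balanced=False))
    print("balanced" if ok else "DISPUTE")
    for line in issues:
        print(" ", line)
```

Because the check is done per denomination rather than on the grand total, a shortfall in one cassette cannot be masked by a surplus in another, which is the kind of inaccuracy the random inspections in this section are meant to catch.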

7.7 Securing the ATM Zones

7.7.1 Securing the Approach to the ATM Zone


Securing the approach to the ATM involves transforming the ATM zone into a secure zone. A zone is an area having a specific purpose or subject to specific restrictions (for example, a pedestrian zone in a city centre where motor vehicles are not permitted to drive). A secure zone is defined as one in which, as far as is humanly possible, all threats have been minimised, and in which planned operations can take place in optimal conditions.

The ATM zone can be defined as having an outer zone and an inner zone. The outer zone would be the surrounding environment in which the ATM is located, within which it would be capable of being subjected to illegal long-range surveillance by criminals targeting the ATM for any type of criminal attack:

- For CIT-Fill ATMs this would normally include the pavement transit from the vehicle to the ATM site.
- For Merchant-Fill ATMs this could include the transit from the cash till or back-office area to the ATM.
- For Bank Branch-Fill ATMs this would include the transit from the branch vault, or other secure cash processing area, to the ATM.

The inner zone would be the immediate environment of the ATM within a radius of 5 to 10 metres.

7.7.2 Securing the Outer ATM Zone

Operations in this zone include:

- Positioning the vehicle (if CIT-Fill).
- Securing the route from the secure location (vehicle if CIT-Fill) to the ATM inner zone.
- Conducting multiple transits of cash along this route, to and from the ATM.

The threats to personnel operating in this zone (and to members of the public in the immediate vicinity) include the following:

- Attacks on the vehicle (if CIT-Fill), which could include holding a crew member on the pavement hostage to demand access.
- Attacks on staff crossing the pavement and/or on other approach routes to the ATM.
- The use of firearms and other offensive weapons against personnel.


Adequate security cover for securing the outer ATM zone should include:

- The completion of advance risk assessments to establish a risk rating for the zone.
- Prior reconnaissance of the outer zone to search for signs of criminals or suspicious individuals in the vicinity.
- Taking due regard for staff and public safety.
- Parking the vehicle as close as possible to the ATM location (for CIT-Fill) and having a suitable "drive away" policy in place.

Additional security measures and precautions during this phase could include:

- Use of an intelligent end-to-end ink staining system to seamlessly protect the cash inside cassettes from CPC to ATM (CIT-Fill).
- Use of a smoke box to protect bagged cash while in transit across the pavement (CIT-Fill).
- Use of a portable alarm (911 in the US).
- Minimising the visibility to the public of the cash boxes being moved as the cash replenishment team approaches the ATM zone.
- Separating the cash carrying function and the protection function.
- For CIT-Fill, discussions with the customer in order to provide, where possible, extended time/day delivery periods providing greater flexibility and security (random delivery).
- For Merchant-Fill and Bank Branch-Fill, the use of site security staff, if available, to escort the cash loaders to and from the ATM.
- Carrying of firearms, stun guns, batons or other weapons (depending on local legislation and requirements).
- Wearing of bullet proof jackets by the cash replenishment team (depending on local legislation and requirements).

7.7.3 Securing the Inner ATM Zone

Operations in this zone include:

- Securing the immediate environs of the ATM.
- Accessing the ATM safe.
- Conducting cash replenishment operations.
- Conducting related FLM tasks including the removal of purged notes and cards.
- Closing the ATM safe and securing the ATM.

It must be borne in mind that specific threats to personnel operating in the inner zone will depend on the type of ATM installation (lobby type or through-the-wall, inside bunker/kiosk or free-standing, etc.). Threats to personnel operating in this zone include the following:


- Attacks on staff while accessing the safe (possibly using duress tactics).
- Attacks on staff while engaged in cash replenishment and associated operations.
- The use of firearms and other offensive weapons against personnel.

Adequate security cover for securing the inner ATM zone should include:

- Prior reconnaissance of the inner zone to search for signs of criminals or suspicious individuals in the vicinity, including a check of the ATM fascia and surrounds for any signs of interference.
- Where possible, sealing off the ATM area during replenishment to create a secure inner zone (it is recommended that doors to the ATM site area are kept locked throughout cash replenishment and ATM servicing operations).
- Awareness of the presence of legitimate parties such as ATM maintenance personnel.
- Separation of loading and protection functions.
- Sufficient lighting of the ATM and its immediate area.
- Keys to the premises must be closely controlled by all parties (in order to define responsibility, the person having control or custody of those keys must sign for them upon taking possession).
- For CIT-Fill, staff identification procedures when staff are accessing a site where there is some form of perimeter security and where site security staff are present.
- For Merchant-Fill, ensuring that the ATM is not clearly visible from the street or other external area.

Additional security measures and precautions during this phase could include:

- CCTV coverage of the ATM and its immediate surroundings.
- Use of an intelligent end-to-end ink staining system to seamlessly protect the cash inside cassettes during transit and cash loading (CIT-Fill).
- Use of locking bars (or other cassette locking mechanisms) to fully expose only one cassette at a time during cash replenishment.
- Duress procedures to covertly alert authorities to a robbery/attack in progress that will not increase the risk to the replenishment staff.
- Personal attack alarm buttons to be installed within ATMs located in public areas. These devices are to remain live when the alarm system is unset [to be used as a last resort].
- Personal attack alarm buttons installed in non-public areas (if the ATM is sited in a kiosk or technical room) [to be used as a last resort].
- Properly briefed site security staff in attendance.
- For Merchant-Fill, avoiding busy times of the day and conducting replenishment when the store is empty of all customers.


7.8 Best Practices for ATM Cash Replenishment

Times at which replenishment takes place at any given ATM should never follow a predictable or repetitive pattern. Predictability is the enemy of security. It is recognised that replenishment windows can be limited, particularly for CIT-Fill ATMs, but it is recommended that timings are as widely varied as possible. In addition, it is recommended that, for CIT-Fill ATMs, the sequence of replenishment visits is also varied and that the crews are tasked to routinely change the order in which they visit ATM sites.

7.8.1 General Measures


After securing the inner zone of the ATM, the following general measures should be taken for all three types of replenishment: Secure removal of all cassettes to be replaced before loading of new cassettes begins. Separate cases should be used to hold the balance money, cash, documents etc., collected from the ATMs deposit and reject bins. At no time should these items be kept on the floor or on the ATM, but should be immediately secured upon removal. Security of the combination keys to the cash safe should be maintained. There should be a procedure of giving the cash loaders the combination in two sealed envelopes which should be resealed immediately after use, such combinations to be centrally changed on a random basis. Where CIT Fill is used, it is highly desirable that the twolock system normally used be replaced by a system incorporating both dual control and one-time use combination codes 14 . This ensures that only the CIT company can access the ATM , it confirms that the ATM safe has actually been locked, and provides an independent, auditable record of opening and closing times. Master key systems should be avoided as they increase vulnerability from lost keys. Where staff are required to make a call to obtain safe access codes, a duress procedure should be in place. For multiple sites, only one ATM at a time to be serviced/replenished. Separation of loading and protection functions, with security personnel standing a little distance away from the loading personnel, so as to reduce the possibility of both of them being attacked simultaneously. Checking to ensue that the correct cassettes are put into the correct pick-units to ensure that that the correct value notes are dispensed. Only one cassette at should be exposed to risk of attack at any one time.

[14] One example is the Cencon Lock system.

Chapter 7: ATM Cash Security

- 62 -

13/10/2005

Additional security measures and precautions during this phase could include:
- Use of a portable alarm (911 in US).
- Separation of cash balancing AND cash loading functions.
- Use of an end-to-end note degradation system to protect the cash (CIT-Fill).

7.8.2 Merchant-Fill Additional Measures

In addition to the previous section, the following best practice is recommended:
- Minimise cash exposure on the premises by keeping tills and safes locked when conducting ATM replenishment.
- When replenishing, ensure that the premises are free of all customers and that all access points are secure.
- If possible, replenishment should be conducted out of public view, so blinds or shutters should be brought down if available.
- Check all cash before loading, looking for damaged, stained or counterfeit notes. If any are found, they should be handed in to a bank branch following the procedure (if any) laid down by the national central bank.

7.9 Best Practices for Securing ATM Servicing / Maintenance

7.9.1 First Line Maintenance (FLM)

It is common for the staff performing ATM cash replenishment to also carry out scheduled ATM FLM visits. Such duties would depend on contractual arrangements and could include:
- Clearing paper jams.
- Confirming the operation of all print devices.
- General cleaning of the ATM and its immediate surroundings.
- Removing purged cards and journal rolls (older machines).
- Removing purged notes.
- Removing deposit envelopes from ATMs where the facility exists.
- Replenishing consumables.

In addition, unscheduled FLM visits may also be carried out at the customer's request, normally when a fault has been reported. In this context FLM is defined as an intervention to bring an ATM back into service that requires no tools or parts. On the majority of occasions this unscheduled FLM does involve opening the ATM safe. When conducting such operations the ATM must either be free of cash, or the same security procedures as for a cash exchange should be followed. The security and integrity of the system is greatly enhanced in this case if the Cassette Swap method is used, as the uniquely numbered Tamper Evident Seals affixed to the cassette at the CPC can later be checked to confirm that the cassette was not opened during the FLM visit.


If the staff conducting FLM are not professional security staff, then they should undergo security awareness training which should highlight the risks to themselves, to others, and to the cash whilst performing FLM.

7.9.2 Second Line Maintenance (SLM)

ATM SLM is traditionally performed by Field Engineers, who are often not security trained. This is preventative (scheduled) and emergency (unscheduled) maintenance designed to ensure that the hardware remains fully operational at all times, thereby minimising ATM downtime. The unscheduled maintenance differs from FLM in that a tool or part is required to bring the ATM back into service. When conducting SLM visits, Field Engineers often have to access the ATM safe. When conducting such maintenance the ATM must either be free of cash, or the same security procedures as for a cash replenishment visit should be followed (without any actual cash exchange taking place). In some cases they may be accompanied by security personnel, and indeed may not be able to access the ATM safe without another party present. Whatever the policy for ATM safe access, the Field Engineers should undergo security awareness training which should highlight the risks to themselves, to others, and to the cash, whilst performing SLM.

7.9.3 Additional Security Recommendations

These additional requirements are recommended for both FLM and SLM:
- When a field engineer is unescorted by trained security staff, the engineer should have a similar level of security training as provided to ATM replenishment crews. This training should be updated on a regular basis (every two years is suggested).
- A security-trained engineer may normally provide FLM or SLM to any top box fault without a second person present.
- Subject to procedural approval, an engineer may only work alone at an ATM within a secured area, with the safe open and with cash present.
- An engineer should not work alone at a free-standing ATM when the safe is open. Should the safe be open, two staff are required, one of whom must be fully security trained, and the cash should only remain exposed on site for a maximum of 10 minutes.
- If a free-standing ATM requires safe access for repair, arrangements must be made for the removal of the cash prior to any work taking place.
- When two different companies are providing replenishment and maintenance services to an ATM, then EITHER one company must escort the other on all occasions OR the companies must have pre-agreed a liability arrangement with a clear definition of the security measures to be undertaken.
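An added example (not from the manual or from any lock vendor) showing how the auditable opening and closing record that a dual-control, one-time-code lock produces (section 7.8.1) can be checked against the rules above. The record format, site names, operator identifiers and code references are constructed; the site table marking which ATMs are free-standing is also constructed. The check applies the two-person rule and the 10-minute exposure limit to free-standing ATMs only, as the text above states them, and reports any one-time code that appears on more than one opening and any opening without a matching closing.

```python
"""Check a safe-access audit trail against the safe-opening rules.

Added example, not from the GASA manual. RECORDS is a constructed audit
trail: time, site, OPEN/CLOSE, persons present (':' separated) and the
one-time code reference used for the opening.
"""
from datetime import datetime

MAX_EXPOSURE_MIN = 10  # maximum time cash may be exposed at a free-standing ATM

# Constructed site table: the rules differ for free-standing ATMs.
SITE_TYPE = {"ATM-07": "free-standing", "ATM-21": "secured-area",
             "ATM-30": "free-standing"}

RECORDS = """\
2005-10-03 10:02,ATM-07,OPEN,E123:S456,c-0001
2005-10-03 10:09,ATM-07,CLOSE,E123:S456,c-0001
2005-10-03 11:30,ATM-21,OPEN,E777,c-0002
2005-10-03 11:52,ATM-21,CLOSE,E777,c-0002
2005-10-03 14:00,ATM-30,OPEN,E123,c-0003
2005-10-03 14:16,ATM-30,CLOSE,E123,c-0003
2005-10-04 09:00,ATM-07,OPEN,E555:S456,c-0001
"""


def parse(text):
    """Parse the constructed record format into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, site, event, persons, code = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                       "site": site, "event": event,
                       "persons": set(persons.split(":")), "code": code})
    return sorted(events, key=lambda e: e["time"])


def audit(events, site_type):
    """Return (site, rule, detail) findings in the order they are detected."""
    findings = []
    open_by_site = {}   # site -> OPEN event still awaiting its CLOSE
    used_codes = set()  # one-time codes already seen on an OPEN
    for ev in events:
        site = ev["site"]
        free_standing = site_type.get(site) == "free-standing"
        when = ev["time"].strftime("%Y-%m-%d %H:%M")
        if ev["event"] == "OPEN":
            if ev["code"] in used_codes:  # a one-time code must never recur
                findings.append((site, "code-reuse", ev["code"]))
            used_codes.add(ev["code"])
            if free_standing and len(ev["persons"]) < 2:  # two-person rule
                findings.append((site, "single-person-open",
                                 ",".join(sorted(ev["persons"]))))
            if site in open_by_site:  # previous opening was never closed
                findings.append((site, "open-not-closed",
                                 open_by_site[site]["time"].strftime("%Y-%m-%d %H:%M")))
            open_by_site[site] = ev
        elif ev["event"] == "CLOSE":
            opened = open_by_site.pop(site, None)
            if opened is None:
                findings.append((site, "close-without-open", when))
                continue
            exposure = (ev["time"] - opened["time"]).total_seconds() / 60
            if free_standing and exposure > MAX_EXPOSURE_MIN:
                findings.append((site, "exposure-exceeded", f"{exposure:.0f} min"))
    for site, ev in open_by_site.items():  # still open at end of trail
        findings.append((site, "open-not-closed",
                         ev["time"].strftime("%Y-%m-%d %H:%M")))
    return findings


if __name__ == "__main__":
    for site, rule, detail in audit(parse(RECORDS), SITE_TYPE):
        print(f"{site}: {rule} ({detail})")
```

On the constructed trail the check reports the lone engineer and the 16-minute exposure at ATM-30, the reused code at ATM-07, and the ATM-07 opening that has no closing record, which is the kind of evidence the "auditable record of opening and closing times" in 7.8.1 is meant to yield.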

For guidelines for effective partnering with cash security stakeholders, please see Chapter 6 of GASA's ATM Cash Security Manual. The essence of a partnership is not simply to produce, together, optimal business results, but, rather, to hold one another accountable at all times to the inseparable standards of integrity and professionalism.


Acknowledgements
Lachlan Gunn, BenAlpin Ltd
Janet Edwards, Technical Editor
The Global ATM Security Alliance

Disclaimer
IMPORTANT: The ATM Industry Association ("ATMIA") is a nonprofit corporation, incorporated in the State of Delaware, which is exempt from federal taxation under Section 501(c)(6) of the Internal Revenue Code. This publication, the ATM Lifecycle Security Manual, has been developed in furtherance of ATMIA's nonprofit and tax exempt purposes to enhance the efficiency and effectiveness of modern corporate governance in light of perceived mores and best practices espoused by certain individuals and entities. ATMIA has taken reasonable measures to develop this publication in a fair, reasonable, open, unbiased, and objective manner for the purpose of providing information and guidance to those in the ATM industry with respect to corporate governance in the Twenty First Century. This publication has been developed in compliance with all applicable ATMIA policies, including but not limited to its anti-trust policy. The nature of appropriate practices or guidance is likely to change over time and with developments in business, technology, and the laws of the various countries where ATMIA members and others in the industry conduct their businesses. ATMIA cannot guarantee the accuracy, completeness, efficacy, timeliness, or other aspects of this publication. ATMIA cannot assure compliance with the laws or regulations of any particular country and does not represent that the information in this publication is consistent with any particular principles, standards, or guidance of any country or entity. Use of this publication and any information provided is voluntary, and reliance should be undertaken only after an independent review by the user. There is no effort or intention to create a standard for business activity. The principles described in this publication are aspirational and reflective of one or a few individual perspectives, but are not conclusive of any appropriate or legal business behavior. 
Inclusion of material in this publication does not constitute a guarantee, warranty, or endorsement by ATMIA regarding any guidance, methodologies, or preferences for conducting business, implementing any standards, or enhancing security, and does not constitute any guarantee, warranty, endorsement, or sponsorship of or by any person or company that may be referenced in the document. Further, neither ATMIA nor its officers, directors, members, employees, or agents shall be liable for any loss, damage, or claim with respect to any such documents, work, or services; all such liabilities, including direct, special, indirect, or consequential damages, are expressly disclaimed. Information provided in this publication is "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or freedom from infringement. The name and marks ATM Industry Association, ATMIA, and related trademarks are the property of ATMIA. © 2005 ATM Industry Association. All rights reserved.
