Constraints on the ATM and Credit Card Processing Industry

Some companies such as credit card processors in the financial industry have little or no choice in implementing some procedures. For credit card (CC) processing, VISA and MasterCard make the rules. You don't have to follow their rules but if you do not they will cut you off and not allow you to process their cards. Visa and MasterCard are the top two CC companies in the world and if you don't process for them you are not in business for long.

For our company this cost us in parts, labor and equipment. When I started in ATM servicing business in 1996 there were standard encryption codes used to encrypted CC and ATM data. The codes were very simple. There was once an industry standard code of 16 zeros and 16 ones. This code was keyed into an ATM by a technician on site.

Soon the codes got more complicated and unique to each processor but they were still static. The same codes were used at every machine.

Later the rules changed to where the codes had to be randomly generated by the processor and sent to us the ATM servicing company. They were printed and shipped to us in sealed envelopes but if a tech was out in the field and had run out of envelopes we could just read them a code over the phone.

Later Visa became so strict that we had to ship the two codes separately by two different mail carriers, FedEx and UPS for example, to the customer who owned the ATM. One tech had to enter one part of the code and the customer had to enter the other. The customer and tech then signed an agreement that neither looked at the other's code.

At our facility we had to keep Part A keys in a pad locked metal box and Part B keys in another locked box. We had to designate and train certain individuals in the office who were the only ones allowed to handle the codes.

As for hardware, they kept shortening the length of cable allowed from the PIN or keypad on an ATM to the CPU. This was to prevent hackers from tying into the cable.

Eventually they created a PIN pad that encrypted the code as it was typed in without the CPU's involvement. The PIN pad was also required to be tamper resistant so that if it was removed from the machine it would lose the encryption keys. Still, when retiring an ATM we had to physically destroy the old PIN pads. We smashed them with a hammer.

Each time the standard changed we had to purchase new hardware and pay for a technician to go out and change the part. We had to pay for shipping of keys through two different carriers. We of course passed this cost on to our customers who were not happy. We tactfully told them it was not our fault that Visa/MasterCard implemented the changes and that it was part of the cost of owning and operating an ATM.

PIN Security and Key Management Program | Merchants | Visa USA - Retrieved from the Internet August 30, 2011 from: http://usa.visa.com/merchants/risk_management/cisp_pin_security.html?ep=v_sym_PIN

PCI Compliance Guide, PCI Data Security Standards, Manage a Data Breach, Protection Compliance and Reporting (Susan Matt, 2011) - Retrieved from the Internet August 30, 2011 from: http://www.pcicomplianceguide.org/