What the New PCI Mandate Means for Financial Institution ATMs
by Darren Smith | Originally published by CUInsight
Meeting compliance standards is an ongoing concern for financial institutions. Over the last 15 years, ATM management has significantly added to those headaches.
Changing requirements, additional mandates, and liability updates have created a need for expensive upgrades and pricey software updates. In every instance, there have been at least a handful of costly, long-standing machines made obsolete. Credit union and bank employees have to not only keep track of what is coming down the pipeline for their ATMs but also make sure they are budgeting appropriately for the necessary changes.
And it’s not only the costs of parts, software, and equipment; there is also the issue of service, scheduling and management for compliance upgrades. ATM service technicians are often difficult to schedule in time to meet compliance timelines, as they are booked up by multiple financial institutions and ATM operators to address the same issues. This is especially the case as specific compliance deadlines get closer.
Even if a bank or credit union is staying on top of things, there are situations where manufacturers will release upgraded parts, kits and hardware while they are still working on the final software updates. In these cases, upgrades might require two site visits – one to upgrade equipment and a follow-up to implement the software once it is released.
So, what are the latest compliance requirements and what do they really mean for financial institutions?
PCI Updates for ATMs
The PCI (Payment Card Industry) Security Standards Council (PCI SSC) has released new mandates for ATM PIN pads and data encryption with two consecutive deadlines. By December 31, 2024, any terminals that are capable of being upgraded to the latest version of the encrypting PIN pad (EPP) must be upgraded. Any terminals that are not upgradable must be replaced.
On January 1, 2025, operational ATMs are required to have current firmware and software that uses the TR-31 Phase 3 key blocks. This key block encryption is designed to provide greater security for PINs and data that is transferred through the ATM and onto payment network infrastructure. The additional security protects the cryptography of the payment data and makes it more difficult for hackers to exploit weaknesses.
Machines that are not enabled with the latest PIN pads and key blocks after the deadline will no longer be supported by host processors. Transactions attempted on these ATMs will not be accepted on the networks. The machines will essentially become non-operational.
This isn’t financial institutions' first rodeo. We’ve been through a slew of ATM updates already including, but not limited to, ADA, EMV, Windows 7, Windows 10, and prior PCI compliance updates. In all these instances, there was a process involving certifications, hardware upgrades or replacements, and, of course, juggling parts, service, and budget constraints.
This time around, there are two components to become fully compliant – an updated keypad and the appropriate software. Newer equipment that was sold within the past year or two is likely to already have the hardware required for the compliance mandate. For everything else, leading vendors are currently selling upgraded equipment, parts and kits. However, even if you think your machines are ready and able, it is best to check with the manufacturer to make certain each ATM is outfitted with everything needed to support the latest PCI standards.
But, even if your machines are ready to rock the latest security, it’s likely they will need to be updated or validated for the correct software. In many cases, the latest updates will still need to be installed. Once again, the most prudent move is to contact the manufacturer to get the latest information and documentation on upgrade requirements.
Outsourcing is an Excellent Solution to the Compliance Issue
But banks and credit unions don’t have to add ATM compliance and upgrades to their laundry list of other compliance and regulatory concerns. Nor do they have to reallocate large amounts of money for new capital expenditures to stay ahead of the latest ATM upgrades. Instead, they could choose to outsource the entire operation.
ATM outsourcing partners are 100% focused on ATM operations and actively stay on top of the latest mandates, upgrades and compliance. They can track, source and manage the right equipment and software to make sure all the machines they manage are ready and capable of transacting quickly, efficiently and securely.
Most ATM operators either have their own ATM service technicians or have robust vendor partnerships that leverage their wide-ranging ATM portfolios. As such, they are better equipped to demand priority service throughout their markets.
In addition to their dedication to ATMs and better service position, today’s ATM outsourcing providers recognize the problem ATM compliance poses for their credit union partners. As such, many of the most reputable companies include compliance guarantees and provisions in their contracts that place the responsibility for compliance changes and upgrades directly on the shoulders of the ATM provider. These compliance guarantees usually include parts, equipment swaps and software updates as well as any liability penalties for non-compliance.
So, while compliance continues to be a headache for credit unions, that problem doesn’t have to include the ongoing operation of the institution’s ATMs. With ATM outsourcing, the upcoming PCI update is just one more problem no longer on the credit union’s plate.
Learn How Partnering with ATM USA Can Benefit Your Financial Institution
Darren Smith, Vice President, ATM Management
firstname.lastname@example.org | 919-534-3232
Craig Helmers, Vice President, ATM Management
email@example.com | 919-534-3233