A task force assembled last year by the Electronic Funds Transfer Association to suggest ways to stop the illegal skimming of financial data from debit cards at automated teller machines has drafted preliminary recommendations, most of them common sense, but some of them aimed at creating more standards in payments hardware.
The proposal will not be released publicly until it is approved by the board of the Washington trade group, but members of the industrywide ATM integrity task force say it addresses encryption standards, the security of personal identification number pads, and the best ways to conduct background checks for independent sales organizations. It also attempts to define such terms as "secure PIN pad."
Speaking The Same Language
"We're really trying to standardize the nomenclature," said Kurt Helwig, the executive director of EFTA. "Different manufacturers use different language to describe the machine. They should all be using the same kind of language so it's not subject to different interpretations."
For example, a secure PIN pad simply means "ATM manufacturers had certified" that the pads were secure, he said, but "in some cases the PIN pads were the point of compromise."
The draft recommendations advise manufacturers, merchants, ISOs, and financial institutions not to cut corners on ATM design or background checks on partner companies. "We're not reinventing the wheel here," Helwig said. "We're taking the practices that many in the industry are already doing and trying to achieve greater scale with those kinds of things."
Skimming takes place in many ways: at the ATM or the point of sale, or from a pilfered card. The recommendations address the integrity of the ATMs themselves and set forth liability scenarios.
The EFTA does not have enforcement capabilities. If the best practices recommendations are approved, adoption will be voluntary. Helwig said he is still fielding comments on the draft proposal; it will then be sent to the board for a vote.
Though manufacturers now certify that an ATM is secure, Helwig said that in the future the machines could be independently tested for security and even display a seal of approval from the testing lab. Liability remains a controversial issue.
Rob Evans, the director of industry marketing for NCR Corp. and a member of the task force, said that the draft proposal clearly places liability on the institution that sponsors the ISO, the ATM owner, or any third party that touches the transaction. "It clearly says the sponsor institution is ultimately responsible for anyone who participates in the switch," Evans said, adding this would compel sponsoring banks to conduct much more thorough credit checks of companies that want to resell ATMs.
Stan Paur, the president and chief executive of Pulse EFT Association, one of the largest such networks in the United States, said that it may be unrealistic to expect a sponsoring bank to keep track of the ISO as well as the many vendors contracting with that ISO. The number of participants gets so broad that "it's extremely difficult to justify the cost of knowing everybody involved in the game," Paur said. "The only way that would have any hope of succeeding is if the regulators got involved."
Another matter is how much blame a manufacturer shoulders when ATMs are tampered with. "That's where the discussion really starts to heat up for a guy like me," said Evans. "It's a theoretical, academic discussion until the question: 'Does the manufacturer share liability?'"