There is little doubt that compliance with minimum security certification requirements is important, whether it covers the security of card data or provides a measure of the physical resistance of the ATM security enclosure to attack.
PCI DSS (Payment Card Industry Data Security Standard) provides a clear and well-documented set of requirements with the primary objective of the protection of card data being processed and stored. Physical security requirements focused on the resistance to attacks against the safe or ATM security enclosure are well-covered by standards such as UL291 (Underwriters Laboratories) or the various CEN (European Committee for Standardization) standards.
Standards are valuable to equipment designers and suppliers in that they provide some clearly defined rules and requirements that they will design their equipment to meet. Designing to a documented and internationally recognized standard helps suppliers have confidence that the product they supply has at least the same protection level (and often cost-base) as their competitors. The requirement for independent testing and certification of new products and modifications to existing products also provides an objective check that vulnerabilities have not been mistakenly introduced.
For purchasers and deployers of equipment, certified proof that the product being procured meets, at a minimum, an internationally recognized level of security helps provide confidence in their investment. Specifying compliance with a minimum-standards requirement during the selection process for new equipment is a primary filter for what will and what will not be considered suitable to carry their brand name. Compliance with a particular standard is also often used as a deciding factor when considering the insurance costs for an asset.
Many standards are created and debated by a large group of experts, each of whom is a stakeholder whose own organization or discipline will be impacted in some way by the final details that are specified in the published standard. While this structure helps make sure that the broadest consideration is given to often conflicting needs, it does often create a time-lag between the desire to specify protection against a certain threat and final acceptance and publication of the standard.
The reality of criminality is that new attack techniques are constantly being invented and rapidly deployed to exploit weaknesses in the security of products and systems.
As this article is being written, there is a wide array of physical attacks ongoing against ATMs, proving that the criminal fraternity pays little notice to the label attached to the machine confirming it meets the latest physical security standard. The same can be said for the much-publicised card data compromise attacks against major card processors and personal information thefts from well-known service providers.
Does this mean that the industry is expending money, time and resources to create, design to, test against, purchase and certify compliance for no return?
What must not be overlooked is the number of criminal attacks that have failed, perhaps even at the concept stage, for the simple reason that the potential target was seen to be protected to the extent that the expected return was outweighed by the risk to the potential perpetrators.
There is, and always will be, an absolute need to have internationally approved minimum-security requirements in the shape of measurable and certifiable standards.
However, to increase confidence in the security of your assets, whether you are the supplier or the deployer, assessing current and emerging threats in the real world, in real time, must be a prioritised and ongoing process.
The above article was written by Douglas Russell, DFR Risk Management Ltd.