Addressing Looming ATM Compliance Guidelines to Avoid Security Risks and Fines
Today’s Presenter
Dean Stewart, Senior Director, Self-service Solutions Product Management
Diebold, Incorporated
Crucial Dates
Timeline: 2012 to 2017
15 March 2012: Compliance deadline to adopt 2010 Americans with Disabilities Act (ADA) Standards
April 2013: All POS and ATM Maestro acquirer processors must support EMV transactions, according to MasterCard® and VISA®
April 2013: Counterfeit fraud liability shifts to ATM transaction acquirers that do not accept EMV chip cards for Maestro inter-regional transactions, according to MasterCard
April 2014: Microsoft® ends support for Windows® XP; ATM software should be migrated to Windows® 7 and Agilis® 3
April 2014: ATMs purchased and installed or moved after this date will require the EPP7 to remain PCI compliant
April 2015: All ATM acquirer processors must support EMV transactions, according to VISA
October 2015: Counterfeit card fraud liability shifts to transaction acquirers that do not accept EMV chip cards at U.S. POS terminals, according to MasterCard and VISA
October 2016: Counterfeit card fraud liability shifts to transaction acquirers that do not accept EMV chip cards at U.S. ATMs, according to MasterCard
October 2017: Counterfeit card fraud liability shifts to transaction acquirers that do not accept EMV chip cards at U.S. ATMs, according to VISA
Solution Color Key: EMV, Windows 7, PCI Guidelines, ADA Compliance
Connect with us: #DBD411 or @DieboldInc
The 411 on Windows 7 Migration
2013 POLLING QUESTION RESULTS
What is your timeframe for initiating Windows 7 implementation?
Timeframe | March 2013 (319 respondents) | July 2013 (308 respondents) | November 2013 (152 respondents)
< 6 months | n/a | 23% | 56%
6-9 months | 14% | 39% | 26%
9-12 months | 29% | 12% | 5%
12 months or more | 16% | 2% | 0%
Currently have no plan | 41% | 24% | 13%
Windows 7 Update
DIEBOLD SNAPSHOT
Agilis 3 91x is certified with all major networks
We are currently engaged with over 1,000 financial institutions in the migration process
Robust scheduling and rigor with our Professional Services organization
Where Are You on the Path to Migration?
FIVE STEP ACTION PLAN
1. Evaluate the timelines and understand the impact of the changes
2. Evaluate your fleet:
• Hardware, software and network implications
3. Calculate capital investment and ability to invest
• Upgrade/replace
• Migration to Diebold Integrated Services
4. Develop and prioritize implementation plan
5. Get started today
Plan of Attack | Virginia Credit Union
Timeline: 2012, 1Q 2013, 2Q 2013, 3Q 2013, 4Q 2013, 1Q 2014
June 2012: Initial discussions with Diebold at TAG conference
September 2012: Budget $50k towards 2013 processor upgrades
February 2013: CU makes decision to change ATM driver
April/May 2013: Resurvey of VACU ATMs for W7/A3 conversion during quarterly ATM reviews
June 2013: Multiple conference calls and meetings to discuss VACU plans for 2013 and 2014 for ATM driving conversion, Campaign Office, W7/A3 migration, EMV and EPP7
July 2013: Finalize project scope for W7/A3
August 2013: Sign off on W7/A3 project scope
September 2013: Create schedule for W7/A3 project
December: Coordinate W7 migration with STAR conversion plan in 2014
Q1 2014: Begin deployment of encrypted hard drive and Sierra processors
Microsoft Custom Support Agreement
APRIL 2014 – APRIL 2015
Custom support is offered on a one-year basis with possible renewal for two additional years
Custom support is per ATM, not blanket coverage
Microsoft Custom Support Agreement
APRIL 2014 – APRIL 2015
Support includes:
Problem resolution
• “Critical” security hotfixes (Microsoft Security Response Center defined)
Support assistance
• Short term assistance focused on the specific product
Support does not include:
“Important” security hotfixes
• Product related vulnerabilities to end user data
• Diebold charged by Microsoft if we need an important item fixed and they agree to fix it
• Fix available to all units with a custom support agreement
Microsoft Custom Support Agreement
CRITICAL vs. IMPORTANT
Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action
Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources
Microsoft Custom Support Agreement
RECENT ANNOUNCEMENT FROM MICROSOFT
Microsoft has announced that it will provide malware updates for Windows XP beyond the company's originally planned cutoff date of April 8. The company said in a blog post that it still plans to discontinue support for the operating system, but will continue to update anti-malware signatures and engine for users through July 14, 2015.
As of April until July 15, 2015, Microsoft will be releasing updates for their security products — and only their security products — their anti-virus.
The 411 on EMV Adoption
BENEFITS OF MIGRATING TO EMV
Improve the security of the U.S. payments systems and eliminate the primary target for mag stripe fraud.
Increase global cardholder satisfaction, especially when traveling internationally.
Maintain interoperability with the rest of the world as it migrates to EMV.
Leverage commercial EMV products and services for low-risk.
Position for future advanced payment forms using near field communication (NFC) based, mobile, contactless payments.
The 411 on EMV Adoption
POLLING QUESTION RESULTS
What is the status of your institution's migration to EMV chip cards?
57% Early education of EMV migration
13% Assessing the compliance risk and cost associated with EMV migration
10% Strategy planning to begin upgrades in 2014
5% Started upgrades and plan to achieve network certification in 2013
14% We currently have no plan
344 respondents
Crucial Dates, EMV Adoption
Q2 2014: New Canyon quad core processor available, replacing Sierra for Windows 7 operation
April 2014: Microsoft® ends support for Windows® XP; ATM software should be migrated to Windows® 7 and Agilis® 3
PCI Data Security Standards
THE PCI DATA SECURITY STANDARD (PCI DSS)
Goals and their PCI DSS Requirements
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security for employees and contractors
PCI PA-DSS
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
• Agilis 91x, 3.0 SP1
• Agilis 3.0 SP 3
The 411 on EPP7 Upgrades and PCI 3.0 Guidelines
POLLING QUESTION RESULTS
How would you rate your level of compliance with PCI?
20% We passed our PCI audit with a clean bill
15% We passed PCI with some nonconformities
0% We failed our PCI audit
13% What is a PCI audit?
52% I do not know
188 respondents
PCI PTS 3.0 Requirements
NEW ENCRYPTING PIN PAD – EPP7
• Compliant with industry regulations (PCI v.3, Interac, etc.)
• New root certificate for Remote Key Loading (RKL)
• Support Certificate & Signature based RKL
• Secure communications
• ValiTech
• PIN Pad Shield continued support
The 411 on EPP7 Upgrades and PCI 3.0 Guidelines
POLLING QUESTION RESULTS
How well do you understand the advantages of EPP7?
17% Completely
69% Somewhat
14% Not at all
273 respondents
Develop An Action Plan
FIVE STEPS TO GET STARTED
Customize to meet your FI's needs:
1. Evaluate the timeline
2. Evaluate your fleet
3. Calculate capital investment
4. Develop implementation plan
5. Get started today
Step 1 – Evaluate the Timeline
EVALUATE IMPACT AND PRIORITIZE
Evaluate crucial dates and understand the impact of each change
Determine the key priorities for your FI
Step 2 – Evaluate Your Fleet
HARDWARE, SOFTWARE AND NETWORK IMPLICATIONS
Hardware
Windows 7:
• Pentium 4, 3.0GHz CPU
• Celeron, 2.9GHz CPU (Denver)
• Core 2 Duo, 3.0GHz CPU (Sierra) recommended
• 2GB required, 4GB recommended
EMV:
• EMV chip card reader
EPP7:
• Opteva terminals
• Requires no fascia change
Software
Windows 7:
• Agilis XFS for Opteva V4.1.0 or higher
• Agilis 3 (Custom Applications based on Agilis EmPower v3)
• Agilis 3 91x SP3
EMV:
• EMV Kernel
• Agilis 2.4 or Agilis 3
EPP7:
• Agilis 3 91x, SP4
• Agilis XFS version 4 or higher
• Windows XP and Windows 7
Network
Windows 7: Certification
EMV: Certification
EPP7: Certification
Step 3 – Calculate Capital Investment
CALCULATE YOUR CAPITAL INVESTMENT AND READINESS TO INVEST
Upgrade
Replace
Migrate towards Integrated Services
Step 4 – Develop Implementation Plan
SUCCESSFUL IMPLEMENTATION
Develop and prioritize implementation plan
Determine timing of implementation
Talk to your network provider, particularly around EMV and PCI
Step 5 – Get Started Today
CONTACT YOUR DIEBOLD SALES ASSOCIATE
Schedule upgrades early to ensure compliance as deadlines approach
Action Plan Summary – Five Steps
1. Evaluate the timelines and understand the impact of the changes
2. Evaluate your fleet:
• Hardware, software and network implications
3. Calculate capital investment and ability to invest
• Upgrade/replace
• Migration to Integrated Services
4. Develop and prioritize implementation plan
5. Get started today
For more information on today’s webinar topic:
• Visit www.diebold.com/411
• Email [email protected]
• Call 800.806.6827