ARE YOU AWARE OF UPCOMING ATM EPP PCI COMPLIANCE MANDATES?

Upcoming ATM industry compliance mandates are looming that affect your ATM business.

Whether you’ve been in the ATM industry a short time or for ages, you are aware that this industry is highly regulated by federal regulators, banking regulators and sponsor banks, and debit networks. You are conducting business in the financial services space, and that means heightened security and compliance are required for participation across many areas.

Cardholder data security has been managed since 2006 by a Council developed by five debit networks – Visa, MasterCard, American Express, Discover and JCB. The Council is known as the Payment Card Industry (PCI) Security Standards Council. The Council published the initial EPP standards roadmap shortly after its inception. The Council has now published its new key compliance deadline dates and these compliance requirements definitely affect those whose deployed ATM terminals are “ancient, archaic, not able to be upgraded to current required standards.” Why is this necessary? For security of cards, cardholders, processors, networks, and you the ATM deployer.

  • By December 31, 2022, terminals that have encrypting PIN pads (EPP) that can be upgraded must be upgraded with the current version EPP, or the terminal must be replaced with a new one that meets current standards.
  • By January 1, 2025, every deployed terminal must have current standards EPP hardware, firmware, and software that uses TR31 Phase 3 “Key Blocks.”

Key Block encryption provides further security for PINs and data transferred through the ATM and payment network infrastructure. This in turn makes it more difficult for hackers to exploit weaknesses, and it protects the cryptography that protects payment data.

You are encouraged to perform due diligence now on your actively deployed terminal platform to determine what course of action you need to begin in order to be compliant before the December 31, 2024 deadline for both EPP and TR31 Phase 3 Key Blocks. Non-compliance on the deadline can cause:

| Cause | Effect on deployer |
|---|---|
| Terminals to be inactivated | Loss of income |
| Deployer to be assessed fines and penalties if determined data breach(es) have occurred at terminal | High expenses; loss of income |
| Terminal to go dark because parts and maintenance no longer available for terminal make and model | Loss of income |

These are due diligence points to consider; you are then encouraged to act in a conscientious and timely manner to bring your deployed portfolio up to the ATM industry standards.

*To avoid having to make two visits to a terminal for required upgrades, we suggest you install a replacement ATM that includes the most current ATM standards as well as EPP hardware/firmware and ATM software by end of year 2022. Please note that, depending on your ATM manufacturer, you may still be required to do a software update prior to January 1, 2025, even with installation of a new ATM terminal and compliant EPP.

  • Is the ATM EPP upgradeable beyond PCI PTS v1 or older?
    • No – replace the ATM before end of year 2022
    • Yes – replace the EPP before end of year 2022
  • Is the ATM EPP upgradeable?
    • No – replace the ATM before end of year 2024
    • Yes – replace the EPP with new software before end of year 2024
  • Are parts still available for the ATM?
    • No – replace the ATM before end of year 2022

Contact your ATM Partner representative for information if you require assistance in determining your needs in replacing terminals and/or EPPs with PCI compliant units.

Set up a schedule for compliance and follow it.