Be Prepared, ATM EPP PCI Compliance Deadlines Are Coming
The ATM industry is highly regulated by federal regulators, banking regulators, sponsor banks, and debit networks. As a result, security and compliance are essential for participation in this space. One of the key areas of compliance is cardholder data security, which has been managed since 2006 by the Payment Card Industry (PCI) Security Standards Council. The Council, which is made up of five debit networks – Visa, MasterCard, American Express, Discover and JCB – has now published new compliance deadline dates that will affect ATM deployers whose terminals are “ancient, archaic, not able to be upgraded to current required standards.”
The first compliance requirement that ATM deployers should be aware of is that by December 31, 2024, terminals that have encrypting pin pads (EPP) that can be upgraded must be upgraded with the current version EPP or the terminal must be replaced with a new one that meets current standards. This is necessary for the security of cards, cardholders, processors, networks, and the ATM deployer. The second compliance requirement that ATM deployers should be aware of is that by January 1, 2025, every deployed terminal must have current standards EPP hardware, firmware, and software that uses TR31 Phase 3 “Key Blocks.”
Key Block encryption provides additional security for PINs and data to be transferred through the ATM and payment network infrastructure, which makes it more difficult for hackers to exploit weaknesses and protects the cryptography that protects payment data.
To ensure compliance with these upcoming mandates, ATM deployers are encouraged to perform due diligence now on their actively deployed terminal platform to determine what course of action is needed to be compliant before the December 31, 2024 deadline for both EPP and TR31 Phase 3 Key Blocks. Non-compliance on the deadline can lead to terminals being inactivated, deployers being assessed fines and penalties if determined data breaches have occurred at the terminal, or the terminal going dark because parts and maintenance are no longer available for the terminal make and model.
To avoid having to do two visits to a terminal for required upgrades, ATM deployers are encouraged to install a replacement ATM that includes the most current ATM standards if needed, as well as EPP hardware/firmware and ATM software by end of year 2024. Please note, depending on your ATM manufacturer, you may still be required to do a software update prior to January 1, 2025 even with the installation of new ATM terminals and compliant EPP.
For those with Nautilus Hyosung ATMs, it is important to note that Nautilus Hyosung offers a number of options for EPP upgrades, including the Nautilus Hyosung EPP and the Nautilus Hyosung 8000R Keypad. The Nautilus Hyosung EPP is a fully PCI-compliant solution that meets all of the current standards, while the Nautilus Hyosung 8000R Keypad is a cost-effective solution that can be used to upgrade existing EPPs.
In conclusion, ATM deployers should be aware of the upcoming compliance mandates that affect their ATM business. By performing due diligence on their actively deployed terminals and taking the necessary steps to ensure compliance, deployers can protect the security of cardholders, processors, networks, and themselves. Nautilus Hyosung offers a number of options for EPP upgrades, including the Nautilus Hyosung EPP and the Nautilus Hyosung 8000R Keypad, that can help ATM owners meet the upcoming compliance mandates. If ou have questions or need any guidance, just give us a call at 877-538-2869.