lifecycle introsecuritymanual

Upload: rohit-singh

Post on 02-Apr-2018


  • 7/27/2019 Lifecycle IntroSecurityManual

    1/66

    ATM LIFECYCLE SECURITY MANUAL

    International minimum security guidelines

    Produced by the Global ATM Security Alliance


    Table of Contents

    Foreword 4

    CHAPTER 1: INTRODUCTION TO ATM LIFECYCLE SECURITY 5-7
    1.1 CLARIFICATION OF ATM LIFECYCLE 5
    1.2 PROTECTING THE ATM LIFECYCLE 6

    CHAPTER 2: CARDHOLDER SECURITY 8-11
    2.1 THE ROLE OF THE CARDHOLDER IN ATM SECURITY 8
    2.2 THE WORLD'S TOP TWENTY TIPS FOR ATM USE 8
    2.3 ADDITIONAL TIPS FOR DIFFERENT TYPES OF ATMS 10
    2.4 GENERAL TIPS 11
    2.5 SUMMARY OF ATM SECURITY FOR CUSTOMERS 11

    CHAPTER 3: ATM PHYSICAL SECURITY 12-20
    3.1 ROLE OF PHYSICAL SECURITY 12
    3.2 SCOPE OF PHYSICAL SECURITY REQUIREMENTS 12
    3.3 RISK-ASSESSMENTS 12
    3.4 COMMON ATM SECURITY CONSIDERATIONS 13
    3.5 PHYSICAL SECURITY CONSIDERATIONS FOR STAND ALONE ATMS 17
    3.6 PHYSICAL SECURITY CONSIDERATIONS FOR THRU-THE-WALL ATMS 19

    CHAPTER 4: PIN & ENCRYPTION SECURITY 21-40
    4.1 INTRODUCTION 21
    4.2 PIN SECURITY RECOMMENDATIONS 22
    4.3 KEY MANAGEMENT RECOMMENDATIONS 27
    4.4 KEY MANAGEMENT REGIMES 40
    4.5 CRYPTOGRAPHY BEST PRACTICE RECOMMENDATIONS 40

    CHAPTER 5: DATA & TRANSACTIONAL SECURITY 41-46
    5.1 INTRODUCTION 41
    5.2 PRINCIPLES UNDERLYING INFORMATION SECURITY 41
    5.3 INFORMATION SECURITY POLICY 42
    5.4 SECURITY MANAGEMENT 42
    5.5 MESSAGE SECURITY FOR ATM NETWORKS 43
    5.6 DEFINITIONS OF SECURITY CLASSIFICATIONS OF DATA 43
    5.7 ALLOCATION OF RESPONSIBILITIES FOR MESSAGE SECURITY 45
    5.8 DATA CONFIDENTIALITY & INTEGRITY FOR ATM NETWORKS 45
    5.9 PROCEDURE & REVIEW RECOMMENDATIONS 46

    CHAPTER 6: ATM CYBER SECURITY 47-51
    6.1 OUTLINING THE DRIVERS FOR ATM CYBER SECURITY 47
    6.2 OPERATING SYSTEM SECURITY 47
    6.3 ACCOUNT SECURITY 49
    6.4 NETWORK SECURITY 50
    6.5 DETECTION AND PREVENTION 51

    CHAPTER 7: ATM CASH SECURITY 52-65
    7.1 DEFINING THE SCOPE OF ATM CASH SECURITY 52
    7.2 BASIC RECOMMENDATIONS 53
    7.3 HOW CASH REPLENISHMENT FITS INTO THE CASH CYCLE 53
    7.4 DEFINITION OF THE CHAIN OF RESPONSIBILITY IN THE ATM CASH CYCLE 55
    7.5 SAFE OPERATING PROCEDURES 57
    7.6 AUDIT TRAILS FOR THE ATM CASH CYCLE 57
    7.7 SECURING THE ATM ZONES 59
    7.8 BEST PRACTICES FOR ATM CASH REPLENISHMENT 62
    7.9 BEST PRACTICES FOR SECURING ATM SERVICING / MAINTENANCE 63

    Acknowledgements 66
    Disclaimer 66


    Foreword

    This Best Practice Manual for ATM Lifecycle Security sets out to provide a high-level overview of the key elements of each phase of the ATM business lifecycle, from cardholder security to cash security, and every kind of security in-between. The Global ATM Security Alliance has published International Cardholder Security Tips and Best Practices for Physical ATM Security, PIN and Key Management Security, Transactional Security, Cyber Security and Cash Security.

    This overview collects in one manual the key guidelines1 from all of this published material. The objective is to encourage security practitioners in the industry to adopt a more integrated lifecycle security approach as part of a holistic security strategy.

    It is a well-known fact that crime migrates along the path of least resistance to attack the weakest link or softest target. Consequently, unless each link in the lifecycle chain of the ATM is strong, crime will continue to find security vulnerabilities to exploit.

    We recommend that specialists focusing on particular kinds of ATM security, whether physical security, cash security or cardholder security, continue to consult GASA's comprehensive best practices for detailed guidelines for their specialised area of security, whilst using this manual in a complementary fashion to inspire lifecycle security thinking and awareness. We further recommend that security managers who are specialised have systematic and highly co-ordinated contact with specialists focusing on other phases in the security lifecycle.

    This manual completes the Global ATM Security Alliance's series of security best practices for the whole ATM lifecycle. Please visit www.globalasa.com for more details about GASA. We trust the manual will play a part in crime reduction and that it will enhance your security strategies to make them even more effective.

    Global ATM Security Alliance, October 2005

    1 Each organization is encouraged to use these guidelines as a framework to build its own security policies, procedures and standards. A guideline in this manual is understood as a suggestion for best practice which is strongly recommended, rather than a requirement to be met.


    Chapter 1: Introduction to ATM Lifecycle Security

    1.1 Clarification of ATM Lifecycle

    The term ATM lifecycle refers to all the interlinked stages involved within the business processes required for the functioning and operating of the ATM. In biology, life-cycle refers to the complete series of stages through which an organism passes2 from conception, through maturation to eventual death. The idea is that these stages are linked as the organism passes from one to the next in a natural sequence.

    In the ATM business lifecycle, certain processes, actions and operations happen in a sequence of steps resulting in ATMs dispensing cash and other services to customers. For example, ATMs need regular cash replenishment to continue functioning. For the ATM to dispense cash, the cardholder needs to insert his card and key in his PIN for identification, whereupon the transaction needs to be authorised by his bank through a process which links the ATM via a network and switch to the bank's authorising system.

    The ATM business lifecycle covers all these stages and the many processes, systems, procedures and operations required to deliver ATM services to bank customers.

    When applied to ATM security, this business lifecycle is seen as a series of phases where different kinds of protection are needed at different points along the lifecycle to prevent crime and reduce risk of attack. Lifecycle security is the strategy of looking in a high-level, co-ordinated way at all the phases along the lifecycle, constantly assessing crime migration patterns and changing vulnerabilities. Lifecycle security looks at all kinds of ATM security within a single strategic security management programme. When there are specialised areas of security within all these lifecycle phases, they need to be systematically co-ordinated in order to achieve lifecycle security.

    2 The Cambridge Encyclopedia, 4th Edition

    Chapter 1: Intro to ATM Lifecycle Security - 5 - 13/10/2005


    1.2 Protecting the ATM Lifecycle

    [Figure: ATM lifecycle security diagram with the ATM at the centre, surrounded by Card Security, Cardholder Security, ATM Physical Security, PIN & Encryption Security, ATM Transactional Security, ATM Cyber Security, ATM Connectivity Security and ATM Cash Security]

    Produced for GASA by Mike Lee, CEO, ATMIA

    Card Security3 encompasses the security measures to ensure that a card, whether a debit, credit or Stored Value card, can be validated at a payments terminal and cannot be readily copied or cloned for counterfeit purposes.

    Cardholder Security refers to the ways in which cardholders can be educated to manage their card and ATM usage in a sensible and security-conscious way.

    ATM Physical Security covers the security measures undertaken to ensure that the ATM machine is properly located, installed and protected in a way that addresses and manages risks of attacks against it.

    PIN and Encryption Security has to do with protection of PIN numbers, secure encryption key management and encryption guidelines. Cryptography, along with strong encryption key management, is used to protect PINs and PIN keys to reduce the risk of financial loss by fraud, thereby maintaining the integrity and confidentiality of the network and instilling cardholder confidence in the use of both the ATM network and the ATM.

    ATM Transactional Security is about initiating, implementing and maintaining information security within ATM networks. As messages and transactions in ATM networks contain both sensitive cardholder data and related financial information, it is important that ATM networks safeguard this information. The transactional security controls should be applied throughout an ATM network, from the ATM to the authorisation process, including all transaction processing and the generation and storage of PINs.

    3 GASA has not produced best practices for card security and refers readers to relevant Payment Card Industry (PCI) standards for card issuing.


    Cyber Security refers to general cyber security for computer, network and information security as well as guidelines for operating ATMs on a Windows XP platform.

    ATM Connectivity Security involves line encryption and protection of data over the communications lines between ATMs and their host systems to prevent interceptions of data through devices like wire-tapping.

    ATM Cash Security focuses on securing the cash replenishment phase for three self-fill models: bank-branch-fill, merchant-fill and CiT-fill. This includes securing the approach to the ATM, securely loading the cash and then securing the exit away from the ATM. Cash security is critical to any ATM business, since ATMs are essentially cash dispensers and the highest cost for deployers is typically the cost of cash.

    It is recommended that banks and businesses in the ATM industry encompass lifecycle security covering all of these phases within an integrated and holistic security strategy, co-ordinating the areas of specialisation within a single security framework in order to produce seamless security across this lifecycle. The objective of all ATM security is to protect the ATM's whole Trusted Environment.


    Chapter 2: Cardholder Security

    2.1 The role of the cardholder in ATM security

    This chapter is designed to ensure optimal levels of customer safety and convenience at ATMs.

    It is true that law enforcement agencies around the world need the communities they police to play a part in the upholding of law and order. By being more security-conscious and taking precautions whenever possible, citizens can help prevent crimes from taking place.

    This is equally true when it comes to ATM usage.

    2.2 The World's Top Twenty Tips for ATM Use4

    To enhance the ATM customer experience

    Tips for Choosing an ATM

    Tip 1

    Where possible, use ATMs with which you are most familiar. Alternatively, choose well-lit, well-placed ATMs where you feel comfortable.

    Tip 2

    Scan the whole ATM area before you approach it. Avoid using the ATM altogether if there are any suspicious-looking individuals around or if it looks too isolated or unsafe.

    Tip 3

    Avoid opening your purse, bag or wallet while in the queue for the ATM. Have your card ready in your hand before you approach the ATM.

    Tip 4

    Notice if anything looks unusual or suspicious about the ATM indicating it might have been altered. If the ATM appears to have any attachments to the card slot or key pad, do not use it. Check for unusual instructions on the display screen and for suspicious blank screens. If you suspect that the ATM has been interfered with, proceed to another ATM and inform the bank.

    4 The World's Top Twenty Tips for ATM Use were collected from Australia, New Zealand, United States of America, United Kingdom, Europe, Canada, India and South Africa. Banks are free to distribute these security tips under their own branding and in their own format.


    Tip 5

    Avoid ATMs which have messages or signs fixed to them indicating that the screen directions have been changed, especially if the message is posted over the card reader. Banks and other ATM owners will not put up messages directing you to specific ATMs, nor would they direct you to use an ATM which has been altered.

    Tips for Using an ATM

    Tip 6

    Be especially cautious when strangers offer to help you at an ATM, even if your card is stuck or you are experiencing difficulty with the transaction. You should not allow anyone to distract you while you are at the ATM.

    Tip 7

    Check that other individuals in the queue keep an acceptable distance from you. Be on the look-out for individuals who might be watching you enter your PIN.

    Tip 8

    Stand close to the ATM and shield the keypad with your hand when entering your PIN (you may wish to use the knuckle of your middle finger to key in the PIN).

    Tip 9

    Follow the instructions on the display screen, e.g. do not key in your PIN until the ATM requests you to do so.

    Tip 10

    If you feel the ATM is not working normally, press the Cancel key, withdraw your card and proceed to another ATM. Report the matter to your financial institution.

    Tip 11

    Never force your card into the card slot.

    Tip 12

    Keep your printed transaction record so that you can compare your ATM receipts to your monthly statement.

    Tip 13

    If your card gets jammed, retained or lost, or if you are interfered with at an ATM, report this immediately to the bank and/or police using the help line provided or nearest phone.

    Tip 14

    Do not be in a hurry during the transaction, and carefully secure your card & cash in your wallet, handbag or pocket before leaving the ATM.


    Tips for Managing your ATM use

    Tip 15

    Memorise your PIN (if you must write it down, do so in a disguised manner and never carry it with your card).

    Tip 16

    NEVER disclose your PIN to anyone, whether to a family member, bank staff or police.

    Tip 17

    Do not use obvious and guessable numbers for your PIN like your date of birth.

    Tip 18

    Change your PIN periodically, and, if you think it may have been compromised, change it immediately.

    Tip 19

    Set your daily ATM withdrawal limit at your branch at levels you consider reasonable.

    Tip 20

    Regularly check your account balance and bank statements and report any discrepancies to your bank immediately.

    Please note that you should show the same precautionary care when using your card(s) at a POS (point of sale) pinpad terminal in a retail environment or at a restaurant, or when conducting transactions online or telephonically, or when writing cheques (checks). Speak to your bank branch about security when using these other service delivery channels.

    2.3 Additional Tips for Different Types of ATMs

    Tip for Use of Lobby ATMs

    If you are using an indoor ATM that requires your card to open the door, avoid letting anyone that you do not know come in with you. Check for modifications to the card reading device affixed to the lobby door.

    Tip for Use of Drive-up ATMs

    Lock the car doors and roll up the other windows when you use a drive-through ATM.


    2.4 General Tips

    General Tip 1

    Ensure that you sign your card on the signature panel as soon as you receive it.

    General Tip 2

    Protect your cards as if they were cash. Do not leave them unattended anywhere. Keep your cards in a safe place and never leave them or personal identity documents lying around at home, at work, in a vehicle, or in public places.

    General Tip 3

    If at all possible, do not let your bag or wallet containing the cards out of your sight in public places.

    General Tip 4

    Be alert to what is happening with your card when performing a transaction. For example, do not let a restaurant waiter take your card away to settle the account, and watch your card when you hand it to a cashier. Watch while cashiers process your card - make sure they do not swipe it through two different devices: if that happens, contact your bank immediately.

    General Tip 5

    Make a list of your card account numbers and telephone numbers for reporting lost or stolen cards. Keep the list in a safe place. Check your cards periodically to make sure none are missing.

    General Tip 6

    Never give your credit card number over the phone or internet, unless you are dealing with a reputable company, or you have initiated the call yourself, or you are 100% certain of the caller's identity and that of the company they work for.

    General Tip 7

    Read and understand the Terms & Conditions for card usage issued by your financial institution(s). Contact customer services if you are unclear about any of the terms.

    2.5 Summary of ATM Security for Customers

    YOU, your PIN and your CARD looked after together are the keys to ATM security:

    Approach an ATM only under the right conditions in order to protect YOURSELF.
    Ensure only you know, see, and use your PIN.
    Follow the ATM screen's instructions when using your CARD, and ensure the card is kept secure during and after use.


    Chapter 3: ATM Physical Security

    3.1 Role of Physical Security

    The physical ATM provides the interface between the self-service banking industry and millions of cardholders around the world who use ATMs to withdraw cash, check balance enquiries, top-up their mobile phones, purchase tickets and pay bills.

    ATMs are becoming the face of many financial institutions. For many consumers, ATMs are becoming the only interaction they have with their banks. In addition, ATMs are becoming a competitive mark for many banks. Therefore, it is imperative to ensure that the customer's experience with the ATM is safe and secure, as well as pleasant.

    ATM Security and Fraud (July 2004) by Celent Communications

    3.2 Scope of Physical Security Requirements

    The physical security recommendations in this chapter refer to the ATM itself and its host premises. The security of cash is covered in Chapter 9 ATM Cash Security.

    The security guidelines listed are recommended as crime reduction "good practice". Additional security measures and practices may well be required and will depend on existing local premises security and the assessed risk carried out prior to site selection and installation. Our guidelines are intended to complement the advice of local police and government, insurers and security advisers, as well as the manufacturer's guidelines.

    3.3 Risk-Assessments

    Site selection and installation of all ATMs should always be preceded by risk assessments.

    During initial site validation, or at subsequent site risk assessment visits, an ATM should be classified by the deployer as Low, Medium or High risk. Risk assessment criteria can depend on organisational, insurance and law enforcement recommendations and requirements.

    Industry advice may also be sought from industry approved consultants. It is recommended that details of site risk assessments be recorded in defined reports and stored in an organisational database.


    It is also recommended that each ATM deploying organisation conducts a detailed and thorough ATM risk analysis based on their own country and geographical areas of operation, and that based on this, a detailed ATM security strategy is prepared or up-dated.

    3.4 Common ATM Security Considerations

    The security considerations laid down in this section are considered common to both Stand Alone and Thru-the-Wall ATMs. The security considerations particular to each type are discussed separately later.

    3.4.1 ATM Safe

    It is recommended that a strong ATM safe be used to protect cash inside the ATM. The grade of safe used can be varied depending on the area risk assessment. In addition the security provided by the security container (safe) within the ATM should be to a level commensurate with that required for the value of cash loaded in the ATM5.

    For recommendations regarding safes and locks, please see Best Practice for Physical ATM Security, section 6.3.3.

    3.4.2 Banknote Degradation Systems

    A banknote degradation system may be installed, which dyes/stains/degrades notes when activated in order to render them unattractive to thieves. Such a system should meet any national standards relating to usage of ink/dye systems.

    These systems are fitted to each ATM cassette, which holds notes contained in the ATM, to provide a deterrent to theft of, or from, the ATM.

    The banknote degradation system should be designed to activate immediately the ATM is moved or attacked by any means.

    If required the system may incorporate a unique chemical identifying system, although such identification systems should not be used in isolation.

    Where a banknote degradation system is utilised, notices to this effect should be displayed prominently around the perimeter of the premises and on the ATM itself.

    An independent test house should check any banknote degradation system used, and should certify that it does operate according to the manufacturer's claims.

    Each national Central Bank should also test the system on real banknotes and should verify that the ink is safe, and that the required percentage of the notes is stained on the required percentage of the printed area. Some banknote degradation systems can link with CIT to provide end-to-end security between the ATM and the cash centre.

    5 Refer to the relevant BS/EN Performance Test Standards


    3.4.3 Smoke Generating System

    As an alternative to a banknote degradation system, a smoke generating system may be installed to protect the internal area of the premises where the ATM is installed to provide a deterrent to theft of, or from, the ATM.

    Such systems should be designed to activate immediately the ATM is moved or attacked by any means. The means of activation must be provided only when the area of the premises in which the ATM is sited is non-operational.

    Where attack through the building roof is a possibility the smoke generating system should protect vulnerable roof voids.

    Such systems must not negate any procedures associated with fire and emergency, particularly in means of escape in the case of an actual fire. It is recommended that advice be taken from the local fire safety officer before installation.

    Where a smoke generating system is utilised, notices to this effect should be displayed prominently around the perimeter of the premises and on the ATM itself.

    3.4.4 ATM Alarm Systems

    Intruder Alarm

    Premises where ATMs are installed should be protected by an intruder alarm system with monitored remote signalling to an Alarm Receiving Centre to a security level commensurate with the risk level.

    ATM Alarm System

    In addition to alarming the premises, consideration may be given to alarming the ATM itself. This can be achieved by means of a stand-alone alarm system with its own unique reference number (URN).

    The system should be monitored by remote signalling to an Alarm Receiving Centre and should qualify for an appropriate local 1 police response. If it is a confirmable alarm system a dual signalling facility should be provided.

    The design should ensure that the system is armed at all times other than for maintenance, for servicing and cash replenishment.

    It should give the earliest possible warning of attack on the ATM.

    In addition, consideration should be given to including personal attack switches for the use of CIT crews in the event of an attack during cash replenishment.

    ATM Alarm Equipment

    For recommendations for alarm equipment at each ATM location, please see Best Practice for Physical ATM Security, section 6.5.


    Control, Monitoring and Maintenance

    The Alarm System should be monitored from a Central Monitoring Station (CMS) 24 hours daily. The CMS, which should conform to ISO and local police standards, should automatically generate an alarm signal if the telephone line fails or is cut. In the event that an alarm signal is received, the CMS should respond according to its standard operating procedures.

    A maintenance record should be kept for the alarm detection system and routine maintenance should be conducted. The minimum should be one planned maintenance visit each year.

    3.4.5 ATM Lighting

    Where a national standard for illumination of the keyboard and surrounds of an ATM does not exist, an ATM Deployer should set its own standard.

    200-300 Lux is recommended for ATM keyboard illumination.

    50 Lux is suggested as the minimum ambient illumination at floor level up to a distance of 1 metre from the face of the ATM and extending 75 cm either side of the mid-point of the ATM. This is also the minimum recommendation should a CCTV camera be fitted.

    200 Lux ambient illumination at floor level should be considered in areas deemed to pose a higher risk to customers at night.

    3.4.6 CCTV

    Should the site risk assessment require it, the premises may be protected by a closed circuit television system, with or without detection facility, viewing the ATM, but not viewing the ATM keypad.

    3.4.7 PIN Protection

    For locations deemed to have a high risk of ATM fraud, it is recommended that a written siting policy be submitted, subject to audit, confirming that the ATM is positioned to prevent oversight of the PIN pad from any source (cardholders in the queue, passers-by, mirrors, etc).

    For comprehensive PIN security measures, see GASA's Best Practice Manual for PIN Security and Key Management.


    3.4.8 ATM Testing & Commissioning

    The following steps should be followed for an ATM to be tested and commissioned:

    Authorisation

    Prior to dispatching a Technician to the ATM site, the Installation Contractor6 should check with the ATM Deployer that all the Pre-Conditions have been met.

    Field Test & Network Connection

    On arrival at the ATM site the Installation Contractor's Technician should conduct a thorough test of the ATM and connect it to the ATM network.

    Test Certificate

    On completion he should sign a Test Certificate to confirm that everything is correct and that the ATM is ready to go live. A copy of this Certificate should subsequently be sent to the ATM Deployer.

    Telephone Line

    If the telephone line is not working, he may proceed to hand over the ATM, but may not switch it live or on-line7.

    3.4.9 ATM Handover

    Before handing over the ATM and switching it on-line, the Installation Contractor's Technician should ask the Bank's representative to sign a formal ATM Handover Certificate for the ATM. This will acknowledge the date and time that the Bank took over responsibility for the management of the ATM, and will also record any keys and/or combinations handed over.

    A copy of this Certificate should be left with the Bank, a copy passed to the ATM Manager and a copy passed to the ATM Deployer.

    3.4.10 On-site monitoring of the ATM by Site Personnel

    ATM deployers should ensure that site owners/managers, or other on-site personnel, check the ATM regularly to ensure there are no alien or parasite attachments, such as skimming (or card copying) devices, that do not belong to the original device. ATM deployers should ensure that training and education is carried out to enable this on-site monitoring to be effective. In the event that an alien or parasite attachment is discovered, there should be a clear procedure laid down as to what follow up action should be taken (i.e. inform the Police).

    6 The Installation contractor may be the ATM Supplier, or may be a third party working for either the ATM Deployer or the ATM Supplier

    7 For Warranty purposes ATM Manufacturers require an on-line transaction to be completed


    3.4.11 Passive Compliance

    In the event of an attack during opening hours, host staff should be advised to passively comply with the raider's demands and must be trained accordingly.

    3.4.12 ATM Storage

    The following security requirements are advised when ATMs are stored during any part of the ATM lifecycle and particularly after initial purchase, during preparation for site, during modification/repair and while awaiting disposal.

    Secure Area

    ATMs should be stored in a secure area with reasonable restrictions on physical access, and with an access control procedure in place for all persons entering the area. Access control records should be kept for a minimum of two years, for external audit purposes.

    Alarm System

    The secure area should be protected by a monitored alarm system with sensors covering the external access points and all movement within the general area. This system should be switched on and monitored outside of normal working hours, and at any time when the storage area is left unattended.

    Encryption Keys

    It is recommended that Encryption keys are deleted from an ATM while it is in storage. This stops the Encryptor being brought back on-line if the ATM is plugged back into the network.

    3.5 Physical Security Considerations for Stand Alone ATMs

    3.5.1 Definition of a Stand Alone ATM

    Stand Alone ATMs are free-standing, and are not installed in the wall of a building, for example, at a bank branch. Typically, they are situated in convenience stores, petrol stations, supermarkets, shopping malls, etc.

    3.5.2 Minimum Security Recommendations

    Position

    If the ATM is located in a premises immediately adjoining a road accessible to vehicles, the ATM should be sited within the premises well away from perimeter glazing, particularly shop fronts, preferably directly against a strongly built internal or perimeter wall which does not have vehicular access to its external face, and positioned to avoid a direct and unimpeded line of access from a door or other access point.


    To reduce the risk of vandalism to the ATM and to increase user safety, the ATM should be positioned in a highly visible and well-lit area that allows maximum surveillance by counter staff and other customers.

    Anchorage

    The ATM should be securely fixed to the floor through its security container by a minimum of four resin anchor bolts (minimum 12mm diameter to a minimum depth of 150mm) into a substantial concrete base.

    Where a timber floor is involved the ATM should be bolted to a steel base plate by a minimum of four bolts, which is bolted through the floor joists by a minimum of four bolts.

    3.5.3 Additional Security Recommendations for Higher Risk Deployments

    External Measures

    External approaches to the area of the premises where the ATM is sited should be protected by the installation of anti-ram bollards, vehicle-arresting systems, high rise kerbs, raised planters, reinforced lamp posts or similar street furniture, usually subject to local authority approval.

    Where perimeter glazing extends down to the floor of the premises this should beprotected by visually permeable metal roller shutters, security grilles or retractable anti-rambollards configured to keep vehicles away from the vulnerable perimeter elements of the

    premises outside the premises operational hours

    Enhanced Anchorage

    Instead of the anchoring system recommended in item 3.5.2 the ATM should be anchoredby an enhanced anchoring system specifically designed to provide superior fixing for

    ATM's.

    Security Collar or Anti-Lasso Device

    A security collar, of the type associated with gaming machines, or an anti-lasso device, may

    be fitted where removal of the ATM is a risk

    Where such devices are deployed these should be attached to the main body of the ATMitself and not to the exterior facings

    Tracking System

    The ATM may be fitted with a tracking system to enable its position to be determined in theevent of theft of the ATM from the premises.


    3.6 Physical Security Considerations for Thru-the-Wall ATMs

    3.6.1 Definition of a Thru-the-Wall ATM

    A TTW ATM does not stand on its own but is installed within the wall of a building (interior or exterior) to which it is affixed to allow customers to conduct transactions at the ATM outside of, or even away from, a bank branch. This type of machine contrasts with Stand Alone ATMs, which are not fixed within the wall of a building.

    3.6.2 Minimum Security Recommendations

    Site Validation

    Each ATM site should be thoroughly validated before the decision to install an ATM is taken.

    For full details on site validation report structure, report distribution, planning requirements and site validation responsibilities, see section 5.1 of GASA's Best Practice Manual for ATM Physical Security.

    Base Composition

    During the Site Validation an assessment should be made of the base to ensure that it is of sufficient strength and depth to anchor the ATM. If it is deemed possible to use the existing base, the existing concrete should be reinforced and of a minimum depth to meet the requirements of the anchor bolt manufacturers. The ATM can then be anchored directly into it (provided that the base height is not required to be raised; see the section entitled Base Height below). If it is not possible to use the existing base without modification, then a plan should be made to strengthen the base. When making this plan a minimum depth of 10cm reinforced concrete should be retained with the existing base, in order to anchor the new base to it.

    Base Height

    In order to anchor the ATM properly it is important that accurate measurements are taken during the Site Validation Visit.

    For the ATM to be properly anchored it should be able to sit on a plinth that will enable it to exactly reach the required height.

    Anchorage

    Secure anchorage can be made under the following scenarios (for full details, including recommendations for base preparation, see Best Practice Manual for ATM Physical Security). For all anchorages the Installation & Maintenance Contractor should complete a Certificate stating that the anchoring has been done in accordance with these requirements.

    All exact measurements relating to the anchorage should be recorded. A copy of this Certificate should be passed to the ATM deployer for audit purposes:


    Anchoring Plinth To Base - No Cellar - Sufficient Concrete

    This assumes that the ATM will be anchored into solid ground with sufficient concrete. Sufficient Concrete is reinforced concrete to a minimum depth required for the length of bolt used. For details of required depths it is recommended to consult the handbooks of the major anchor bolt manufacturers e.g. Hilti. The installation contractor should anchor the ATM in accordance with the relevant CEN (or other) standard relating to the grade of safe used.

    Anchoring Plinth To Base - No Cellar - Insufficient Concrete

    This assumes that the ATM will be anchored into solid ground with insufficient concrete. Insufficient concrete is concrete that is not reinforced and does not meet the minimum requirements of the anchor bolt manufacturers. When this is the case a concrete base should be constructed and properly attached to the existing floor. The installation contractor should anchor the ATM in accordance with the relevant CEN (or other) standard relating to the grade of safe used.

    Anchoring Plinth To Base Over A Cellar

    This assumes that the ATM will be anchored over a cellar/basement/garage to which the public may or may not have access, and for which entry/egress control may or may not be under the direct control of the Bank, or other TTW ATM deployer. After the Site Validation visit, the ATM Deployer Security Representative should approve the proposed anchoring plan. The installation contractor should anchor the ATM in accordance with the relevant CEN (or other) standard relating to the grade of safe used.

    Installation in Solid Wall

    If accessible from an area with vehicular access, the ATM should always be installed behind a solid brick or concrete wall. If one does not exist, it should be constructed. For specifications, please see Best Practice for Physical ATM Security, section 6.1.1.

    In the event that it is not possible to install the ATM behind a brick or concrete wall, then the next preferred method is to install it behind a solid steel section. For specifications, please see Best Practice for Physical ATM Security, section 6.1.2.

    In the event that it is not possible to install the ATM behind a brick or concrete wall, or a steel section, then the next preferred method is to install it behind steel girders. For specifications, please see Best Practice for Physical ATM Security, section 6.1.3.

    ATM Plinth

    When deciding on an ATM plinth, ATM deployers should assess its construction from a security perspective. Plinths specially constructed to withstand ram raids and other brute force attacks may be considered for higher risk locations.

    For installers using CEN approved plinths, the anchoring arrangements should be those that are approved in the CEN documentation for that product. The correct implementation of those arrangements will guarantee good anchoring.


    Chapter 4: PIN & Encryption Security

    4.1 Introduction

    4.1.2 Objectives of PIN Security & Key Management

    The principle behind PIN Security and encryption Key Management is to protect the PIN against unauthorized disclosure, compromise and misuse throughout the life of a transaction.

    This goal can be broken down into the 7 separate objectives listed below, and the requirements and best practices laid down in this chapter are aimed at meeting these objectives.

    OBJECTIVE 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.

    OBJECTIVE 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.

    OBJECTIVE 3: Keys are conveyed or transmitted in a secure manner.

    OBJECTIVE 4: Key loading to hosts and PIN entry devices is handled in a secure manner.

    OBJECTIVE 5: Keys are used in a manner that prevents or detects their unauthorized usage.

    OBJECTIVE 6: Keys are administered in a secure manner.

    OBJECTIVE 7: Equipment used to process PINs and keys is managed in a secure manner.

    4.1.3 The Scope of PIN & Encryption Security Recommendations

    These recommendations are aimed at securing PIN data during online and offline payment card transaction processing at ATMs. They can also be applied at Point-of-Sale Terminals.

    The recommendations are intended for use by all acquiring institutions and agents responsible for PIN transaction processing on the payment card industry participants' denominated accounts and should be used in conjunction with applicable industry standards.


    To help establish a secure environment for PIN based transactions, this chapter sets out the minimum acceptable recommendations for securing PINs and encryption keys. Its purpose is to aid all electronic payment system participants in providing the fundamental assurance that cardholder PINs will not be compromised.

    For a complete set of recommendations please see GASA's Best Practice PIN Security & Key Management Recommendations.

    It should be understood that the recommendations given in this chapter are supplementary to the security requirements laid down by the networks. Network requirements should always take precedence over these guidelines.

    4.2 PIN Security Recommendations

    4.2.1 General Standards

    a) PIN Management and security procedures should be compliant with the ANSI X9.8 Standard and ISO 9564-1.

    b) All cardholder-entered PINs should be processed in equipment that conforms to the requirements for Tamper-Resistant Security Modules (TRSMs).

    c) The PIN should not appear in plain text at any point within the network other than in a secure Tamper Evident or Tamper Responsive, Secure Module (TESM or TRSM), or PIN mailer.

    d) The PIN length should be a minimum of 4 digits and a maximum of 12.

    e) The plain text PIN should never be logged. PIN blocks, even encrypted, should not be retained in transaction journals or logs, except temporarily for audit and fault resolution purposes. PIN blocks are required in messages sent for authorization, but are not required to be retained for any subsequent verification of the transaction.

    f) PINs should be encrypted using a PIN block format that does not produce the same encrypted PIN block for the same PIN but a different card number.

    g) TESMs in ATMs should comply with ISO 9564-1 Section 6.3.3.

    h) TESMs in ATMs should be upgraded to TRSMs compliant with FIPS 140-2 Level 3.

    i) TRSMs at Host Processors should comply with ISO 9564-1 Section 6.3.1 and FIPS 140-2 Level 3.

    j) All ATM connections and Host connections to the network should be configured to use line encryption, to provide end-to-end encryption of data.

    k) Acquirers, the Network and Issuers should support the ANSI X9.8/ISO 9564 Format 3 PIN block, so that an acquirer can ensure response messages are generated by the correct issuer system.


    4.2.2 Recommendations for PIN Entry at the Acquiring Device

    a) The PIN should not be echoed to the device screen.

    b) The PIN should be encrypted at the keypad or in a TESM directly connected to the keypad such that the PIN and key data cannot be intercepted between the keypad and the TESM. It should not be possible to insert a device between the keypad and the encryption device.

    c) The PIN should not be in the clear to the application in the device.

    d) The PIN entry device should be configured with full tamper resistance according to industry decreed timings and standards.

    4.2.3 Recommendations for the Acquirer Host

    a) The Acquirer should only decrypt/encrypt PIN blocks within TRSMs.

    b) The Acquirer should maintain adequate key management procedures and processes. These should comply with all parts of ISO 11568.

    c) The Acquirer should maintain discrete zones across which PIN keys will apply.

    d) Unique cryptographic keys should be in use for each identifiable link between host computer systems.

    4.2.4 Recommendations for the ATM Network Switch

    a) The Switch should only decrypt/encrypt PIN blocks within TRSMs.

    b) The Switch should maintain adequate key management procedures and processes. These should comply with ISO 11568.

    c) The Switch should maintain discrete zones across which PIN keys will apply.

    d) Unique cryptographic keys should be in use for each identifiable link between host computer systems.

    4.2.5 Recommendations for the Issuer Host

    a) The Issuer should validate the PIN by comparison with stored encrypted values or offsets. The issuer should not store the PIN in the clear.

    b) The Issuer should only decrypt/encrypt PIN blocks, and compare clear PIN blocks, within TRSMs.


    c) The issuer should limit the successive attempted validations by a cardholder with the incorrect PIN. Indication that the PIN is invalid should be included in the response from the issuer to the acquirer.

    4.2.6 Recommendations for Tamper-Resistant Security Module

    a) A Tamper-Resistant Security Module (TRSM) should meet the requirements of a Physically Secure Device as defined in ISO 9564-1. Such a device must have a negligible probability of being successfully penetrated to disclose all or part of any cryptographic key or PIN. A TRSM can be so certified only after it has been determined that the device's internal operation cannot be modified to allow penetration (e.g., the insertion within the device of an active or passive tapping mechanism). A TRSM (e.g., a PIN Entry Device (PED)) that complies with this definition may use a Fixed Key or a Master Key/Session Key management technique, that is, a unique (at least) double-length PIN encryption key for each PED, or may use double-length key DUKPT as specified in ANSI X9.24-2002.

    b) A TRSM relying upon compromise prevention controls requires that penetration of the device when operated in any manner and any environment should cause the automatic and immediate erasure of all PINs, cryptographic keys and other secret values, and any useful residuals of those contained within the device. These devices should employ physical barriers so that there is a negligible probability of tampering that could successfully disclose such a key.

    4.2.7 Recommendations for PIN Entry Devices

    a) PIN Entry Devices (PEDs) should use encrypting PIN pads that encrypt the PIN directly at the point of entry to meet the requirements for compromise prevention. PEDs in which the cleartext (unenciphered) PIN travels over cable or similar media from the point of entry to the cryptographic hardware encryption device do not meet this requirement.

    b) Devices that do not retain any key that has been used to encrypt or decrypt secret data, including other keys (e.g., DUKPT) require only compromise detection, and may be less tamper resistant.

    4.2.8 Recommendations for PIN Entry at the Acquiring Device

    a) PIN pads should be located such that they are protected from unauthorized observation.

    b) PIN entry devices should move to encrypting keypads as soon as possible, or as part of upgrading to Triple DES.


    4.2.9 Recommendations for PIN Pad Security

    a) Prior to connection to an ATM network, an ATM should be certified to have a tamper-resistant PIN pad that meets the stated requirements of the Network. Networks may elect to accept certification that the PIN pad meets the requirements set by other networks, such as Visa/MasterCard, if those requirements meet or exceed those of the Network.

    b) Members who wish to deploy a new device type should begin by inquiring with the vendor or against the List of Certified Devices to determine if the device type has already been certified - if the device type is included on the List of Certified Devices the Member should obtain a copy of the Device Certificate from one of the device vendors or the Device Certification Agent prior to connecting the device.

    c) For device types not included on the List of Certified Devices, a Member or the device vendor should contact a Device Certification Agent to arrange for testing and certification of the device type.

    d) If the manufacturer has had the device certified, it can be sold as a certified device, with no further certification costs being incurred prior to installation.

    e) A manufacturing change to a device means that the device should be re-certified.

    f) When any modification is made to any component or attribute of the device that is subject to certification, the device should be re-certified prior to deployment; re-certification is required for all modifications to a device, unless none of the modifications affect a component or attribute that is subject to certification.

    g) Deployers should keep current a published list of all their certified ATMs in operation.

    h) Networks should set dates for compliance of new devices, replacement devices, and existing devices. The dates set for each category of device should be appropriate to the potential risk of compromise at non-compliant devices. Devices identified as non-compliant will either not be permitted to be connected to the network, or, in the case of installed ATMs, a request should be filed for exemption status, failing which removal of the ATM will be required.

    Note: Deployed devices must meet the requirements of all Networks for which the devices acquire transactions.

    4.2.10 Recommendations for PIN Translation & Encryption

    a) All cardholder PINs processed online should be encrypted and decrypted using an approved cryptographic technique that provides a level of security compliant with international and industry standards.

    b) Online PIN translation should only occur using one of the allowed key management methods: DUKPT, Fixed Key, Master Key/Session Key.


    c) Online PINs should be encrypted using the TDEA Electronic Code Book (TECB) mode of operation as described in ANSI X9.52. For purposes of these recommendations, all references to TECB are using key options 1 or 2, as defined in ANSI X9.52.

    Schemes may allow alternative methods if validated as at least as secure as TDES.

    d) All cardholder PINs processed offline using IC Card technology should be protected in accordance with the requirements in Book 2 of the EMV2000 IC Card Specifications for Payment Systems.[8]

    e) For online transactions, PINs should only be encrypted using ISO 9564-1 PIN block formats 0, 1 or 3. Format 2 should be used for PINs that are submitted from the IC reader to the IC.

    f) For secure transmission of the PIN from the point of PIN entry to the card issuer, the encrypted PIN block format should comply with ISO 9564-1 format 0, ISO 9564-1 format 1, or ISO 9564-1.

    Schemes may allow for alternative methods on a case-by-case basis.

    g) For ISO format 0 and 3, the cleartext PIN block and the Primary Account Number block should be XOR'ed together and then Triple-DES encrypted in Electronic Code Book (ECB) mode to form the 64-bit output cipherblock (the reversibly encrypted PIN block).

    Note that as stated in recommendation (f) above, a scheme approved alternative encryption method may be used.

    h) ISO format 3 should be used for encryption zones where the PIN encryption key is static for the productive life of the device in which it resides.

    i) PINs enciphered only for transmission between the PIN entry device and the IC reader should use ISO format 0, 1 or 3.

    j) PINs should not be stored except as part of a store-and-forward transaction as noted in ISO 9564-1, and then only for the minimum time necessary.

    Any store-and-forward transaction PIN should be stored in encrypted form using a unique key not used for any other purpose.

    k) Host Security Module (HSM) Master File Keys, including those generated internal to the HSM and never exported, should be at least double-length keys and use the TDEA.

    [8] See sections 7 and 11.1.2 of Book 2 of the EMV2000 IC Card Specifications for Payment Systems.
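As an added example (not code from the manual; the function names are hypothetical), the following Go program builds an ISO 9564-1 format 0 PIN block as item g) describes, encrypts it under a test key with TDEA in ECB mode, and recovers the PIN the way an issuer TRSM would after decryption. The PAN, PIN and key are constructed sample values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"strings"
)

// Added example, not code from the manual; names are hypothetical.
// Format 0: clear PIN field XOR PAN field, then TDEA ECB over the one 8-byte block.

func allDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// panField: four zero digits, then the rightmost twelve PAN digits
// excluding the Luhn check digit.
func panField(pan string) ([8]byte, error) {
	var f [8]byte
	if len(pan) < 13 || !allDigits(pan) {
		return f, errors.New("PAN must be at least 13 decimal digits")
	}
	body := pan[:len(pan)-1] // drop the check digit
	b, _ := hex.DecodeString("0000" + body[len(body)-12:])
	copy(f[:], b)
	return f, nil
}

// pinField: control nibble 0, PIN length nibble, PIN digits, hex F filler.
func pinField(pin string) ([8]byte, error) {
	var f [8]byte
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return f, errors.New("PIN must be 4 to 12 decimal digits")
	}
	s := "0" + string("0123456789ABCDEF"[len(pin)]) + pin
	b, _ := hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
	copy(f[:], b)
	return f, nil
}

// Format0Block returns the clear block (PIN field XOR PAN field). Binding the
// PAN is what makes the same PIN on different cards give different blocks,
// and so different ciphertext (item f of 4.2.1).
func Format0Block(pin, pan string) ([8]byte, error) {
	var blk [8]byte
	p, err := pinField(pin)
	if err != nil {
		return blk, err
	}
	a, err := panField(pan)
	if err != nil {
		return blk, err
	}
	for i := range blk {
		blk[i] = p[i] ^ a[i]
	}
	return blk, nil
}

// ExtractPIN reverses Format0Block and checks the field layout, as the
// issuer TRSM does after decrypting; a wrong PAN fails the layout check.
func ExtractPIN(blk [8]byte, pan string) (string, error) {
	a, err := panField(pan)
	if err != nil {
		return "", err
	}
	var p [8]byte
	for i := range p {
		p[i] = blk[i] ^ a[i]
	}
	h := strings.ToUpper(hex.EncodeToString(p[:]))
	n := int(p[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 || !allDigits(h[2:2+n]) ||
		strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

// TDEACrypt applies TDEA ECB to the single block (decrypt=false encrypts).
// A double-length key is expanded to K1|K2|K1, the form crypto/des expects.
func TDEACrypt(key []byte, blk [8]byte, decrypt bool) (out [8]byte, err error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	if decrypt {
		c.Decrypt(out[:], blk[:])
	} else {
		c.Encrypt(out[:], blk[:])
	}
	return out, nil
}
```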


    4.3 Key Management Recommendations

    In order to protect the secrecy of a PIN that has been encrypted using DES or Triple DES it is vital that the key used for encrypting and decrypting is also kept secret. It is particularly important that great care be exercised in order to protect the clear-text components of a key as they pass through the various life-cycles.

    The practices and recommendations laid down in this chapter, while not necessarily exhaustive, are considered effective in protecting the secrecy of encryption keys and their components.[9]

    4.3.1 General Recommendations

    Usage

    a) Keys should be unique:

    i. All keys used in a PIN Entry Device, whether for key encryption or PIN encryption, should be unique to that device.

    ii. Terminal Master Keys (TMKs), and any keys used to load TMKs, should be unique to the device being loaded.

    iii. In a master/session key approach, the master key(s) and all session keys should be unique to each cryptographic device.

    iv. Where a PIN Entry Device interfaces with more than one acquirer, the PED TRSM should have a completely different and unique key(s) for each acquirer. These should be totally independent and not variants of one another.

    v. Keys that are generated by a derivation process and derived from the same base key should use unique data for the derivation process, such that all cryptographic devices receive unique initial keys.

    vi. Zone encryption should be used for communication between organizations, and unique keys should be used for each identified link between host computer systems.

    vii. Where two organizations share a key to encrypt PINs (including key encipherment keys used to encrypt the PIN encryption key) communicated between them, that key should be unique to those two organizations and should not be given to any other organization.

    [9] For more guidance on Key Management the reader is referred to the White Paper produced by K3DES LLC, Effective Encryption Key Management Practices, available at ATMIA's Best Practice Online Resource Center at http://www.atmianortham.com/ResourceCenter/atmresourcecenter.asp and on the GASA website at www.globalasa.com.


    b) PIN encryption keys should be held in only the PIN Entry Device and in security modules at the minimum number of locations consistent with effective operation. Disclosure of the key in one such device should not provide information that could feasibly be used to determine the key in any other such device.

    c) Keys may exist at more than one pair of locations for load balancing purposes, for example in dual processing sites.

    d) Encryption keys should only be used for the purpose they were intended, so as to minimize exposure should a key be compromised. This is to say for example, a Key Encryption Key should never be used as a PIN Encryption Key.

    e) Keys should never be shared or substituted on a processor's production and test system.

    f) No key or key component should ever exist outside a TRSM except when encrypted, or securely stored and managed using the principles of dual control and split knowledge.

    Dual Control & Split Knowledge

    As in DES and Triple-DES the same key is used to encrypt and decrypt, the principles of dual control and split knowledge are fundamental to the protection of encryption keys.

    These principles should be applied throughout all key life-cycle stages.

    a) Dual Control means that at least two authorized individuals are required to work in partnership to carry out an activity, such as generating, storing, or loading the clear text components of a key.

    b) Split Knowledge means that no single individual knows, or has access to, a whole entity, be it all the clear-text components of a key, or the combination of a safe where key components are stored.

    In order to implement these principles an organization should designate certain individuals as Key Custodians. Each Key Custodian should be assigned responsibility for specific key components throughout their life-cycle. They may be responsible for more than one key component, as long as no two components form part of the same key, as this would compromise the principle of split knowledge.

    One Key Custodian may back-up another Key Custodian, but only where the principle of split knowledge wouldn't be compromised. A Key Custodian should not backup another Key Custodian where they are both responsible for components belonging to the same key.

    In order to reduce the opportunity for key compromise, the number of key custodians should be limited to the minimum number required. In general, the designation of a primary and a backup key custodian for each component should be sufficient. This designation should be documented by having each custodian sign a Key Custodian Form.

    The form should specifically authorize the custodian and identify the custodian's responsibilities for safeguarding key components or other keying material entrusted to them.


    The Key Custodians should have no connection or reporting relationship to other Key Custodians.
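The arithmetic behind the split-knowledge arrangement above, as an added example that is not code from the manual (function names are hypothetical): each custodian holds one full-length random component, the key is the XOR of all components, and a key check value lets a custodian's entry be verified against the value recorded on the component form without revealing the component. The two components are constructed sample values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// Added example, not code from the manual; names are hypothetical.

const componentLen = 16 // double-length DES key, as 4.3.2 a) requires

// withOddParity sets the low bit of each byte so every byte has odd parity,
// the DES key convention; none of the 56 effective key bits per half change.
func withOddParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		v := b &^ 1
		if bits.OnesCount8(v)%2 == 0 {
			v |= 1
		}
		out[i] = v
	}
	return out
}

// CheckValue is the conventional 3-byte KCV: the first three bytes of the
// TDEA encryption of an all-zero block under the key (or component).
func CheckValue(key []byte) ([3]byte, error) {
	var kcv [3]byte
	if len(key) != componentLen {
		return kcv, errors.New("expected a 16-byte double-length key")
	}
	k := append(append([]byte{}, key...), key[:8]...) // K1|K2|K1 for crypto/des
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		return kcv, err
	}
	var out [8]byte
	c.Encrypt(out[:], make([]byte, 8))
	copy(kcv[:], out[:3])
	return kcv, nil
}

// VerifyComponent checks a custodian's entered component against the KCV on
// its component form before the ceremony continues; a mistyped digit fails.
func VerifyComponent(component []byte, expected [3]byte) bool {
	got, err := CheckValue(component)
	return err == nil && got == expected
}

// CombineComponents XORs the components into the key. Because each component
// is an independent full-length random value, any subset short of all of them
// carries no information about the key: that is the split-knowledge property.
func CombineComponents(components [][]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("split knowledge requires at least two components")
	}
	key := make([]byte, componentLen)
	for _, c := range components {
		if len(c) != componentLen {
			return nil, errors.New("every component must be a full-length key")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return withOddParity(key), nil
}

func main() {
	// Constructed sample components; real ones come from the TRSM's random
	// number generator and go into blind mailers, one per custodian.
	a, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	b, _ := hex.DecodeString("FEDCBA98765432100123456789ABCDEF")
	kcvA, _ := CheckValue(a)
	kcvB, _ := CheckValue(b)
	key, _ := CombineComponents([][]byte{a, b})
	kcv, _ := CheckValue(key)
	fmt.Printf("component 1 KCV %X\ncomponent 2 KCV %X\nkey KCV %X\n", kcvA, kcvB, kcv)
}
```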

    Witnessing Key-related Events

    Even with the principles of dual control and split knowledge in place it is recommended that certain life-cycle events be witnessed and signed-off by a third-party.

    This third-party should have no relationship with the Key Custodians involved. At a minimum key-related events that should be witnessed are:

    a) Generation of encryption keys.

    b) Erasure of encryption keys.

    c) Destruction of cleartext encryption key components, regardless of the media they are on.

    The witness should be given a copy of the script or procedure in use, so that they can follow the process, and should sign an affidavit to the effect that the activity was carried out completely and correctly. Any deviations from the script or procedure should be noted, along with the reason. These affidavits form part of the auditable records of the key management process and should be kept indefinitely.

    Documentation, Administration & Logging

    For the effective management of encryption keys and their components certain procedures, logs and forms should be in place.

    a) Documented procedures should exist and be in use for:

    i. All key generation processes.

    ii. All key transmission and conveyance processes.

    iii. All key loading activities.

    iv. All key compromise activities, including replacement of compromised keys, escalation processes, damage assessment and remediation.

    v. All key destruction activities.

    b) An Encryption Key Log should be maintained for all actions related to key components. At a minimum this log should contain:

    i. The name and signature of the authorized Key Custodian.

    ii. The type of key.

    iii. The number of the component.

    iv. The date and time of the action.

    v. The serial number of the tamper-evident envelope.

    vi. The action undertaken.


    The log should be periodically audited by an independent group, such as Information Security, for completeness and accuracy.

    The Encryption Key Log should be kept in a tamper-evident envelope in a secure place such as the safe. Its removal from the safe and its tamper-evident envelope should be recorded.

    c) In addition to the log mentioned above certain other forms should be used to record activities undertaken with regard to keys and key components. At a minimum these forms should include:

    i. A form to record encryption key component values and corresponding check sum values.

    ii. A form for recording encryption key components that are being transported.

    iii. A log for recording key loading activities.

    iv. A form for recording PINs used to access smart cards that contain key components.

    v. A form for recording any passwords needed to activate any equipment used.

    vi. Affidavits for the generation or destruction of keys and key components.

    These forms along with the Encryption Key Log form the basis for auditing key management processes. They should be complete and contain as much information as possible. They should be securely stored and made available to those individuals conducting an audit.

    Backups

    In principle, unique keys, once loaded, should not be retained even for the purposes of back-up. Please note, it is not a requirement to have backup copies of key components or keys. However, for other keys:

    a) Back-ups of secret keys should exist only for the purpose of reinstating keys that are accidentally destroyed. The back-ups should exist only in one of the allowed storage forms for that key.

    b) Creation and management of back-up copies should be under dual control, they should be securely stored with proper access controls and subject to at least the same level of security as keys in use.

    c) Backups (including cloning) should require a minimum of two authorized individuals to enable the process.


    4.3.2 Specific Recommendations for Key Encryption

    a) All DES keys used for encrypting keys for transmittal should be at least double-lengthkeys and use the TDEA in an encrypt, decrypt, encrypt mode of operation for keyencipherment.

    b) A double- or triple-length DES key should not be encrypted with a DES key of ashorter length.

    c) RSA keys used to transmit or convey other keys should use a key modulus of at least1024 bits.10

    d) DES keys that are used to encrypt other keys or to encrypt PINs, and which existoutside of a TRSM, should be encrypted using either: the TDEA using at least doublelength keys, or RSA using a key modulus of at least 1024 bits.

    Schemes may allow alternative methods if validated to be at least as secure as TDES.

    e) Symmetric secret keys may be encrypted using public key cryptography for distributionto PEDs as part of a key-establishment protocol.

    f) Key variants should only be used in devices that possess the original key.g) Although a key used to protect the PIN Encrypting Key should never be used for any

    other cryptographic purpose, variants of the same key may be used for differentpurposes.

    h) Variants of a Master File Key should not be used external to the (logical) configurationthat houses the MFK itself.

    4.3.3 Specific Recommendations for Key Generation

    The following is a list of the specific recommendations related to Key Generation. Pleasebear in mind that these are in addition to those recommendations already given in section4.3.1, particularly those related to dual control and split knowledge, and documentation andlogging.

    a) All keys and key components should be generated using a random or pseudo randomprocess that is capable of satisfying the statistical tests of FIPS 140-2 level 3.

    b) Keys should be generated so that it is not feasible to determine that certain keys aremore probable than other keys from the set of all possible keys.

c) An independent laboratory should certify self-developed implementations of a cryptographic pseudo-random number generator.

[10] Key lengths should be periodically re-evaluated. The 1024-bit RSA minimum stated in this chapter reflects the document's 2005 date; current standards call for longer moduli, so treat the figure as a floor that has since risen rather than a target.

    Chapter 4: PIN & Encryption Security - 31 - 13/10/2005


d) The output of the key generation process should be monitored to ensure there is no unauthorized tap or other mechanism that might disclose a cleartext key or key component as it is transferred between the key generation TRSM and the device or medium receiving the key or key component.

e) Printed key components should be printed within blind mailers, or sealed immediately after printing, so that only the party entrusted with it can observe each component and so that tampering can be detected.

f) Any residue from the printing or recording process that might disclose a component should be destroyed before an unauthorized person can obtain it.

4.3.4 Specific Recommendations for the Transfer, Conveyance and Distribution of Cleartext Components

The following is a list of the specific recommendations related to the transfer, conveyance and distribution of cleartext key components. Please bear in mind that these are in addition to those recommendations already given in section 4.3.1, particularly those related to dual control and split knowledge, and documentation and logging.

a) Where a private or secret key is being physically forwarded it should be sent as a minimum of two separate components, where:

i. Each component should be transferred in a tamper-evident package or within a TRSM.

ii. Each component should be sent via different communication channels, such as different courier services. It is not sufficient to send the key components for a specific key by the same courier on different days.

b) Private and secret keys may also be transferred by transmitting the key in ciphertext form, provided that this does not compromise the principle of split knowledge or the level of security in general.

c) All key encryption keys used to transmit or convey other cryptographic keys should be (at least) as strong as any key transmitted or conveyed.

d) Public keys should be conveyed in a manner that protects their integrity and authenticity and should use a mechanism independent of the actual conveyance to provide the ability to validate receipt of the correct key.

e) No person should have access to any cleartext key during the transport process.

f) Mechanisms should exist to ensure that only authorized custodians place key components into tamper-evident packaging for transmittal and that only authorized custodians open tamper-evident packaging containing key components upon receipt.


g) Any single unencrypted key component should, at all times during its transfer, conveyance, or movement between any two organizational entities, be:

i) under the continuous supervision of a person with authorized access to this component, or

ii) locked in a security container (including tamper-evident packaging) in such a way that it can be obtained only by a person with authorized access to it, or

iii) in a physically secure TRSM managed under the strict principles of dual control and split knowledge.

h) Key establishment protocols using public key cryptography may also be used to distribute PED symmetric keys. These key establishment protocols may use either key transport or key agreement. In a key transport protocol, the key is created by one entity and securely transmitted to the receiving entity. In a key agreement protocol, both entities contribute information, which is then used by the parties to derive a shared secret key.

i) A public key technique for the distribution of symmetric secret keys should:

i) use public and private key lengths that are deemed acceptable for the algorithm in question (e.g., 1024 bits minimum for RSA);

ii) use key-generation techniques that meet the current ANSI and ISO standards for the algorithm in question;

iii) provide for mutual device authentication for both the host and the PED, including assurance to the host that the PED actually has computed (or actually can compute) the session key and that no entity other than the PED specifically identified can possibly compute the session key.

4.3.5 Specific Recommendations for Key Component Storage and Physical Access

Please note that this section refers to keys and key components prior to their being loaded. Unique keys and their component parts should not be kept once they have been loaded. For details on storage of backup copies etc., the reader is referred to section 4.3.1 (Backups). Also note that these recommendations are in addition to those given in this chapter regarding dual control and split knowledge, and documentation and logging.

a) Printed or magnetically recorded key components should reside only within tamper-evident sealed envelopes, so that the component cannot be ascertained without opening the envelope.


b) The media upon which a component resides should always be physically safeguarded.

c) Components for a specific key that are stored in separate envelopes, but within the same secure container, place reliance upon procedural controls and do not meet the requirement for physical barriers.

d) Furniture-based locks, or containers with a limited set of unique keys, are not sufficient to meet the requirement for physical barriers.

e) No one but the authorized key custodian (and designated backup) should have physical access to a key component.

f) Key components may be stored on tokens (e.g., PC cards, smart cards, and so forth). These tokens should be stored in such a manner as to prevent unauthorized individuals from accessing the key components. For example, if key components are stored on tokens that are secured in safes, more than one person might have access to these tokens. Therefore, additional protection is needed for each token (possibly by using tamper-evident envelopes) to enable the token's owner to determine if a token was used by another person. Key components for each specific custodian should be stored in separate secure containers.

g) If a key is stored on a token, and a PIN or similar mechanism is used to access the token, only that token's owner (or designated backup) should have possession of both the token and its corresponding PIN.

    4.3.6 Specific Recommendations for Key Loading and Entry

The following is a list of the specific recommendations related to key loading and entry. Please bear in mind that these are in addition to those recommendations already given in section 4.3.1, particularly those related to dual control and split knowledge, and documentation and logging.

a) All keys when loaded from individual cleartext components should be loaded using the principles of dual control and split knowledge.

b) Manual key loading may involve the use of media such as paper or specially designed key-loading hardware devices. For devices that do not support the entry of full-length components, two or more components should be created and used.

c) Any TRSM loaded with the same key components should combine all entered key components using the identical process.

d) Any mechanisms used to load keys, such as terminals, external PIN pads, key guns, etc., should be protected to prevent any type of monitoring that could result in the unauthorized disclosure of any component.

e) Prior to key loading, TRSM equipment should be inspected to detect any evidence of monitoring or tampering.


f) Plaintext keys and key components should be transferred into a TRSM only when it can be ensured that there is no tap at the interface between the conveyance medium and the cryptographic device that might disclose the transferred keys, and that the device has not been subject to any prior tampering which could lead to the disclosure of keys or sensitive data.

g) A TRSM should transfer a plaintext key only when at least two authorized individuals are identified by the device (e.g., by means of passwords or other unique means of identification).

h) Once key components have been injected from an electronic medium into a cryptographic device (and, where applicable, correct receipt of the component has been confirmed), one of the following should happen: the medium is placed into secure storage, if there is a possibility it will be required for future re-insertion of the component into the cryptographic device, or all traces of the component are erased or otherwise destroyed from the electronic medium.

i) For keys transferred from the cryptographic hardware that generated the key to an electronic key-loading device:

i) The key-loading device should be a physically secure TRSM, designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected;

ii) The key-loading device should be under the supervision of a person authorized by management, or stored in a secure container such that no unauthorized person can have access to it;

iii) The key-loading device should be designed, or controlled, so that only authorized personnel under dual control can use and enable it to output a key into another TRSM. Such personnel should ensure that a key-recording device is not inserted between the TRSMs;

iv) The key-loading device should not retain any information that might disclose the key, or a key that it has successfully transferred.

j) Any tokens, EPROMs, or other key component holders used in loading encryption keys should be maintained using the same controls used in maintaining the security of hard copy key components. These devices should be in the physical possession of only the designated component holder and only for the minimum practical time.

k) If the component is not in human comprehensible form (e.g., in a PROM module, in a smart card, on a magnetic stripe card, and so forth), it should be in the physical possession of only one entity for the minimum practical time until the component is entered into a TRSM.


l) If the component is in human readable form (e.g., printed within a PIN-mailer type document), it should only be visible at one point in time to only one person (the designated key custodian), and only for the duration of time required for this person to privately enter the key component into a TRSM.

m) Printed key component documents should not be opened until just prior to entry.

n) All hardware and passwords used for key loading should be managed under dual control.

o) Any hardware used in the key-loading function should be controlled and maintained in a secure environment under dual control. Use of the equipment should be monitored and a log of all key-loading activities maintained for audit purposes. All cable attachments should be examined before each application to ensure they have not been tampered with or compromised.

p) Any physical (e.g., brass) key(s) used to enable key loading should not be in the control or possession of any one individual who could use those keys to load cryptographic keys under single control.

q) The loading of keys or key components should incorporate a validation mechanism such that the authenticity of the keys is ensured, and it can be ascertained that they have not been tampered with, substituted, or compromised.
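How the generation rules of 4.3.3, the two-component minimum of 4.3.4 a) and the loading rules of 4.3.6 b), c) and q) fit together, as an added example written for this edition rather than code from the GASA manual. It draws each component from the operating system's random source, forces DES odd parity, and has the loading side verify every component against a key check value (KCV, the usual industry validation mechanism; the manual asks only for "a validation mechanism") before XORing the components into the key inside the simulated TRSM. The number of custodians and the key length are constructed sample values, and Go's standard crypto/des package supplies the cipher:

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/bits"
)

// OddParity sets the low bit of each byte so the byte has an odd number of set
// bits, the DES key parity convention that catches a mis-entered byte.
func OddParity(key []byte) {
	for i, b := range key {
		key[i] = b&0xFE | byte(1-bits.OnesCount8(b&0xFE)%2)
	}
}

// HasOddParity reports whether every byte of key carries odd parity.
func HasOddParity(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// KCV is a key check value: the first three bytes of an all-zero block enciphered
// under the key. It confirms a component or key was entered correctly without
// revealing it; 4.3.6 q) asks for "a validation mechanism" and this is the usual
// industry choice, not one the manual prescribes.
func KCV(key []byte) ([]byte, error) {
	switch len(key) {
	case 8: // single DES, expressed as TDEA with K1||K1||K1 (EDE under one key is DES)
		key = append(append(append([]byte{}, key...), key...), key...)
	case 16: // 2-key TDEA, K1||K2||K1
		key = append(append([]byte{}, key...), key[:8]...)
	default:
		return nil, fmt.Errorf("unsupported DES key length %d bytes", len(key))
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, make([]byte, des.BlockSize))
	return out[:3], nil
}

// GenerateComponents draws n independent random components of keyLen bytes from
// the OS CSPRNG (4.3.3 a), each parity-adjusted. The key is their XOR, so fewer
// than all n reveal nothing about it; two is the minimum (4.3.4 a).
func GenerateComponents(n, keyLen int) ([][]byte, error) {
	if n < 2 {
		return nil, fmt.Errorf("a key must be split into at least two components (4.3.4 a), got %d", n)
	}
	comps := make([][]byte, n)
	for i := range comps {
		comps[i] = make([]byte, keyLen)
		if _, err := rand.Read(comps[i]); err != nil {
			return nil, err
		}
		OddParity(comps[i])
	}
	return comps, nil
}

// Combine rebuilds the key inside the (simulated) TRSM: each component is first
// verified against the KCV recorded at generation, so a mis-keyed or substituted
// component is caught, then all are XORed in a fixed order (4.3.6 c).
func Combine(comps, recordedKCV [][]byte) ([]byte, error) {
	if len(comps) < 2 || len(recordedKCV) != len(comps) {
		return nil, fmt.Errorf("need at least two components and one recorded KCV each")
	}
	key := make([]byte, len(comps[0]))
	for i, c := range comps {
		kcv, err := KCV(c)
		if err != nil || len(c) != len(key) {
			return nil, fmt.Errorf("component %d has an invalid length", i+1)
		}
		if subtle.ConstantTimeCompare(kcv, recordedKCV[i]) != 1 {
			return nil, fmt.Errorf("component %d fails its check value: mis-entered or substituted", i+1)
		}
		for j := range key {
			key[j] ^= c[j]
		}
	}
	OddParity(key) // odd XOR odd is even, so restore parity on the result
	return key, nil
}

func main() {
	comps, _ := GenerateComponents(2, 16) // a double-length key for two custodians
	recorded := make([][]byte, len(comps))
	for i, c := range comps { // the KCV goes on the mailer; the component is never shown
		recorded[i], _ = KCV(c)
	}
	key, err := Combine(comps, recorded) // afterwards the components are zeroized, not kept (4.3.5)
	fmt.Println("loaded key has odd parity:", HasOddParity(key), "error:", err)
}
```

The KCV of a component can be printed on its blind mailer and compared by the custodian after entry without the component ever being displayed, which is how a mis-keyed digit or a substituted mailer is caught before the components are combined. The same check on the combined key gives the two custodians a shared value to confirm that both TRSMs combined the components identically, as c) requires.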

4.3.7 Specific Recommendations for Key Compromise and Destruction

The following is a list of the specific recommendations related to key compromise and destruction. Please bear in mind that these are in addition to those recommendations already given in relation to dual control and split knowledge, and documentation and logging.

a) The compromise of a key requires the destruction of that key and all variants and non-reversible transformations of that key, as well as all keys encrypted under or derived from that key. Likewise, known or suspected substitution of a secret key requires destruction and replacement of that key and any associated key encipherment keys.

b) A cryptographic key should be replaced with a new key whenever the compromise of the original key is known or suspected. In addition, all keys encrypted under or derived using that key should be replaced with a new key within the minimum feasible time. The replacement key should not be a variant of the original key, or an irreversible transformation of the original key.

c) Key components should never be reloaded when there is any suspicion that either the originally loaded key or the device has been compromised. If suspicious alteration is detected, new keys should not be installed until the TRSM has been inspected and assurance reached that the equipment has not been subject to unauthorized physical or functional modification.


d) Specific events should be identified that would indicate a compromise may have occurred. Such events may include, but are not limited to:

• Missing cryptographic devices.
• Tamper-evident seals or envelope numbers, or dates and times, not agreeing with log entries.
• Tamper-evident seals or envelopes that have been opened without authorization or show signs of attempts to open or penetrate.
• Indications of physical or logical access attempts to the processing system by unauthorized individuals or entities.

Procedures should require that plaintext key components stored in tamper-evident envelopes that show signs of tampering result in the destruction and replacement of the set of components, as well as any keys encrypted under this key.

e) If attempts to load a key or key component into a cryptographic device fail, the same key or component should not be loaded into a replacement device unless it can be ensured that all residue of the key or component has been erased or otherwise destroyed in the original device.

f) Instances of keys or key components that are no longer used or that have been replaced by a new key should be securely destroyed.

Keys maintained on paper should be burned, pulped or shredded in a cross-cut shredder. If the key is stored in EEPROM, the key should be overwritten with binary 0s (zeros) a minimum of three times. If the key is stored on EPROM or PROM, the chip should be physically destroyed in such a way as to leave it unusable and un-repairable. Where possible it should be broken into pieces and the pieces disposed of separately. Other permissible forms of a key instance (physically secured, enciphered or components) should be destroyed following the procedures outlined in ISO 9564-1 or ISO 11568-3. In all cases, a third party other than the custodian should observe the destruction and sign an affidavit of destruction.

g) Key encipherment key components used for the conveyance of working keys should be destroyed after successful loading and validation of the working key.

h) Documented procedures should exist, be known by all affected parties, and be demonstrably in use for:

i) Replacement of compromised keys, including subsidiary keys (i.e., those keys enciphered using the compromised key), to a value not feasibly related to the original key.

ii) An escalation process, including notification to organizations that currently share or have previously shared a suspect key. The procedures should also include damage assessment and details of specific actions to be taken with system software and hardware, keys, encrypted data, etc.


i) Controls and procedures should also exist to prevent or detect the unauthorized substitution of one key for another, thereby reducing the risk of an adversary substituting a key known only to them. These procedures should include investigating multiple synchronization errors.

j) To prevent substitution of a compromised key for a legitimate key, key component documents that show signs of tampering should result in the discarding and invalidation of the component and the associated key at all locations where they exist.
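What a) and b) above mean for a real key hierarchy, as an added example written for this edition and not taken from the GASA manual. It records each key's relationship to its parent (enciphered under, derived from, variant of), walks the hierarchy to list everything that must be destroyed and replaced after a compromise or a substitution, and rejects a replacement that is merely a variant of the key it replaces. The key names (MFK, ZMK, TMK, ZPK, TPK and a session key derived from the ZPK) form a constructed sample hierarchy, and the variant detection assumes the XOR-into-each-half variant convention, which the manual does not specify:

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Relation says how a dependent key is tied to its parent. Every relation here
// means the dependent key falls with its parent (4.3.7 a).
type Relation int

const (
	EncryptedUnder Relation = iota // dependent is conveyed or stored enciphered under parent
	DerivedFrom                    // dependent was derived from parent
	VariantOf                      // dependent is a variant or irreversible transformation of parent
)

// Dependency is one edge of the key inventory: Key depends on Parent by Rel.
type Dependency struct {
	Key, Parent string
	Rel         Relation
}

// Inventory is the recorded key hierarchy.
type Inventory []Dependency

// SampleInventory is a constructed hierarchy, not one taken from any network: a
// master file key protects a zone master key and a terminal master key, the ZMK
// protects a zone PIN key and has a variant, the TMK protects a terminal PIN
// key, and a session key is derived from the ZPK.
var SampleInventory = Inventory{
	{"ZMK", "MFK", EncryptedUnder},
	{"TMK", "MFK", EncryptedUnder},
	{"ZMK-variant", "ZMK", VariantOf},
	{"ZPK", "ZMK", EncryptedUnder},
	{"TPK", "TMK", EncryptedUnder},
	{"ZPK-session", "ZPK", DerivedFrom},
}

// ToReplace lists, sorted, every key that must be destroyed and replaced when
// the named key is known or suspected compromised: the key itself and,
// transitively, all keys enciphered under, derived from, or variants of it.
func (inv Inventory) ToReplace(compromised string) []string {
	children := map[string][]string{}
	for _, d := range inv {
		children[d.Parent] = append(children[d.Parent], d.Key)
	}
	seen := map[string]bool{compromised: true}
	queue := []string{compromised}
	for len(queue) > 0 {
		k := queue[0]
		queue = queue[1:]
		for _, c := range children[k] {
			if !seen[c] {
				seen[c] = true
				queue = append(queue, c)
			}
		}
	}
	return sortedKeys(seen)
}

// OnSubstitution lists what 4.3.7 a) requires when a key is known or suspected
// to have been substituted: the key and the key encipherment keys it was
// conveyed under. Each of those KEKs is then handled with ToReplace.
func (inv Inventory) OnSubstitution(key string) []string {
	seen := map[string]bool{key: true}
	for _, d := range inv {
		if d.Key == key && d.Rel == EncryptedUnder {
			seen[d.Parent] = true
		}
	}
	return sortedKeys(seen)
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// CheckReplacement rejects a replacement that is the old key or a variant of
// it (4.3.7 b). Only the XOR-into-each-half convention is recognised, an
// assumption since the manual fixes no variant scheme; the real safeguard is to
// draw the replacement fresh from the generation process of 4.3.3.
func CheckReplacement(old, replacement []byte) error {
	if len(old) != len(replacement) || len(old)%8 != 0 {
		return errors.New("replacement must have the same valid length as the key it replaces")
	}
	for i := range old {
		if i%8 != 0 && old[i] != replacement[i] {
			return nil // differs outside the variant byte positions: not a simple variant
		}
	}
	return errors.New("replacement is the original key or a variant of it (4.3.7 b)")
}

func main() {
	fmt.Println("ZMK compromised, replace:", SampleInventory.ToReplace("ZMK"))
	fmt.Println("TPK substituted, replace:", SampleInventory.OnSubstitution("TPK"))
	old := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}
	variant := append([]byte{}, old...)
	variant[0], variant[8] = variant[0]^0x06, variant[8]^0x06
	fmt.Println("variant offered as replacement:", CheckReplacement(old, variant))
}
```

Run against the sample, a compromised ZMK takes its variant, the ZPK under it and the session key derived from the ZPK, but leaves the TMK/TPK branch alone; a compromised MFK takes everything. CheckReplacement only guards against an operator deriving the new key from the old one; it cannot prove the replacement is unrelated, which is why h) i) requires the replacement to come from the generation process.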

    4.3.8 Specific Recommendations for Key Equipment Management

The following is a list of the specific recommendations related to the management of key equipment. Please bear in mind that these are in addition to those recommendations already given in section 4.3.1, particularly those related to dual control and split knowledge, and documentation and logging.

a) Hardware Security Modules (HSMs) and PIN Entry Devices (PEDs) should only be placed into service if there is assurance that the equipment has not been subject to unauthorized modification, substitution, or tampering. This requires physical protection of the device up to the point of key insertion or inspection, and possibly testing of the device immediately prior to key insertion. Techniques include the following:

• Cryptographic devices are transported from the manufacturer's facility to the place of key insertion using a trusted courier service. The devices are then securely stored at this location until key insertion occurs.

• Cryptographic devices are shipped from the manufacturer's facility to the place of key insertion in serialized, counterfeit-resistant, tamper-evident packaging. Devices are then stored in such packaging, or secure storage, until key insertion occurs.

• The manufacturer's facility loads into each cryptographic device a secret, device-unique transport-protection token. The TRSM used for key insertion has the capability to verify the presence of the correct transport-protection token before overwriting this value with the initial key that will be used.

• Each cryptographic device is carefully inspected and perhaps tested immediately prior to key insertion using due diligence. This is done to provide reasonable assurance that it is the legitimate device and that it has not been subject to any unauthorized modifications.

b) Records should be maintained of the tests and inspections given to PIN-processing devices before they are placed into service, as well as of devices being decommissioned.

c) Controls should exist to ensure that a counterfeit device possessing all the correct operational characteristics plus fraudulent capabilities has not been substituted for a legitimate device.


d) Notwithstanding how the device is inspected and tested, the device serial number should be verified against the purchase order, invoice, waybill or similar document to ensure that device substitution has not occurred.

e) Devices incorporate self-tests to ensure their correct operation. Devices should not be re-installed unless there is assurance they have not been tampered with or compromised.

f) Key and data storage should be zeroized when a device is decommissioned.

g) If necessary to comply with the above, the device should be physically destroyed so that it cannot be placed into service again, or allow the disclosure of any secret data or keys.

h) Any TRSM capable of encrypting a key, and producing cryptograms of that key, should be protected against unauthorized use. This protection takes the form of either or both of the following:

i) Dual access controls are required to enable the key encryption function.

ii) Physical protection of the equipment with access under dual control.

i) Cryptographic equipment should be managed in a secure manner in order to minimize the opportunity for key compromise or key substitution. That is to say, physical keys, authorization codes, passwords, or other enablers should be managed under dual control and split knowledge.

j) Controls should exist and be in use to ensure that all physical and logical controls and anti-tamper mechanisms used are not modified or removed.

k) Documented procedures should exist, be known by all affected parties, and be demonstrably in use for the following:

i) Inventory control and monitoring allowing equipment to be tracked by both physical and logical identifiers, so as to protect equipment against unauthorized substitution or modification, or to detect lost or stolen equipment.

ii) Destruction of all keys and PINs, or related data, within a cryptographic device when that device is removed from service.

iii) The security and integrity of PIN processing equipment as it is placed into service, initialized, deployed, used, and decommissioned. These should include the principles of dual control and split knowledge.

iv) Physical security and access to host Tamper Resistant Security Modules (TRSMs).
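The transport-protection token technique from a), the serial-number check in d) and the zeroization in f), combined into one commissioning routine. This is an added example written for this edition, not code from the GASA manual or from any HSM vendor. Device serials, transport tokens and the initial key are constructed sample values, and the shipment record that stands in for the purchase order is an assumption about how the expected tokens reach the key-insertion site:

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models an HSM or PED as shipped. The manufacturer loads a secret,
// device-unique transport-protection token; the key-insertion TRSM verifies it
// before overwriting it with the initial key (4.3.8 a, third technique).
type Device struct {
	Serial         string
	transportToken []byte
	initialKey     []byte
	inService      bool
}

// ShipmentRecord reaches the key-insertion site separately from the devices
// (an assumption about the process): the serials on the purchase order, each
// with the transport token the manufacturer loaded.
type ShipmentRecord map[string][]byte

// InspectionLog is the record of tests and inspections that 4.3.8 b) requires.
type InspectionLog []string

// NewShippedDevice builds a device as it leaves the factory. Sample data only.
func NewShippedDevice(serial string, token []byte) *Device {
	return &Device{Serial: serial, transportToken: append([]byte{}, token...)}
}

// Commission checks the serial against the order (4.3.8 d), then the transport
// token in constant time, and only then loads the initial key and wipes the
// token. A failure at any step leaves the device out of service and is logged.
func Commission(dev *Device, order ShipmentRecord, initialKey []byte, journal *InspectionLog) error {
	expected, onOrder := order[dev.Serial]
	if !onOrder {
		*journal = append(*journal, dev.Serial+": serial not on purchase order, possible substitution")
		return errors.New("serial number not on order")
	}
	if dev.inService {
		return errors.New("device already in service: decommission and inspect before reloading (4.3.8 e)")
	}
	if subtle.ConstantTimeCompare(dev.transportToken, expected) != 1 {
		*journal = append(*journal, dev.Serial+": transport-protection token mismatch, device quarantined")
		return errors.New("transport-protection token mismatch")
	}
	dev.initialKey = append([]byte{}, initialKey...)
	zeroize(dev.transportToken) // the token has done its job; do not leave it behind
	dev.transportToken = nil
	dev.inService = true
	*journal = append(*journal, dev.Serial+": serial and transport token verified, initial key loaded")
	return nil
}

// Decommission zeroizes key storage before the device leaves service (4.3.8 f, k ii).
func Decommission(dev *Device, journal *InspectionLog) {
	zeroize(dev.initialKey)
	dev.initialKey = nil
	dev.inService = false
	*journal = append(*journal, dev.Serial+": decommissioned, key storage zeroized")
}

func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// InService and HoldsTransportToken expose device state for checks.
func (d *Device) InService() bool           { return d.inService && len(d.initialKey) > 0 }
func (d *Device) HoldsTransportToken() bool { return len(d.transportToken) > 0 }

func main() {
	order := ShipmentRecord{"PED-0001": []byte("token-0001-sample"), "PED-0002": []byte("token-0002-sample")}
	initialKey := []byte("initial-key-sample")
	var journal InspectionLog
	genuine := NewShippedDevice("PED-0001", []byte("token-0001-sample"))
	swapped := NewShippedDevice("PED-0002", []byte("token-forged")) // right serial, wrong token
	fmt.Println("genuine:", Commission(genuine, order, initialKey, &journal))
	fmt.Println("swapped:", Commission(swapped, order, initialKey, &journal))
	for _, entry := range journal {
		fmt.Println(entry)
	}
}
```

The order of the checks matters: the serial is matched against the order before the token is examined, so a device that is not on the order is logged as a possible substitution (c, d) without its token ever being compared, and a device already in service cannot be reloaded without going through decommissioning first (e). The token comparison is constant-time so that the check itself does not reveal how many bytes of a forged token matched.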


    4.4 Key Management Regimes

    4.4.1 Recommendations for Key Management Regimes

Only key management regimes agreed by the network can be used. Members may submit proposals for other regimes to the network for agreement. Please see GASA's Best Practice PIN Security & Key Management Recommendations, pp. 27-28, parts 4.1 and 4.2, for details of recommended key management regimes.

    4.5 Cryptography Best Practice Recommendations

    4.5.1 Objective

The cryptographic algorithms and key lengths shall be such that the likelihood of finding the key, or the data it is protecting, is low within the life of the key.

The objective of key management is to provide the users with the keys that they need to perform the required cryptographic operations and to control the use of those keys. It ensures that the keys are protected during their lifecycle, minimizing the opportunity for a breach of security and the consequences of a security breach, and maximizing the probability that any illicit access or change to keys is detected.

    4.5.2 Recommendations for Algorithms

a) Only algorithms approved by the Network for PIN block encryption should be used. Currently only the Data Encryption Standard (DES) algorithm is permitted.

b) The connection between the member host and the network should use Triple DES, as defined in ANSI X9.52.

c) The connection between the ATM and acquirer host should use a hardware implementation of Triple DES, as defined in ANSI X9.52 and according to industry-decreed timings.

    4.5.3 Recommendations for Key Length

a) Only key lengths approved by the network should be used.

b) Double-length (112-bit) DES keys (Zone PIN Keys and Zone Master Keys) should be used between each member and the network.

c) All TMKs and TPKs should be double-length (112-bit) keys, according to industry-decreed timings and standards, or use an approved more secure encryption method.


    Chapter 5

    Data & Transactional Security

    5.1 Introduction

The purpose of these recommendations is to protect ATM networks, their members and their cardholders, and ATM owners, from attacks designed to compromise sensitive data or defraud financial institutions and their cardholders.

This protection takes into account not just the direct financial losses that may be incurred, but also the potential reputational damage and its impact on customer confidence in the ATM network and ATMs in general.

    5.2 Principles Underlying Information Security

When developing and devising a Security Policy the following points should be taken into consideration:

• The level of security to be achieved should be commensurate with: the sensitivity of the data; the risk of the data being compromised; the impact of any compromise; the practicality and cost of providing the security measure.

• The prevailing legal & regulatory framework should be adhered to.

• Information security controls sho