Are Your ATMs Ready for PCI DSS 4.0 Changes?

The payments industry has evolved significantly over the past 20 years, and so has PCI. The impact of PCI DSS 4.0 is still being felt. Here are some changes you can make to ensure your ATM fleet stays up to date.

by Anamaria Burnete — Digital Marketing Specialist, Paragon Application Systems

Political unrest, natural disasters, economic turmoil and fraudsters with new AI capabilities mean security and compliance are top concerns for any financial institution.

Protecting your organization and its shareholders requires a focused, well-coordinated, multi-layered strategy and precise execution. For ATM fleet owners, this means keeping all of your operational components—including ATM hardware, application software, network infrastructure, and authorization systems—in top working order at all times.

And to ensure that all players in the payments industry work together to protect the integrity of the entire financial system, there is a complex web of network and card brand mandates, as well as national, regional and global legislation that aims to help develop, promote and, in many cases, enforce the rules and standards that we all live by every day.

The Payment Card Industry Security Standards Council is one such industry organization. Founded in 2004 by several major card brands, this group is dedicated to promoting security in the payments industry by protecting cardholder data and combating fraud. Their first set of standards, the PCI Data Security Standard v1.0, was published in 2004.

The payments industry has evolved significantly over the past 20 years, and so has the PCI standard. The current version of its standards, PCI DSS v4.0, was released in March 2022 and covers a wide range of topics designed to help organizations secure the payment system, including a few items that could make 2024 a particularly challenging year for ATM fleet owners.

It’s time to fasten your seat belt

Below is a brief summary of some of the most significant issues facing ATM operators in their ongoing quest to maintain the security and compliance of their fleets.

  • Under PCI DSS v4.0, ATM deployers must meet new security requirements for keypads and PIN blocks. Specifically:
      • All ATMs that can be upgraded must be equipped with current-generation Encrypting PIN Pads (EPPs) by December 31, 2024. Devices that cannot be upgraded will need to be replaced.
      • All ATMs must also be updated with the necessary firmware/software to support processing of TR-31/TR-34 PIN blocks.

Unsurprisingly, these stricter security requirements will force the retirement of legacy applications and ATM hardware that cannot be upgraded to support the new mandates.

NCR Atleos previously announced that it would end support for several SelfServ series ATM models, as well as the Aptra Edge app, at the end of 2024.

Diebold Nixdorf also announced that December 31, 2024 will be the end-of-life date for its Opteva ATM line.

In other end-of-life news, Microsoft announced that “Windows 10 will reach end of support on October 14, 2025. The current version, 22H2, will be the final version of Windows 10, and all editions will continue to be supported with monthly security updates until that date.” (It’s worth noting that support for version 21H2 ends earlier, on June 11, 2024.) Any devices still running Windows 10 will need to be upgraded to one of the Windows IoT Enterprise LTSC versions.

And one last thing to think about… Assuming you already have TLS 1.2 enabled across your entire fleet, it’s not too early to think about TLS 1.3. NIST has already mandated its use by all GSA applications and systems, requiring TLS 1.3 support by January 1, 2024. It won’t be long before your IT and network security teams add this upgrade to your priority list.

Test, test, test!

Of course, every ATM business is different, and each company will need to find its own path to navigate the challenging year ahead. One thing is for sure, though: there’s still a lot of testing to do. Organizations that have already invested in modern testing tools and technologies will have a significant advantage over those that haven’t.

If your business still relies on manual ATM testing, you may want to consider the benefits of ATM virtualization and automation. Faster execution, expanded test coverage, improved quality, greater control and collaboration, and remote access to the ATM test environment will help your developers, testers, and QA resources succeed in 2024.

It’s time to invest in next-generation testing solutions to help you maintain the security, availability and compliance of your ATM fleet, while ensuring you deliver the best possible customer experience at the lowest cost.