ATMs are today used more than bank branches for cash transactions and other support services. As cybercrime grows more sophisticated, ATM networks are equally exposed to risk. An ATM Security Assessment helps identify the weak areas in an ATM network. It consists of a series of assessment activities that cover the entire ATM ecosystem, not just the machine itself. The assessment identifies software, hardware, communication, design, and process vulnerabilities. It helps prevent exploitation by ATM malware families such as Trojan Skimmer and Ploutus and limits unauthorized cash withdrawals. An ATM Security Assessment is one way of detecting risk exposure and protecting payment card data.
Evaluate the network design of the ATM/POS environment, including the security controls in place and the connectivity between the ATM/POS environment and the bank network.
Evaluate the security of the systems in the ATM/POS environment, including routers, firewalls, control system servers, database systems, and ATM switches.
Assess the configurations of routers, firewalls, and ATM/POS servers against known industry best practices while looking for known vulnerabilities.
Test the payment and non-payment applications on the ATM, the communication between them, and the communication to the backend systems.
Identify systems with dial-up and remote access capability that could allow an attacker to gain access to the ATM/POS network.
Evaluate the current policies and procedures for critical infrastructure against RBI/NPCI security standards and known best practices.
Assess all four areas of ATM security: physical security, network security, application security, and operating system security.
Analyze the ability to recover from a cyber-attack and the physical security of cyber assets.
Deliver technical and executive staff briefings as well as a detailed report containing the test results, with evidence and recommendations separated into tactical and strategic categories.
Interview managers, operators, engineers, and system administrators.
The ATM ecosystem involves a large number of vendors, each of whom affects operational security. There are often large gaps between the required security posture and the actual one, because some vendors treat security as a low priority.
Our key USP: we support your team in understanding how the identified vulnerabilities lead to exploits, and in planning the strategy for remediating them.
Yes. ISO 9564 is a standard that outlines the minimum security measures required for offline PIN handling and for PIN data in an offline environment. The standard applies to card-originated financial transactions that require offline PIN verification. It also applies to institutions responsible for implementing techniques for the management and protection of the PIN at Automated Teller Machines (ATMs) and acquirer-sponsored Point-of-Sale (POS) terminals. Apart from the ISO 9564 standard, the PCI Security Standards Council has also published ATM security guidelines that give a very practical approach to ATM security.
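The page does not go into the mechanics of ISO 9564, so the following is an added example (not code from the page or from any vendor it describes) of the one part of the standard an assessor most often has to verify by hand: the ISO 9564-1 format 0 PIN block. Format 0 XORs a PIN field with a field derived from the PAN, which binds the PIN to the card so that the same PIN produces a different block on every card. The PIN and PAN values below are constructed for illustration; the encryption of the block under the terminal's PIN-encryption key, which the standard requires before the block leaves the encrypting PIN pad, is out of scope here.

```python
"""ISO 9564-1 format 0 PIN block: encode, decode and validate.

Added example. The clear PIN block produced here must only ever exist
inside a secure cryptographic device (the EPP or HSM); it is shown in the
clear purely to illustrate the format. Sample PIN/PAN values are constructed.
"""


def _pin_field(pin: str) -> bytes:
    """8-byte PIN field: control nibble 0, PIN length nibble, PIN digits, F padding."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def _pan_field(pan: str) -> bytes:
    """8-byte PAN field: four zero nibbles, then the rightmost 12 digits of the
    PAN with the Luhn check digit excluded."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 decimal digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def encode_pin_block_format0(pin: str, pan: str) -> str:
    """Return the clear format 0 PIN block as 16 uppercase hex characters."""
    block = bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))
    return block.hex().upper()


def decode_pin_block_format0(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block for the given PAN.

    Rejects blocks whose control nibble, length nibble, digits or padding
    are wrong, which is also what happens when the block is decoded against
    a PAN other than the one it was built for (a replay/splicing check).
    """
    block = bytes.fromhex(block_hex)
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("malformed PIN block (digits or padding)")
    return pin


if __name__ == "__main__":
    # Constructed sample card: PIN 1234, 16-digit PAN.
    pan = "4000001234567899"
    block = encode_pin_block_format0("1234", pan)
    print("PIN block:", block)                         # 041234FEDCBA9876
    print("decoded  :", decode_pin_block_format0(block, pan))
    # Same PIN on a different card gives a different block.
    print("other PAN:", encode_pin_block_format0("1234", "4000009999999990"))
```

Assessors can use the decoder to confirm that a device under test never emits a block whose padding or length nibble decodes cleanly against the wrong PAN, and that clear PIN blocks never appear in logs or on the wire.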
Our consultants will work with you to understand your requirements and formulate a long-term strategy (1-2 years). The strategy is then broken down into monthly or quarterly milestones for effective progress tracking and delivery management. This includes compliance and governance (ISO 27001, SOC 2, PCI DSS, GDPR, CMMC, HIPAA, etc.), vulnerability assessments, penetration testing, and application assessments. The scope covers policies and procedures, all ATMs, the backend switch, the vendors responsible for ATM servicing, and other processes such as cash replenishment, to name a few.
The ATM Security Assessment should be performed at least annually. It involves regular ethical hacking tests and vulnerability scanning of the ATM network, including testing for the presence of wireless access points, black-box penetration testing, malware analysis, and source code review of the ATM firmware.
An audit reflects a point in time. Reports are typically valid and accepted by regulatory bodies for about a year.
Unless the regulator appoints us to audit a vendor's ATM processes, we submit the reports only to the party (ATM vendor or bank) that engaged us for the internal audit.