What Keeps ATM Execs up at Night?
Complying with new Americans with Disabilities Act (ADA) requirements and fighting fraudsters who put skimmers on their machines rank high on the to-do lists of ATM managers.
The findings come in a new report from Aite Group LLC based on a second-quarter survey of executives from 20 of the nation’s 150 largest banks that in aggregate manage 55,902 bank-owned ATMs, or 20% of the nation’s total. Aite compared this year’s results with those from a similar study it did in 2009.
Compliance with regulations and standards ranked top among 15 issues that Aite asked the executives to rate on a scale of one, for not at all a priority, to five, for high priority. Ninety percent said “maintaining compliance” was a priority or high priority.
Much of that priority arises from the need of ATM deployers to meet new requirements in 2010’s update of the ADA that took effect in March and have standards for new construction and alterations that are effective March 15, 2012.
Aimed at making ATMs more usable for disabled people, the standards set specifications for speech output, keypad controls, screen displays, and Braille instructions. Meeting the specs will require upgrades in both hardware and software, says David Albertazzi, senior analyst at Boston-based Aite Group.
New ATMs typically meet the standards, but older ones, especially those still running International Business Machines Corp.’s now discontinued OS/2 operating system, often need upgrades, he says.
Recognizing the priority ATM managers place on ADA compliance, the ATM Industry Association (ATMIA) in August came out with a compliance guide compiled by Tremont Capital Group, a consulting firm that specializes in the ATM business.
ATMs running Microsoft Corp.’s Windows operating systems have much more graphical and user functionality and have steadily gained market share in recent years, but a fair number of OS/2 machines remain. Aite found that 16% of the machines in its survey base still use the IBM system, down from 29% in 2009. For both years, the rest of the machines are Windows-based.
While small institutions that don’t have deep technology resources were more likely than big banks to have ATMs remaining on OS/2, Albertazzi says he was a little startled that so many machines still use the old system. “You’re talking about mid-’80s technology, so yes, it is still somewhat surprising,” he says.
After maintaining compliance, managing risk is high on ATM managers’ minds, cited by 85% as a priority or high priority at their institution. And 70% said they were concerned or extremely concerned about ATM skimming, double the number with such concerns in 2009.
This increase comes against the backdrop of a steady stream of media reports about skimming, with skimmers becoming more sophisticated and harder for cardholders to detect. In addition, 60% of Aite’s respondents were concerned about the use of counterfeit cards at ATMs, up from 41% in 2009.
“There is a fairly large concern around fraud at the ATM, and the interesting thing is that there are more kinds of new threats that were not present in 2009,” says Albertazzi.
Some 31% of the ATMs covered in the survey had an anti-skimming solution in place last year. Respondents estimated the number covered would rise to 40% this year and 45% in 2012.
In other findings, respondents representing 12% of the survey’s ATMs said their machines could accept envelope-free bulk-check deposits in 2010, with the share expected to increase to 17% this year and 26% in 2012.
Conversely, 73% of the represented ATMs took envelope deposits in 2010. The respondents expect the number to decline to 66% in 2011 and 59% in 2012.
Forty-one percent of respondents said their senior management regards their ATM channel as a differentiator, up from 27% in 2009. On the flip side, 32% said senior management regarded ATMs as a “table stake,” or a service the bank should have just to be competitive with rivals, down from 50% two years ago.
Some 23% of banks consider their ATMs to be a profit center, unchanged from the earlier survey, while 5% this year regard ATMs as a “necessary evil,” up from none in 2009.
Is Visa’s EMV-NFC Push All About … Visa?
No. 1 payment card network Visa Inc. in August announced three initiatives to spur adoption of so-called EMV contact and contactless chip cards and near-field communication (NFC) mobile payments in the U.S. But it may be Visa’s ambitions that will be advanced the most by the initiatives.
Visa’s plans spawned intense debate about who would benefit the most. Merchants, merchant acquirers, and card issuers might welcome the reduced fraud on chip cards and possibly the expanded marketing, loyalty, and payments possibilities of NFC-enabled smart phones.
But Visa stands to gain as it jousts with everyone from its network rivals to Google Inc. and PayPal Inc. to countless tech startups seeking a piece of the mobile-payments action.
“This is all about Visa getting NFC at the expense of merchants,” says Gartner Inc. vice president and technology analyst Avivah Litan. Nonetheless, she says EMV is “overdue” as a replacement for the fraud-prone magnetic stripe. The U.S. is the only major country that hasn’t yet committed to EMV.
Visa’s initiatives include:
– Expansion to the U.S. of the Technology Innovation Program (TIP) that Visa announced in February for international merchants. Under TIP, Visa eliminates the requirement that merchants annually validate their compliance with the Payment Card Industry data-security standard (PCI) provided that 75% of their Visa transactions originate at chip-enabled terminals.
To qualify for TIP, which takes effect Oct. 1, 2012, point-of-sale terminals must be enabled to accept contact and contactless chip cards as well as NFC contactless payments from mobile devices. Merchants still are expected to meet PCI’s rules.
– A requirement that U.S. merchant acquirers and sub-processors be able to support chip transactions no later than April 1, 2013.
– A liability shift for domestic and cross-border counterfeit POS transactions effective Oct. 15, 2015.
On this last point, Visa says card issuers today largely absorb the costs of counterfeit fraud. But with the liability shift, if the customer presents a contact chip card to a merchant that at a minimum has not installed contact chip card terminals, liability if the transaction proved fraudulent could shift to the merchant’s acquirer.
The acquirer most likely would pass the cost to the merchant. Gasoline retailers have until Oct. 1, 2017, to upgrade automated fuel dispensers because of the complexity of integrating payment terminals into pumps.
The initiatives are aimed at the point of sale, and Eduardo Perez, Visa’s head of global payments system risk, says they don’t mean Visa will require PINs on chip card transactions, as is common in EMV schemes, often referred to as chip-and-PIN, in other countries.
Still, EMV could greatly reduce counterfeit card fraud as well as the increasing problem of U.S. travelers being unable to use their mag-stripe cards overseas.
“By encouraging investments in EMV contact and contactless chip technology, we will speed up the adoption of mobile payments as well as improve international interoperability and security,” Jim McCarthy, Visa’s global head of product, said in a statement.
Visa’s TIP incentive, however, may have little value if other networks don’t follow suit, since each network requires PCI validation. “Even if you’re off the hook for validation for Visa, you’re still required to report to MasterCard,” notes Litan.
But Steve Elefant, chief information officer for merchant acquirer Heartland Payment Systems Inc., notes that Visa tends “to drive a lot of things that happen in the industry. It remains to be seen on the PCI side, but I do believe that EMV will be coming to the U.S. and will be supported by all of the major brands.”
A MasterCard spokesperson says that, “Obviously, Visa’s decision will impact market direction and we will continue to consider our actions accordingly.”
No more than 150,000 payment terminals in the U.S. accept contactless cards, and one estimate put the cost of a full U.S. EMV conversion in the billions. Visa estimates that the incremental cost for adding EMV chip card capabilities to a new terminal is about $30.
Heartland’s Elefant says the cost would be under $100, but adds that EMV won’t eliminate card fraud because data are still transmitted in the clear. Merchants will still need terminals that encrypt or tokenize card data, such as Heartland’s E3, he says. “This is a seven- to 10-year rollout,” he says. “We don’t ever expect mag-stripe cards to go away.”
Furthermore, few mobile phones have NFC capabilities today, though experts believe the number will boom in coming years.
Visa’s incentives may enable the network to edge out powerful potential rivals in NFC payments, such as Apple Inc. and Google, that could get between merchants and the card networks, according to Henry Helgeson, co-chief executive of Merchant Warehouse, a Boston-based independent sales organization.
Google strengthened its hand last month with its $12.5 billion deal for Motorola Mobility, a deal that puts the Web search giant in the handset business in a way that could potentially support Google’s NFC-linked mobile wallet.
Not only might moves like that divert transactions away from Visa, but they also might undercut the case for PCI, which Visa had a huge role in developing. Annual PCI audits can cost large merchants millions of dollars, Helgeson notes, so TIP and the liability shift could be powerful reasons for U.S. merchants to stick with Visa as the leader in EMV and mobile payments, he says.
“All of these things are coming together now,” says Helgeson. “It’s beautifully choreographed by Visa.”
Data Breaches And the Malware Epidemic
While the payments business continues to fret about a seemingly endless string of data breaches, new information emerged last month that helps explain how such pernicious leaks happen, and why they’re happening with increased frequency.
While notable breaches like the one at Sony earlier this year steal headlines, cybercriminals are pilfering accounts at organizations large and small.
One big reason is that malware, or bits of code planted on victims’ computers to collect logon credentials and other sensitive information, is booming, according to the Anti-Phishing Working Group, an 8-year-old organization that tracks phishing and malicious code. The APWG’s latest trend report, covering the second half of 2010, indicates more than 10.4 million new malware samples were registered by Glendale, Calif.-based antivirus vendor Panda Security, a contributor to the report, or about 17% of all samples detected since 1990.
“Cybercriminals’ crimeware development efforts were more than redoubled” during the period, the APWG says in a statement accompanying the report.
Some 55% of the malware consists of so-called Trojans, which are aimed specifically at taking control of bank accounts belonging to businesses and consumers. The Trojans, which are undetectable, can allow fraudsters to remotely initiate funds transfers or make bogus bill payments.
At the same time, incidents of so-called spear-phishing are also rising fast. In this technique, fraudsters target specific employees within companies who are known to have control over funds movement. As in conventional phishing attacks aimed at consumers, these victims receive e-mails intended to gull them into revealing key credentials or downloading malware.
While such incidents are harder to count than the consumer variety, the APWG says they began to increase in the latter half of 2010 and continue to boom this year.
“There are an increasing number of reports where spear-phishing is used as part of a sophisticated attack to gain access into a corporation’s network by infecting a targeted employee’s computer,” Dave Jevans, chairman of the APWG and of the security firm IronKey Inc., Sunnyvale, Calif., said in the APWG statement. “This trend is accelerating in 2011, and is responsible for many high-profile corporate data breaches.”
What’s more, these spear-phishing e-mails “usually evade” filters set up to stop spam and viruses, the APWG says.
The effectiveness of both malware and spear-phishing was thrown into relief by a notice posted this spring by the Federal Bureau of Investigation. In it, the FBI said it is investigating cases in which fraudsters attempted to siphon $20 million out of corporate accounts in the U.S. between March 2010 and April 2011; actual victim losses totaled $11 million.
The fraud, made possible in part by spear-phishing, compromised computers used by officers at small and medium-size companies with access to funds. Fraudsters transferred the cash to accounts belonging to legitimate “economic and trade companies” in China, near the Russian border, the FBI said. Wire transfers ranged from $50,000 to $985,000 each.
The cybercriminals used several types of malware, including the infamous ZeuS code, which can steal legitimate multifactor credentials that allow criminals to log into online-banking sites with actual names, passwords, and token IDs, according to the FBI.
By contrast, conventional phishing activity dropped over the six months ending in December. Reports received by the APWG slid from 26,353 in July to 21,020 in December. The December volume is only about half the record high of 40,621 reached in August 2009.
Similarly, the number of hijacked brands ended the year at 279, little changed from July’s 274, though the number spiked to 335 in September. The all-time high of 356 occurred in October 2009.
While payment services had been the most targeted business sector earlier in 2010, financial services took over this dubious honor in the second half, accounting for more than half of all phishing attacks in the fourth quarter. Newer sectors like social networking (4% of attacks) and gaming (5%) also registered as significant targets in the quarter.