bank branch security in the 21st century...solutions to the retail and banking industries. the...

Developed and Published by:

A Guide from ATM Marketplace and Self-Service World

INSIDE: Financial institutions throughout the world are investing in more holistic and

dynamic security systems. Ensuring that account information cannot be breached and

implementing measures that make customers and members feel safe while transacting

with an FI in the branch or at the ATM are both growing priorities for the industry.

Sponsored by:

Bank Branch Security in the 21st Century

TM

http://www.atmmarketplace.com

http://www.selfserviceworld.com

http://www.atmmarketplace.com/storefronts.php?sf_id=4

A Guide by ATM Marketplace and Self Service World | BANk BrANch SEcurITy IN ThE 21ST cENTury | Sponsored by Wincor Nixdorf 2

Contents: Bank Branch Security in the 21st Century

Page 3 About the Sponsors

Page 4 Introduction | Security is an ongoing and growing concern

Page 6 Chapter 1 | The true meaning of channel integration and holistic security

Expert commentary by uwe krause,

Wincor Nixdorf International

Where teller meets ATM

Providing total management

Page 10 Chapter 2 | Security products: A 360 perspective

Protecting the pieces

Protecting PINs and card data

Ink-staining and GPS

Branch protection

1 Chapter 3 | Bringing it all together

Page 24 Chapter 4 | Changing and evolving security demands

Page 26 Appendix | Additional stories from ATM Marketplace and Self-Service World



Sponsors:

Published by NetWorld Alliance© 2008 www.networldalliance.comWritten and edited by Tracy kitten, senior editor, ATM Marketplace.com

Dick Good, cEO

Tom Harper, president and publisher

Bob Fincher: executive vice president and general manager, Technology Division

Joseph Grove, vice president and associate publisher

Wincor Nixdorf is one of the world’s leading suppliers of IT solutions to the retail and banking industries. The company’s portfolio of hardware and software — as well as consulting, maintenance and other services — aims at reducing the cost and complexity of business processes, while improving customer service. Wincor Nixdorf is the world’s second-largest supplier of ATMs and the world’s third-largest supplier of POS systems. Wincor Nixdorf has a presence in more than 90 countries and is based in Paderborn, Germany.

ATM Marketplace, owned and operated by Louisville, Ky.-based NetWorld Alliance, is the world’s largest online provider of information about and for the ATM industry. The content, which is updated every business day and read by business and industry professionals throughout the world, is free.

About the sponsor

Bank Branch Security in the 21st Century



http://www.atmmarketplace.com


Introduction

For years banks viewed security from a siloed perspective. Today, they’re thinking about it more

holistically, and for good reason. News of security breaches has flooded the headlines over the last 18 months. And the June 2008 announcement of a massive ATM-server breach at citibank is just one that comes to mind when banking security crops up in conversation.

For financial institutions throughout the world, security considerations comprise more than knowing an ATM network is equipped with antiskimming devices and technology. It also means ensuring that ATM enclosures are equipped with attack-resistant safes and electronic locks. And those ATMs and their enclosures must be strongly anchored to foundations and outfitted with alarms to protect them from vandalism, theft and electronic or mechanical tampering.

Security also means conducting video-surveillance in the branch, connecting individual locks to recording and building-monitoring systems, creating a heavily secured online-banking system, and incorporating a well-thought-out reaction plan when a breach does occur.

In short, security is about ensuring that all of an FI’s banking channels are communicating with one another, so tracking of account activity and cash can occur simultaneously, raising red

Tracy kitten, senior editor,

ATM Marketplace

“Recent data breaches have illustrated that hackers will often

compromise large amounts of data and then maintain it in their

criminal inventories for up to a year or more before initiating a

sell-off of card data to other willing purchasers. The time delay from

breach to actual unauthorized withdrawals and purchases

provides the fraudsters with a greater cushion of time for stolen

card data to be sold, counterfeited and used all over the world.”

— Fair Isaac Corp.

Security is an ongoing and growing concern

flags when something goes awry.

Minneapolis-based Fair Isaac corp., in its March 2008 “risk Management for ATM & card compromises” white paper, states that fraud across numerous banking channels is leading FIs to increase and enhance their security measures at the ATM and beyond.

Fair Isaac develops credit-scoring systems from statistics-based predictive tools. The company’s



Introduction: Security is an ongoing and growing concern

analytic and decision-management products and services include financial risk and database management.

“A lack of preparedness with regard to physical ATM security exposes financial institutions to greater risk,” Fair Isaac writes. “Increasing security at the ATM level after a security compromise is often the path many financial institutions take. Simply assuming that fraud risk is low based upon a lack of previous fraud exposure is an unwise security methodology. Physical security, premises monitoring and accurate video surveillance are all considerations that are best addressed when fraud is minimal.”

From the most basic strategies, such as ensuring an ATM’s master passwords are reset so the ATM cannot easily be reprogrammed to dispense twenties instead of ones, to the more complex, such as integrating banking channels to quickly detect when a card has been compromised, FIs throughout the world are placing greater emphasis on overall security.

Michael Engel, director at Wincor Nixdorf International’s products and solutions-development, says FIs should analyze their risk potentials in advance and find strategic solutions, before a breach, to combat potential risks. And security should focus on all of the different processes taking place in a

bank, not just the ATM channel, for instance.

Fair Isaac writes: “Fraud activity schemes are always changing. recent forms of fraud that seem to be growing trends include targeting cards with upcoming expiration dates, reselling bank identification numbers, and prolonging the sale or counterfeiting of stolen card data. … recent data breaches have illustrated that hackers will often compromise large amounts of data and then maintain it in their criminal inventories for up to a year or more before initiating a sell-off of card data to other willing purchasers. The time delay from breach to actual unauthorized withdrawals and purchases provides the fraudsters with a greater cushion of time for stolen card data to be sold, counterfeited and used all over the world.”

Because of advances in technology, FIs have greater opportunities today to detect those types of breaches much sooner than they could in the past.

“The opportunity here is for issuers to apply to mass-compromise detection and response the same kind of analytic precision they use in other areas of their business — acquisition, credit-line management, transaction authorizations, retention — differentiating customers by risk in order to assign appropriate risk-based strategies,” according to Fair Isaac.



Chapter 1: The true meaning of channel integration and holistic security

Nicole Sturgill, research director of delivery channels for Boston-based financial consultancy

TowerGroup, says financial institutions are taking a more “enterprise-level” view of their security. But tying all of the pieces together poses a number of challenges since banking channels have historically been siloed and managed independently.

“Banks are taking an enterprise-level view of all of this,” she said. “We’ve got all of these pieces, with credit cards, ATMs, etc., and we have to stop and ask, ‘Can we pull all of this together?’ The answer, however, is that we need to because pulling it all together really makes sense.”

Sturgill points to the ATM as an example.

“ATMs are a wealth of information,” she said. “You’ve got every transaction date-stamped at the ATM, and when you tie that with the branch data, you see that Joe is at the branch on a certain day, but the same card he uses at the branch is being used at an ATM somewhere else. That’s where enterprise-risk management comes together. If you kept things separate, you might not catch something like that, at least not right away. But when you bring all of that together and put all that data in one place, you pick up on so much more, and you can understand and react to security breaches more readily.”

Enterprise-risk management is something banks are taking seriously, according to TowerGroup’s annual Top 10 Survey. This year, security made the top ten among U.S. FIs.

Rodney Nelsestuen, another TowerGroup analyst, has closely followed enterprise-level risk management for the last several months. Interest in enterprise-level risk management is growing among FIs throughout the world, he says. And the interest, he added, was spurred by the mortgage crisis.

If FIs had better analytical tools in place today, they could have avoided some of the pitfalls that caused the proverbial bottom to fall out from the mortgage side of the house, Nelsestuen says.

“With the credit crisis, we saw a complete breakdown in internal processes,” he said. “Sometimes you will have exceptions in the system, for one reason or another. But pretty soon, all of the loans could have exceptions. And then before you know it, you’re approving everything, and it leads to a breakdown of the profile. So how do you model the perfect storm when you have borrowers that can’t pay? It’s that line of thinking that’s making analytics more important.”

Tie credit/loan losses with losses from security breaches, and it’s easy to see why FIs are taking holistic security and analytics seriously.



Where teller meets ATM

A number of companies are encouraging more sound and dynamic methods for enterprise-level channel integration. All three of the world’s leading ATM vendors — Germany-based Wincor Nixdorf International; Dayton, Ohio’s NCR Corp.; and North Canton, Ohio-based Diebold Inc. — have developed or are working with partners to market branch solutions that are touted for better connecting the teller and self-service channels.

Wincor Nixdorf’s ProClassic/Enterprise suite, which has been on the market for a few years now, is praised by Wincor Nixdorf executives for its Net-centric approach to branch and ATM management, which administers these functions from a central location. The suite is also complemented by a number of individual security products — which are part of the PC/E security offering.

That range of individual security products includes communication security; terminal security, which includes intrusion protection and access protection; and key-loading security, which includes key management and key transportation.

For example, Wincor Nixdorf’s PC/E Platform Security Agent prevents software components from being installed or modified without authorization.

Through a partnership with Cisco Systems Inc., Wincor Nixdorf developed the PC/E intrusion-prevention solution, which looks for patterns to detect security breaches.

“With the agent we’ve designed, we have locked down the whole system — closed it off to only allow approved transactions,” said Michael Engel, director at Wincor Nixdorf International’s products and solutions-development. “If the system recognizes anything else that falls outside the pattern, such as a malicious code or unauthorized disk or network access, then we lock it out. It’s just one example of how we are trying to think in a different way about enterprise security.”

The major benefit of the solution, Engel says, is that it recognizes known and unknown threats and provides overall protection. Based on behavior patterns, it works on the principle that anything that is not expressly permitted is forbidden.

In combination with this, the PC/E monitoring solution enables monitoring of self-service machines to prevent financial damages caused by equipment downtime as a result of specific risks.

Additionally, the cash-management component of PC/E guarantees additional security since it optimizes the amount of cash that has to be




replenished at the ATM.

“It helps reduce the chance of violent attacks against employees and cash-in-transit staff since it controls who has direct contact with cash, where filling and emptying self-service machines is concerned,” Engel said. “This all together makes attacks on ATMs less attractive for criminals.

“This reduces the chance of violent attacks against employees and CIT (cash-in-transit) staff,” Engel said. “At the same time, the amount of cash that could get stolen is limited, making ATMs, especially at low-usage locations, less interesting for criminals.”

Engel stresses the importance of running ATMs and other self-service terminals from the same Net-centric architecture, so that all of the information an ATM collects can be stored and recalled, allowing financial institutions to keep an ongoing watch on its self-service activity.

In an increasingly competitive market, retail banks are constantly looking to improve their competitive edge, increase productivity and security, and optimize their processes to deliver a better return of investment.

One process that has remained relatively unchanged since the introduction of ATMs into the banking environment is the manual process of distributing and loading keys. In

most FIs, master key distribution remains a human-intensive and costly process. But FIs are learning that automating this process can help them significantly reduce costs, not to mention give them more control.

Remote key loading also enhances security. PC/E key loading, for instance, allows master keys to be distributed within a multivendor environment.

“Security compliancy is no longer a goal. It is now a reality,” said Mojgan Bringemeier, who oversees security solutions for Wincor Nixdorf. “A unique ATM key policy, together with Triple-DES support, can be implemented and administered from a single point, reducing costs and unnecessary visits to ATMs. It is a win-win.”

NCR also offers comprehensive security solutions that it markets as a way to enhance overall security. NCR Secure, a trademarked umbrella, encompasses a number of NCR’s security visions, including its work to continue building upon the foundations set by NCR’s Aptra software for the self-service channel.

NCR says Aptra software addresses future-proofing security for the modern ATM — one that runs on Windows. NCR is integrating new technology from software partner Solidcore and tailoring it for the ATM environment.

Add NCR’s branch solutions such as




Branch Assist, which works to connect the teller to the self-service channel, and NCR says it is pushing FIs toward more holistic security.

Diebold has similar offerings, saying, in fact, that it has been a leader in security for more than 149 years. Under its Diebold Security trademarked brand, the company promotes integrated solutions and monitoring.

From a hardware perspective, Diebold’s Opteva ATM line and Agilis ATM software include a number of security features that can be used to thwart skimming and shoulder-surfing. From a more comprehensive perspective, the company touts its event-monitoring services, which are based on established protocols. Within a branch, event monitoring covers ATM-status monitoring and site-monitoring, the company says.

Providing total management

The one common thread that ties all of the vendors together is that they agree a siloed-security approach is no longer viable.

Security measures for the self-service channel, the counter, the teller and the branch itself all should fall under one security umbrella. Doing so, however, requires a strategic and intentional

plan — one that incorporates event monitoring and tracking, video surveillance and preventative measures, such as the installation of antiskimming technology at the ATM.

“Wincor uses one concept for security, which includes video surveillance and antiskimming,” said Uwe Krause, head of marketing for Wincor Nixdorf’s banking division. “We bring video to the ATM and to the teller. And then we have an administrative component by which we offer the complete management of the branch; it is total branch management. And through the security infrastructure, we are able to provide our bank clients with consulting services.”




Chapter 2: Security products: A 360 perspective

Security is a basic need of our society and is of growing sig-nificance, a result of globaliza-

tion and an increasing dependence on communication technologies. Yet many organizations underestimate their own security needs.

External audits uncover only some of the weak spots. Every company needs to know that security is an ongoing process. In the financial sector, which unlike no other has become the target of high-tech criminals, security is now a top priority. The reason why banks are coveted targets is simple: They have cash.

Criminals are now focusing their at-tacks on the various electronic and mechanical systems of banks — particularly ATMs, IT systems, data networks and cash transport facilities — following moves to reduce cash levels in their branches. Another troubling development is the dramatic rise in identity theft with bank cards and PINs,” according to Uwe Krause, director of banking marketing, Wincor Nixdorf International

Criminals are becoming ever more imaginative when it comes to steal-ing cards and identity codes required to fetch cash from ATMs around the world. Subsequently, many bank customers are increasingly concerned about the security of their confidential data and savings.

For this reason, it is absolutely essential for banks to prevent attacks on their sys-tems and customers’ data. Banks should be considering secu-rity concepts that support them in a preventive way, especially since an ar-senal of robust and intelligent defense instruments and security measures is now available to financial institutions.

More and more, companies that specialize in banking, such as Wincor Nixdorf, are working with partners to cover the entire security spectrum — from device protection to IT-system and branch/building security, as well

as consultation and service throughout each security phase.

The intelligent combination of innova-tive core technologies is a priority.

“Criminals are now focusing their attacks on the various electronic and

mechanical systems of banks — par-ticularly ATMs, IT systems, data net-

works and cash transport facilities — following moves to reduce cash

levels in their branches.”

— Uwe Krause, director of banking marketing,


uwe krause, director of banking marketing, Wincor Nixdorf International



Self-service systems must be secured with software that inhibits unpredict-able local and network attacks. And the increasing use and integration of video surveillance in IT environments is quickly becoming a trend in the banking world. These systems can be linked to a control center that monitors all IT systems simultaneously, provid-ing a complete picture of the network operations.

And, of course, protecting ATMs against vandalism and manipulation is always a priority. With new technol-ogy on the market, banks are leaning on ATM partners to use their partners’ know-how in the area of image rec-ognition, for instance, to offer greater protection against manipulation in the area of self-service technology.

Protecting the pieces

Like Wincor Nixdorf’s Uwe Krause, head of banking marketing, Rob Evans, NCR’s director of industry marketing, says financial institutions are leaning on the expertise of bank-ing partners for more holistic secu-rity approaches. But how holistic an approach they take depends on a number of factors — namely, size, geographic location and investment priorities.

“When we say security, it probably means a lot of different things to a lot of different people,” Evans said.

“When we talk about branch integra-tion, there are many customer require-ments that we have to think about, like attaching a customer to a debit-card account to identify him or her in a branch. That is one place where you can certainly say we are in a better place for securing the branch environ-ment than we were five years ago.”

But it is important for FIs to think about the type of security they use, as well as the types of security they want to invest in.

“Asian institutions, for instance, are getting a lot more thoughtful and inten-tional about the types of things they do to make sure that the self-service channel does not become the hackers’ point of entry,” Evans said. “We see a similar trend in the U.S. But, overall, I think financial institutions throughout the world are approaching security with the entire enterprise in mind, not just the self-service channel.”

Protecting the self-service channel is one place to start since ATM-skimming attacks and ATM ram raids and thefts continue to be top-of-mind concerns for FIs throughout the world.

Rob Leiponis, president of Parabit Se-curity Systems Inc., a New York-based provider of security products and services for electronic-delivery sys-tems, says while he unfortunately sees some FIs cutting their overall spends on surveillance equipment within their





branches — namely because of profit losses related to the mortgage slump — he does see them continuing to invest heavily in security equipment for the ATM/self-service channel. And it makes sense, he says.

“Overall, when we look at the security of internal systems, like the back-end security, I don’t see banks cutting back, and that’s a good thing,” Leipo-nis said. “From a self-service perspec-tive, they are definitely investing in more security, and they are looking at their security at self-service more closely than they would in a staffed branch environment. If you were go-ing to cut back on your spending, it definitely would not make sense to cut back on security spending for the self-service channel. It would be better to cut spending somewhere else, and most banks realize that.”

The one-time installation costs associ-ated with putting in surveillance equip-ment have hurt sales, Leiponis says, since installation in a branch is costly.

“I’d say we’re down 20 to 30 percent from where we were last year at this time with our video-surveillance sales,” he said.

And while not all industry insiders are seeing similar trends, they do agree that FIs will invest more heavily in security solutions, despite the eco-nomic crunch, because their economic strength in the future will directly relate

to the number of security and analyti-cal tools they have in place — tools that will enable them to detect breach-es as well as fraudulent data, such as falsified information submitted by loan applicants.

Protecting PINs and card data

The world-over, ATM skimming re-mains the number one ATM-security concern. From the jitter feature, which scrambles the CVV/account-holder data it pulls from a card’s magnetic stripe as it moves through an ATM’s card reader, to features and enhance-ments that detect when an ATM’s fascia has been tampered with, FIs throughout the world continue to invest in technology that can help them con-trol ATM skimming.

In 2003, Wincor Nixdorf was recog-nized by the ATM Industry Association for its ATM security innovations, which included the company’s antiskimming devices.

Beyond antiskimming technology, Wincor Nixdorf’s intelligent card-reader solution has been touted for its ability to detect intrusion mechanisms that are used to trap cards once they have been inserted into an ATM’s card reader.

This security module is installed inside the ATM and does not hamper the ATM’s usual operation of the machine




in any way. By communicating with the ATM’s control software, the module enables immediate action to be taken if and when an attack is detected.

“While the types of ATM attacks we often see may differ from market to market around the world, we do see some similarities, such as skimming,” said Wolfgang Hamann, senior securi-ty product manager for Wincor Nixdorf. “The difference is in the number of attacks we see in different markets throughout the world. You do have skimming in the U.S., but we continue to see a lot more of it in Europe.”

In Germany, for instance, ATM opera-tors are required to comply with the country’s Data Protection Act, which says ATM skimming must be combat-ed with all technical means available.

One technology unique to Germany is the ATM-card security token — a token or indication system that is assigned to each ATM card in the country. If a card is issued in Germany and does not have this token, then it cannot be used by a German accountholder at an ATM within Germany.

The measure has helped reduce the number of “white” or duplicated cards created by criminals through skim-ming attacks, although the measure can only control withdrawals made in-country. So white cards can still be created and used in other countries, and foreign visitors to Germany also

do not have the same indication sys-tem, Hamann says.

In Europe, Hamann says, Wincor Nixdorf’s customers are always up-dating their antiskimming solutions,

often adding video surveillance to their ATMs to help catch fraudsters when ATM-skimming attacks occur.

In the United Kingdom, where a number of ATMs and POS devices no longer conduct transactions using the mag-stripe, skimming attacks are finally beginning to see some decline. The advent of EMV — the Europay, MasterCard, Visa standard for chip-based card transactions — is having an impact, although antiskimming technology at ATMs is still something

Wincor Nixdorf’s antiskimming technol-ogy is used throughout the world. It prevents

data from being illicitly obtained and detects

different types of intrusion-mechanisms,

allowing a bank to react immediately to any

recognized skimming attack.

Phot

o co

urte

sy o

f Win

cor N

ixdo

rf In

tern

atio

nal




U.K. banks are heavily investing in.

“Next year we are launching a solu-tion that allows us to monitor the ATM remotely, and therefore react very quickly when an ATM has been tam-pered with,” Hamann said. “We will use the video technology to monitor the area around the ATM, which also will help us identify people who abuse or vandalize the ATMs.”

Additionally, Hamann says, Wincor Nixdorf offers facility-security solutions that include video surveillance that are directly connected with Wincor Nix-dorf’s security center.

Rob Evans, NCR’s director of industry marketing, agrees security concerns and the technology used to combat security breaches vary from region to region. Even within North America, variances in crime and regulations exist, making some types of crimes in certain markets easier for criminals than others. In Canada, for instance, Interac is regulating and requiring the use of PIN shields to protect user PINs at the ATM.

Interac Association is Canada’s lead-ing payments network. Interac pro-cesses the majority of Canada’s ATM and POS transactions.

“In different markets you have differ-ent certifications required by Visa and MasterCard, for instance,” Evans said. “And then, of course, you don’t have the same things going on in every

market — certain markets have certain types of security problems, like skim-ming and ram raids.”

Wincor Nixdorf’s Hamann says regula-tion, driven by differing types of ATM attacks and crimes, does have a direct impact on the types of security solu-tions used in different parts of the world.

“A lot of this is driven by regulation in certain markets,” he said. “We have customers in some countries that outfit all of their ATMs with PIN shields.”

In the United States, physical attacks on the ATM are more commonplace. Ram raids, for instance, are getting more attention from the industry, as their frequency in the states continues to rise, Evans says.

And while some parts of Europe, such as the U.K., also have concerns about ram raids, the concern pales when compared to skimming threats.

Wincor Nixdorf’s PC/E Communication Secu-

rity, for virtual private networks, is a software solution that manages, generates and distrib-

utes certificates for the mutual authentication of parties within an IP

network.

Phot

o co

urte

sy o

f Win

cor N

ixdo

rf In

tern

atio

nal




Hamann says the use of video-sur-veillance equipment is on the rise, not only in bank branches, but also at the ATM. It’s being used for a number of reasons, including helping law en-forcement catch criminals who tamper with ATMs for skimming, identifying when an ATM theft is being attempted, or simply enhancing communications between FIs and ATM users.

Wincor Nixdorf, for instance, sees ATM-surveillance equipment as an im-portant security feature that should be used to determine when users have entered the so-called “privacy area.”

“When a user enters this area, he gets a message on the ATM that tells him he needs to be aware of what is going on around him, such as when some-one is standing behind him,” Hamann said.

Nicolle Sturgill, an analyst with Tow-erGroup, says beyond the practicality of things like video surveillance at the ATM is the whole idea of building con-sumer confidence.

“From a physical-security standpoint, a big focus has been made on ensur-ing that the consumer feels safe at the ATM,” Sturgill said. “Triple DES and EMV are happening on the back-end, but the physical safety on the front-end at the ATM, I think, is going to become a bigger issue. That feeling of security is going to become so much more important and could lead to more

banks placing ATMs in branch lobbies, where customers have to swipe their cards to get in after business hours.”

Hamann agrees the goal, beyond en-suring PINs and ATM users are safe, is to build consumer confidence and trust in the ATM channel.

Ink-staining and GPS

The rise in ram raids has spurred greater demand for solutions that help law enforcement track ATM thieves, or at least make ATM thefts unattractive.

Ink-staining technology, which is trig-gered within an ATM’s cash cassettes when the machine is jostled or moved, renders notes unusable. It’s a technol-ogy that’s been around a long time and has been used for years as a way to track down bank thieves, since the ink can’t really be washed off — from bank notes or from the skin.

A number of players provide services in this space.

Wincor Nixdorf offers an ink-staining module that resides within the cash cassette. If the cassette is handled in-correctly — meaning opened by force — the cash is sprayed. The company says it’s using ink-staining technology to cut down on ATM thefts, as well as internal thefts committed by cash carri-ers and ATM-service providers.

NCR, which opened an ink-staining




subsidiary, Fluiditi, in 2000, sees pock-ets of interest in ink-staining technol-ogy. NCR sold its Fluiditi subsidiary to Oberthur Cash Protection in early 2007.

“With ink-staining, we have interest,” Evans said. “In the U.S., we have yet to do a large-scale deployment of this type of technology, even though we are increasingly seeing more ATM thefts here. In Europe, however, it has been successful, such as in the U.K. And I think some of that has to do with the way the banks are insured in Eu-rope. For instance, Fluiditi is cheaper than investing in a bigger, heavier safe. And from an insurance perspec-tive, both (ink-staining and heavier safes) are seen as curbing crime, so ink-staining is a wise investment.”

In the States, however, only the use of larger, heavier safes results in lower insurance rates — another likely reason why, Evans says, investments in ink-staining haven’t taken off in the United States.

But, Evans adds, the rise in ram raids in the United States could lead to an altered way of thinking, not only about ATM insurance but also about the deployments themselves.

“I think there are two fundamental trends, and one trend is fundamentally different than it was 10 years ago,” he said. “Over the last 10 years we have seen entrepreneurial types placing

ATMs because they said ‘Hey, we can charge a fee.’ As a result, less expensive, smaller ATMs have hit the market, so over time the average security profile dropped off tremen-dously. The safes have gotten lighter, for instance, and the criminals have figured some of that out. Another issue is poor deployment choices — ATMs are being placed in locations with no surveillance, for example. So we’ve made it easier for criminals to walk off with ATMs.”

The other trend is on the software side, where ATM deployers are brac-ing themselves for the next security threat, Evans says.

In addition to ink-staining, global positioning systems, or GPS, also are gaining some ground in the ATM world. While the technology is some-times limited, such as when an ATM is placed in a van, where the van’s metal exterior blocks a satellite’s abil-ity to continue tracking the ATM’s GPS device, it has allowed financial institu-tions and law enforcement to recover stolen equipment, sometimes with the cash still intact.

GPS has gained marginal success in the United States and Europe.

BranchProtection

Protection within the branch also is a growing concern. Parabit’s Leiponis




says FIs should be doing what they can to help law enforcement by install-ing video surveillance that covers an entire branch.

“A single camera typically covers a 10-to-15-foot area,” Leiponis said. “To ensure an entire branch is covered, a bank should have an algorithm that says, ‘This is the number of cameras you need to have for appropriate cov-erage.’ Banks should be interested in doing as much as they can to ensure they are helping with investigations when security is breached, and some governing body should help with this type of enforcement.”

And then, not all branches are equal. Geography plays a role. Branches in higher-crime, urban areas might need to install more surveillance than, say, branches in suburban areas, he says.

“There should be some standard that says there should be a camera that covers every teller, or if you have a certain number of tellers, then you should have a specified minimum number of cameras. That would also help to address internal theft.”

Taking all banking channels into the security fold is something Diebold also is working hard to promote.

Jim Merrell, director of self-service marketing for Diebold, says layered security is the only approach that can fully cover an FI.

“Beyond the ATM and the card, you have to think about the customer and the environment they transact in,” he said. “We are continually thinking about the overall branch environ-ment, with surveillance and the overall broader perspective included. We are seeing a greater level of interest in overall security, and this includes tremendous growth from the IT side of the business.”

“With IP-connected technology, we are seeing a large change in the in-

dustry, where the video and the access control and the self-service channel are all being tied together.

All of this equipment is on our in-ternal network for the banks we

(Diebold) work with. And they are all very interested to know if we are

putting things on our network that could create unforeseen security

issues. These are good discussions to have because in an IP-connected environment, things are different.”

— Scott Haroff, chief information security architect,

Diebold Inc.




All three dominant banking players — Diebold, NCR and Wincor Nixdorf — are making strides toward over-all branch security. And all three are deploying products that help FIs better integrate the security technology they use at the self-service channel, for instance, with the branch teller.

But TowerGroup’s Sturgill points out that it’s important for each bank-ing channel to have security that is independent of other channels. For instance, one method for monitoring both branch activity and self-service activity is not sufficient because if the system is breached, then all channels are affected.

Scott Haroff, Diebold’s chief informa-tion security architect, says IT special-ists are taking a greater interest in ensuring channels communicate, but they also employ their own security methodologies.

“With IP-connected technology, we are seeing a large change in the indus-try, where the video and the access control and the self-service channel are all being tied together,” he said. “All of this equipment is on our internal network for the banks we (Diebold) work with. And they are all very inter-ested to know if we are putting things on our network that could create unforeseen security issues. These are good discussions to have because in an IP-connected environment, things are different.”

Although the ATM can remain on a “closed” channel, which operates on a separate network from the rest of an FI’s operations, it still often com-municates with the branch’s normal systems. That means ATMs are more connected to backend systems than they were before the advent of Win-dows, so FIs do have cause for some concern, Haroff says.

“But even though they are connected,” he said, “we see many banks putting their ATMs on VPNs or virtual private networks, and we feel confident that is a secure direction for the industry to move in.”

With the emergence and wide-spread rollout and availability of public broad-band networks, such as DSL/ADSL, and the cost advantages broadband delivers, more terminal operators are reviewing or have migrated their infrastructures to public broadband networks, or PBNs.

To ensure confidentially and integrity, virtual private networks, or VPNs, are implemented for self-service channels. Using VPNs, parties can communicate securely within a PBN.

VPNs require secret keys and public keys for a secure connection to be created. A VPN also demands that both terminals and IT centers receive copies of the public keys.

Within the PC/E suite, a secure end-to-end network connection can be




created between ATMs and their host/switch, says Wincor Nixdorf’s Mojgan Bringemeier, who oversees security solution. The communication security solution allows for the automation of an otherwise manual and human-intensive process.

Wincor Nixdorf says PC/E communi-cation security allows self-service ter-minal operators to benefit from of price advantages and quality of service, also known as QoS, offered by PBN suppliers. At the same time, the PC/E also uses security devices inherent to all ATMs and other self-service termi-nals, such as encrypting PIN pads, Bringemeier says.

Both Diebold and Wincor Nixdorf see investments in VPNs on an upswing.

Additionally, FIs are investing more heavily in technology that verifies and determines identity.

According to a special January 2008 edition of Banken + Partner, a Ger-man business-strategy and manage-ment magazine, the use of biometrics within the branch is quickly becoming a popular idea.

Though the reliability of various bio-metric methods is still being reviewed, biometrics’ use as a way to comple-ment existing security measures, such as the PIN at the ATM, is gaining acceptance.

“The higher the losses from theft

and the further biometrics systems advance, the more likely it will be for these solutions to penetrate the bank-ing sector,” Banken + Partner writes.

Diebold’s Haroff agrees, saying FIs are incorporating more biometrics technology into their systems — from securing vault access to securing laptops.

“From a biometrics standpoint, I am working with a number of customers right now that want to ensure laptops used within the bank are secure with biometrics,” Haroff said. “Some are even using smart cards, too.”

The ProTect/Work Enterprise is a software solution that enables user-authentication via fingerprint or a combination of a finger-

print scan and a smart-card read. The solution, one of Wincor Nixdorf’s biometric solutions, authenticates users through a

single sign-on using a fingerprint, which can include an ID mouse with an integrated finger-tip sensor. The sensor can be used to

securely access PC work stations. Biometric — such as fingerprint — sensors also can be integrated into front-office terminals.

Phot

o co

urte

sy o

f Win

cor N

ixdo

rf In

tern

atio

nal



Wincor Nixdorf is seeing greater inter-est in its biometric-fingerprint technol-ogy as well, Hamann says.

“ProTect Work/Enterprise, which incorporates fingerprint technology for user-identification, is becoming increasingly interesting for our customers,” Hamann said. “Recorded biometric-reference features are stored in an encrypted form at front-office workstations, and the solution allows branch operators to authenticate staff members by using fingerprints or smart cards to access PCs used in the office.”

Other biometric equipment can also be integrated for specific projects.

“We have implemented different bio-metric solutions into our ATMs as part of different projects,” Hamann said. “For example, in India, our customers are using fingerprints to authenticate ATM users. We also have integrated vein scanners into our customers’ systems.”

Biometric uses such as palm readers are part of the PassVault package Die-bold has been promoting since 2000.

Banking and retail are expected to be target industries for large investors of biometrics solutions in the near future.

According to the International Biomet-ric Group, global sales of biometric systems are expected to reach $7.7 billion by 2010, an annual growth rate

of 30 percent. And fingerprint technol-ogy, which currently holds about 40 percent of the overall biometric mar-ket, is expected to lead the charge.

“For banks, customer authentication is becoming increasingly important as the share of banking tasks without personal contact with a bank em-ployee increases. Biometrics methods could be implemented in ATMs, card-based payments, Internet banking and brokerage, and telephone banking to provide secure customer authentica-tion,” according to Banken + Partner.




Rodney Nelsestuen, research director at TowerGroup, says integrated security and risk-

management solutions are expected to grow significantly from 2006 to 2009.

TowerGroup estimates risk-management spending throughout the world will increase by 5.8 percent on compound annual growth rate between 2006 and 2009.

“They need a broad view, from an integrated perspective, of what’s going on at the branch and across every channel,” Nelsestuen said. “In the past, they were looking at what was going on in each channel, but they weren’t looking at it from a holistic perspective. So understanding all the risks in an enterprise is one thing, but tying it all together is another.”

To that end, IT spending is expected to increase over the next 12 months, up approximately 4 percent. And spending in analytical tools, Nelsestuen expects, will increase by 11 percent from 2006 to 2009.

“It’s very difficult for banks to integrate all of this because of problems between channels and problems that have arisen in the deposit space, for instance, as a result of mergers and acquisition. You could have dozens of deposit systems that aren’t integrated, and the more systems you have, the more silos you have, and, thus, the more vulnerability you have.”

Chapter 3: Bringing it all together

“At the end of the day, security it-self is such a broad topic. It goes

from the vault to the video surveil-lance, so we need to take a holistic

view while also being experts in our stake of the game.”

— Michael Engel, director of products and solutions-development,


Concerns about those types of infrastructural challenges are echoed by Michael Engel, director of products and solutions-development for Wincor Nixdorf International.

“At the end of the day, security itself is such a broad topic. It goes from the vault to the video surveillance, so we need to take a holistic view while also being experts in our stake of the game.”

Bringing all channels into the security fold, even from a consideration standpoint, is challenging because banking channels have been independent for so long. Challenging as it may be, the industry is making progress, Engel says.

“The basic idea that we are looking at is trying to achieve a Net-centric architecture,” he said. “That means



you have a central place where you consolidate your branch security. And you have your ATM and other channels touch this same architecture.”

The must-haves — antiskimming, video surveillance, etc. — are the easy part, he says.

“Now we are looking at tying all of this together. With PC/E we have a chance to step-by-step consolidate the management of the different banking-delivery channels and provide integrated end-to-end security,” Engel said. “Having, for example, an integrated video solution is a good start, but figuring out how to react to what the cameras are picking up is the challenging part: Is that a suspicious gesture? Is that a face that we know is on a blacklist? What to do now with this information? Who do we need to inform? So you have to have some logic, some intelligence that is able to interpret this kind of information. This is event-based management at the core, and this is where the Net-centric architecture of PC/E comes into play.”

But attaining that kind of holistic harmony will take time, says TowerGroup’s Nelsestuen, because of existing, siloed infrastructures.

NCR also is focusing more attention on operating-system security, says Rob Evans, NCR’s director of industry marketing.

“With Windows, in some ways it’s a blessing and at the same time it’s something you really have to think about,” Evans said. “I think it would not be overstating to say there have been a number of problems with Windows, since the potential for attack existed even on OS/2.”

The difference now, however, is that everyone understands Windows and Internet protocol, making the potential for an attack more likely, he says.

“The difference then (with OS/2) was that not too many people could look at transaction script and understand what it was,” Evans said. “Today, everybody and his brother understand how IP and networks work, so for everything we do, we have to think about security for the infrastructure.”

Jim Merrell, director of global product marketing for Diebold, says that when broken down to its most basic, the new environment, like the old, means FIs have to ensure they encrypt every transaction.

“Take the ATM as an example,” Merrell said. “The biggest thing at an ATM is detecting attack devices and then looking closely at encryption inside the ATM — of the PIN when it’s entered and the transaction when it’s sent to the processor.”

That same line of thinking holds true for all banking transactions, ensuring




that they are watched every step of the way, Merrell says.

Nicole Sturgill, another TowerGroup analyst, says security concerns are taking on new levels of complexity.

“Before, for instance, it was just signature cards, and now we’re looking at how to keep PINs secure,” she said. “So the complexity of card transactions, for instance, because there are so many ways of initiating transactions, has become much more complex. How do you combat any kind of fraud in a way that keeps systems separate yet connected? How do you take a top-level view to get your arms around all of it? It’s a lot to take on.”

Debra Cobb of Fair Isaac Corp., which is working with FIs to enhance their security tracking and analytics, agrees that as the banking touchpoints for consumers continue to increase, so too will the necessity for FIs to think about more dynamic yet uniform ways to track what’s going on where.

“With multiple access points to a customer’s account — including ATM, online and branch — banks are recognizing the need to evaluate fraud across channels, with large banks being the first to make strides in this area,” Cobb said. “One of the key technologies that enables institutions to identify potential fraud or compromise is profiling, which aims

to identify what is ‘normal’ behavior versus what is ‘unusual’ behavior that may indicate fraud.”

Cardholder profiling was developed by Fair Isaac more than a decade ago to help the industry tackle payment-card fraud. Since that time, Fair Isaac has introduced other profiling behaviors associated with payment transactions to enhance its big-picture view for identifying or determining the so-called riskiness of a transaction, Cobb says.

“For example, device profiling is used to analyze card-present terminals, such as ATMs and POS devices,” she said. “It builds specific characteristics of activity that can then be utilized to determine how unusual a transaction is for the cardholder, based on the terminal’s behavior. Merchant profiling is also used to identify riskiness associated with specific merchants, which is particularly crucial for card-not-present transactions.”

And the same kind of profiling can be applied to teller transactions and demand deposit accounts.




In the future, financial institutions are more likely to rely on consulta-tion services provided by compa-

nies that specialize in analytics and banking technologies.

Managed services are increasing, representatives from Wincor Nixdorf International and Diebold Inc. agree.

“We are seeing growing interest from banks in the area of managed ser-vices, and we are doing more to help them monitor their overall networks,” said Wolfgang Hamann, senior product manager of security for Wincor Nixdorf International.

Wincor Nixdorf is working with numer-ous partners, including IBM in Canada, to provide end-to-end services.

And for companies like Diebold and Wincor Nixdorf, it’s not just the trans-action monitoring that will make a difference in the future, but also the continued consultation that industry experts like Diebold and Wincor Nix-dorf can provide.

“Banks have to have the technol-ogy, for instance, that allows you to share information between branches, and perhaps even between different banks,” said Scott Haroff, Diebold’s chief information security architect. “We are developing these types of systems for them, both internally and through work we do with partners. But the important part of all of that is the consulting that comes after the system

Chapter 4: Changing and evolving security demands

is in place. It’s more than just selling a solution. Banks have to have support to use the system.”

Alan Walsh, vice president of banking for Wincor Nixdorf USA, says a num-ber of emerging banking technologies will continue to push FIs to seek out more specialized vendors.

“The emergence of advanced-branch-automation technologies has resulted in significant advancements in branch security for both financial institutions and their customers,” Walsh said. “The introduction of automated teller safes, for example, greatly increases branch security with the elimination of the cash drawer. And with cash always in a secure ATS environment, financial institutions have the freedom to securely deploy a more open and customer-focused branch design. At the consumer level, bulk-deposit ATMs allow bank customers to deposit up to 50 checks at a single time through a single slot in just a very few moments, thereby minimizing customer time at the ATM and significantly increasing the security factor.”

As transactions, such as intelligent deposit, become more commonplace, the IT that supports those envelope-free deposits will continue to become more complicated for FIs to manage on their own.

Rodney Nelsestuen, a research director with TowerGroup, says FIs are increasingly moving toward



process-orientation risk management. It’s a move that not only involves IT management, but also analytics and business-process management.

“Financial-services institutions face a growing challenge in managing the mountains of data proliferating across their systems, applications, and people,” TowerGroup writes in a report about Nelsestuen’s industry report, “Back to Basics, Into the Future: Risk Management and Growth Through Enterprise Intelligence.”

“Most institutions today launch a host of disjointed efforts to extract intelligence, whether for new busi-ness and growth opportunities or risk management purposes, from data within ‘siloed’ business and technology areas,” the report states. “TowerGroup advocates enterprise intelligence as a different and more holistic approach to discovering, mining, managing and leveraging data to achieve business goals.”

TowerGroup says the migration toward an enterprise view “will enhance man-agement visibility across the institu-tion.”

Today, potential risks are identified by numerous data sources, including the ATM, but risk managers, often siloed themselves, tend to take narrow views of their individual systems — looking only for trends that impact their areas or channels.

But a more comprehensive view of risk is quickly becoming necessary to identify and address early indicators that threaten an FI’s security.

“Today’s bank branch is infinitely more technologically advanced and secure than branches of less than a decade ago,” Walsh said. “And the tech-nologies already being developed for introduction in the very near future will continue the trend that enables banks to focus their attentions on providing the highest level of service to best meet the needs of their customers. Technologies that simplify best prac-tices for bank security have an imme-diate and lasting impact on a financial institution’s ability to succeed in a highly competitive marketplace.”

Chapter 4: Changing and evolving security demands



ATM security in Asia moves to veinsATM Marketplace, March 12, 2008

By Lynn Walford, contributor

Last year, Frost & Sullivan rec-ognized Fujitsu for its so-called “revolutionary” approach to

biometric-product technology. The product: Fujitsu’s palm-vein-authenti-cation device, PalmSecure.

PalmSecure picked up kudos from Frost & Sullivan for its high level of security and consistency, as well as its ease-of-use and its contactless pro-cess.

In January, Fujitsu demonstrated new PalmSecure products at the Con-sumer Electronics Show in Las Vegas, displaying what some industry experts say could lead to greater acceptance of biometric-security options in the United States.

VPR, or vein-pattern recognition, for financial-transaction verification is still relatively new, says Victor Lee, a con-sultant with New York-based Interna-tional Biometrics Group.

In 2007, VPR only accounted for 3 percent of the biometric market, even though Fujitsu developed its VPR technology in 2004.

Today, it’s edging its way up to com-

Appendix: Additional stories from ATM Marketplace and Self-Service World

According to Fujitsu, based on data from 140,000 palms, the VPR system has a false-acceptance rate of less than 0.00008% and a false rejection rate of 0.01%.

The VPR can authenticate users from: ► all age ranges, from 5 to 85 ► various occupations ► different ethnicities

The data is not adversely impacted by lifestyle, providing accurate information for users after they’ve been drinking alcohol, have taken baths, have gone outside, or have just awoken.

prise more than 10 percent of that market, IBG says. Asia and North America are expected to be the largest global customers for biometric prod-ucts and services.

“Vein-pattern-recognition adoption is increasing, and it is the most state-of-the art authentication technology today,” Lee said.

Evidence of some acceptance of biometrics-security technology in the financial space is already evident. Last year, Shinkin Central Bank in New York installed a biometric access-con-trol system designed by Hitachi that uses vascular biometrics, technology similar to the VPR product designed by Fujitsu.



Security prevails

Escalated concerns about fraud, identify theft and security leaks have prompted consumers throughout the world to pay closer attention to how their money is being managed and protected, and U.S. consumers are no exception.

Chuck Wilson, deputy general man-ager of Allen, Texas-based Hitachi Security Solutions, says, as fraud concerns escalate, North American financial institutions will search out more reliable security methods.

He points to Japan, which was quick to adopt and enforce the use of biometrics-security products to au-thenticate financial transactions, as an example. North America will likely follow the same route, he says. Japan was simply ahead of the curve.

In the early 2000s, Japan’s financial industry saw high rates of ATM-related fraud, namely fraudulent ATM with-drawals and other scams related to cloned cards.

“At that time, there was no withdrawal limit, and banks didn’t guarantee losses due to theft,” Wilson said. “Customers were held responsible for securing their PINs. By 2005, funds stolen (totaled) over (U.S.) $8 million.”

Japan’s growing fraud soon grabbed media attention, Wilson said, and the financial industry was caught with egg

on its face because FIs made consum-ers vulnerable, and they weren’t offer-ing any protections.

After the government shifted ATM-loss liability to the banks in February 2006, Japanese FIs quickly searched for security alternatives, and biometrics seemed like the most viable solution.

In 2004 and 2005, Fujitsu’s palm-vein technology was adopted in Japan by Suruga Bank, the Bank of Tokyo-Mit-subishi, Hiroshima Bank and the Bank of Ikeda.

“Palm-vein-pattern recognition has a .00008 percent false-acceptance rate and has been extremely successful in Japan,” said Gerald Byrnes, manager of biometrics for Fujitsu in Sunnyvale, Calif.

Today, more than 92 percent of Ja-pan’s banks use vein-pattern recogni-tion, Wilson said, adding that “adop-tion by the Japanese banks resulted in sharply reduced fraud.”

But adoption in North America, espe-cially the United States, could take longer than companies like Fujitsu would like.

Movement has been made in other parts of the Americas, such as South America. This year Banco Bradesco, Brazil’s largest private bank, is incor-porating palm-vein technology into its ATM system. The bank tested the solution in 2006.




The situation in North America, how-ever, could be a different story. And recent events support that theory.

Just last week, U.S. biometrics-tech leader in the financial space, Pay By Touch, started auctioning off pieces of its business, after declaring bank-ruptcy. Pay By Touch, which paid $82 million for its BioPay Paycheck Secure business in 2006, sold the business to a Phoenix-based management group for just $4.2 million.

The finger is the rub

What’s held biometrics use back in North America, as well as other mar-kets such as the United Kingdom, is that most solutions have relied on fin-gerprint readers. One need only look to the miserable failure experienced by Pay By Touch to see that at least in the States, a “touch” doesn’t go over well.

Simply put, many U.S. consumers don’t like to give out their fingerprints, say experts like Byrnes, Wilson and Lee, for a number of reasons — none of which have been definitively pin-pointed by any scientific facts. The assumption is that U.S. and U.K. consumers associate fingerprints with government control, and they want no part of it.

Another consideration: Fingerprints can sometimes be difficult to read, and

they also pose their own vulnerabilities to security breaches.

Other issues with fingerprints also come into the biometrics debate.

For one, fingerprints are more difficult to obtain from people of Asian descent because of less-defined ridges in Asian hands, especially among wom-en. Additionally, between 2 percent and 5 percent of the general popula-tion has some physical limitation that hinders fingerprint imaging. Doctors who wash their hands frequently, hair stylists who work with chemicals, and others who work in trades that require frequent hand-washing can have fin-gerprint erosion, Wilson says.

Fingertips also become dirty, oily or cut, and dirt and oil tend to obscure finger images. Fingerprints can be lifted and copied, and industry con-cerns about the ability to read prints from a dead, severed hand still plague the technology.

VPR is different, Wilson said. And because of its high rates of authenti-cation, more U.S. FIs will be open to using it.

“There is great security in this kind of authentication, called triple-factor security because it uses a PIN (some-thing you know), a smart card (a physical token; something you have) and a biometric (something you are) all at the same time,” Wilson said.




It’s also hard to copy.

VPR compares vein patterns in the palm to individual-user patterns saved, for example, in a database or on a smart card. Because the patterns exist inside the body, they cannot be stolen or copied.

The patterns are read and photo-graphed via the reflection of infrared light. Hemoglobin in the blood reflects the light.

One interesting aspect of hemoglo-bin is that it reflects and absorbs light differently, depending on whether it is deoxidized — meaning it has already carried oxygen to the body’s tissues. Deoxidized hemoglobin absorbs the light, reducing the light’s reflection rate and causing the veins to appear as a black pattern.

How it determines viability, such as whether or not the palm alive, is equal-ly interesting.

When the body cools — because of a lowered ambient temperature — blood vessels, particularly the capillaries, contract, decreasing the blood flow in the body. The slowed flow increases the hand’s light transmittance, so less light is absorbed by the hemoglobin, allowing light to pass through more easily. The more light, the less heat.

Because it’s based on reading through infrared light, this technology is contact-less — a big seller for FIs, says Lee.

Fujitsu’s solution, for instance, allows ATM users to hold the palms of their hands over a reader on the ATM. The reader emits near-infrared light — the same wave-length spectrum used in TV remote controls — and reads the vein patterns.

ATM transactions are verified by matching the VPR to patterns saved on a smart card.

Like Lee, Ariana-Michele Moore, an analyst with Boston-Based Celent LLC, is intrigued by VPR. She’s just not ready to say one way or the other how likely it is to take off in the United States.

“(VPR) has interesting potential and is intriguing,” Moore said.

But, she added, many are concerned about how their personal data is stored and used. And research has not determined the long-term effects of exposing a palm to near-infrared light.




“There is a change in the ATM indus-try. Dropping transaction volumes and industry pressures are forcing

ATM players to explore other sources of revenue. They’re getting excited

about advanced functions, such as billpay, and we’re happy about

that.”

— Hamed Shahbazi, CEO of TIO Networks Corp.

Advanced functions and the futureATM Marketplace, Feb. 28, 2008

By Tracy Kitten, editor

ATMIA Conference 2008 came to a close last week in New Orleans. Long-time attendees

and ATM Industry Association veter-ans said it marked the end of one of the association’s best conferences, not only because of expected record-attendance numbers but also because of the show’s theme and tone.

Mike Hudson, the former general manager of NCR EasyPoint LLC who recently joined Australia-based Sym-stream Technologies as its Americas vice president and managing direc-tor, said the show’s timing and well-planned agenda likely pulled in a better crowd than previous years.

“I think the sessions attracted a lot of people, and I just think more people have time to focus on building their business than they have in the past,” Hudson said. “This industry ebbs and flows. With all of the focus we’ve had on Triple DES and compliance and mandates, it’s been hard for ATM com-panies to think about the future. Now, we’ve moved past that. Take a look around: There is so much energy, so much going on. People are showing off new equipment, new technologies,

and the industry is excited about it.”

Bill Dunn, vice president of sales for Tranax Technologies Inc., shared a similar sentiment. He said indepen-dent sales organizations in the ATM space are reaching and expanding their visions. They’re trying new things, and they’re hungry to learn how they can take their businesses from point A to point B in the 21st century.

“We have gotten a lot of interest in our check-cashing system and our billpay solutions,” Dunn said. “This has been the best ATMIA show for attendees coming by our booth to look at what we’re offering, and I think the reason is obvious. Why? Because there is a lot going on in the industry right now. There is a lot of competition, and those who are here want to see what is new and how they can differentiate




themselves with new technology.”

Dunn also said ATM ISOs are looking for solutions that will keep them in the cash business and offer opportunity to reshape the ATM business.

“I think we’ll see more ATM ISOs main-taining control of their ATM networks,” Dunn said. “And with more advanced functions, it’s more or less a neces-sity.”

The function

Self-service bill payment is one such function. It’s not something industry insiders merely talk about — many of them have deployed it in the field. It’s proven technology, Dunn said. And in Dunn’s mind, check cashing, which involves a mix of self- and full-service, will follow the same path of accep-tance.

“The check-cashing solution we have with VALID Systems is getting a lot of attention. VALID Systems knows this business, and what we’re doing with it is not in beta — it’s being used in the field right now. We’re in selling mode.”

The VALID-Tranax solution incorpo-rates self-service with a teller, so the transaction time at the ATM is the same as a basic cash withdrawal. The cashier or clerk scans the check and then prints a receipt for the customer. On the receipt is an ATM-transaction number, which the customer enters at

the ATM, along with the amount of the check. And voila: Cash is dispensed.

Though check cashing that includes a mix of self- and full-service might not be the golden ticket, check cashing in some form at the ATM or kiosk likely is, said George McQuain, president and chief executive of Florida-based ISO Global Axcess Corp. (dba Nation-wide Money Services).

“Check cashing is something Global Axcess is closely reviewing,” McQuain said.

And now that the company is over the Triple DES hump, it’s ready to reinvest in its business, he said.

“We’ve completed our Triple DES upgrades,” McQuain said. “Now that we’ve made that investment and com-pleted our upgrades, we’re free to do more sales and to use our resources in other areas.”

Most of GAXC’s ATMs are in grocery stores and c-stores — ideal venues for check-cashing services, McQuain said. But the company hasn’t made any moves, yet.

GAXC obviously is not alone in its in-terest. A presentation, hosted by Palm Desert National Bank’s Electronic Banking Division, TIO Networks Corp., VALID Systems and the Center for Financial Services Innovation resulted in a standing-room-only crowd. The presentation, “Hybrid ATMs & Retail




Revenue,” was definitely a topic of interest.

“There is a change in the ATM indus-try,” said Hamed Shahbazi, president and CEO of TIO Networks. “Dropping transaction volumes and industry pressures are forcing ATM players to explore other sources of revenue. They’re getting excited about ad-vanced functions, such as billpay, and we’re happy about that.”

John Templer, the president and CEO of VALID Systems, said self-service check-cashing is finally taking off.

“It’s profitable for the retailer or c-store, and it’s something we’ve been doing for a long time,” he said. “We take a teller-assisted approach, but it really is just the first step.”

Tapping cash-preferred customers is the core interest, said Shahbazi, and it’s an interest that is being fueled by a number of simultaneous influences.

Economic shift

ATM industry pressures, which have been rocking the industry’s foundation for the last few years, are part of it. But so is the U.S. economy.

“The economic downturn in the U.S. and the globe may push some con-sumers into that sub-prime category, and it’s in that category that we find the cash-preferred,” Shahbazi said.

“Our terminals have had some of the best transaction volumes on record in the last few weeks, and we don’t have a really good reason for it. I do think the economy could have something to do with it, and I expect our volumes to continue rising as we see more consumers moving into that cash-pre-ferred category.”

For years the industry has wrestled with the notion of advanced functional-ity, arguing that basic cash dispensing is the best option for the ATM.

But is that perspective changing?

“I think advanced functions are help-ing the (ATM) industry,” Shahbazi said. “What we really need in this industry right now is innovation, and advanced functions will get us there. Interest in our product is picking up. For some, advanced-function hardware is too expensive. For others, they see it as a long-term investment.”

All signs point to change. It’s a time of rebuilding, most would say.

A new beginning

It’s that perspective that made the conference’s opening address, deliv-ered by industry veteran J. Michael Brown, so fitting.

As Brown spent the better part of an hour sharing his gut-wrenching experience as a Katrina survivor in




New Orleans, the audience fell silent. Soon, however, it became evident to those listening that ATMIA’s theme for Conference 2008 — “Rising Again” — meshed well with the rebuilding of New Orleans and the life of a local bank and trust’s president and CEO.

Since Katrina, Brown has made many changes, in both his personal life and his professional life. The tragedy led him to identify new business oppor-tunities for his bank, First Bank and Trust, that are helping build a stronger financial foundation for the future.

“Ultimately,” Brown said, “the bank was not prepared for how bad the storm was going to be. We lost every branch except our branch in Ba-ton Rouge. We didn’t have the right software at the backup site, and we didn’t have a good plan in place. Now we have remote-deposit capture, and it’s a lesson we learned from Katrina. It’s a wonderful technology that would have resolved a lot of our problems, had we had it in place then. We’ve learned from the experience, and we’re better for it.”

A glimpse from the floor

Wincor Nixdorf International showed off its new SlimCash, a “slimmed-down” version of the ProCash 1500 that’s designed for off-premises deployments. The new ATM is being marketed in the United States for its

ISO appeal, but it’s also garnering attention from bankers, said Kevin Bienemann, Wincor Nixdorf USA’s ISO channel sales director.

“This show is not just ISOs. We’ve had people from U.S. Bank and PNC here expressing interest in this machine,” he said. “Banks and ISOs are looking for more functionality for more revenue generation.”

The SlimCash comes equipped with two cash cassettes, each holding up to 1,200 notes.

GRG Banking Equipment Co. Ltd., which expects 2008 to be its year for a big U.S. push, showed off its H22 TTW or through-the-wall ATM. The company expects ISOs and financial institutions to take an interest in it. In China, GRG has installed about 30,000 H22 ATMs.

GRG is working with Global Cash Services, the new consulting company founded by former Triton heads Brian Kett, Bill Jackson and Jeff Barrow, to market its products in the States.

Triton Systems said it’s sticking to the products the market wants; 2008 will be the year that the company spends perfecting and promoting its RL 2000 and FT 7000 lines.

“We think the RL 2000 is really a rebirth of what made Triton great with the 9600,” said Triton’s new CEO, Bill Johnson. “It will be the staple of our retail line.”

The RL 2000 is touted for its stan-




dard 10-inch color monitor and SDD or single-denomination dispensing mechanism.

“It’s a reliable machine, like the FT 7000,” which is designed for the FI space, Johnson said. “We’re working to push the FT 7000 through our VARs (value-added resellers), and we have several hundred out in the field right now, in both the domestic market and internationally.”

Nautilus Hyosung showed off its new MoniMax line, which it’s now pushing in the market beyond the well-known Mini-Bank series.

“From here forward, MoniMax will comprise all of our ATMs except for the Mini-Bank 1500 and 1800,” said Randal Lawrence, Nautilus Hyosung’s new U.S. marketing manager.

The MoniMax 5300, which is expected to hit the market during the second half of the year, is designed to meet the needs of both the retail and bank-ing markets. Equipped for the show with a sidecar for advanced functions like check-cashing and billpay, the 5300 comes with a standard 15-inch touchscreen LCD and can hold up to 6,000 notes.

Also expected to hit the market soon is the Mini-Bank 1820, part of the 1800 series. It’s a sleek Windows-based ATM that comes in at a price point comparable to the 1500, Lawrence said.

“We’re pushing it to the retail market because of its small footprint and fresh design,” he said. “I’ve heard our cus-tomers say retailers will like it because of how it blends in with the rest of the retail environment. It really does have a nice look.”

Columbus Data Services said its self-service card dispensing program, which it announced last year through a deal with Tranax, is gaining attention in malls.

“We got off to a slow start, because self-service gift-card dispensing is something new for consumers,” said Ron Schuldt, president of CDS. “But we’re using a wrap now to tell us-ers what they need to do to use the machine, and we expect that to make a big difference. There is interest out there; you just have to market it.”

CDS has only deployed its card technology on the Tranax c4000, but Schuldt said the technology can be deployed on any Windows-based ATM or self-service terminal.

That said, where Schudlt expects his company to see the biggest growth in 2008 is through its payroll-card busi-ness, which is part of CDS’s Pay N Go program.




The future of the ATM industrySelf-Service World, Feb. 28, 2008

By Eben Esterhuyse and Mark McMurtrie, contributors

Eben Esterhuyse is a product man-ager and Mark McMurtrie is a market-ing director for Postilion, a company that provides integrated solutions for self-service banking and payment processing.

The ATM is now more than 40 years old, with the first transac-tion being made at a branch of

Barclays Bank in Enfield, London, on June 27, 1967. Since that time, ATMs have gone from being an exciting new technology to a tried-and-trusted part of banking infrastructure. Aside from cash dispensing and balance check-ing, ATMs now have the ability to accept checks and deposits, provide comprehensive statements and even top-up prepaid mobile accounts.

This expansion has accompanied a rise of self-service within the banking industry: taking staff away from low-value customer service activities and putting them into more consultative roles within the business. Employees now have greater expertise and the ability to cross-sell products within the bank’s portfolio, while ATMs offer a quicker, more efficient route for cus-tomers to get their money.

However, this shift in strategy by banks means that the future of the ATM is at a crossroads: Does the organization view the ATM as simply a fulfillment channel or as a route to offer more comprehensive services? This decision forms a big part of the overall customer strategy that the bank is to follow. Does it concentrate on driving out costs from the ATM channel, reducing its total cost of own-ership TCO and being as efficient as possible when it comes to managing this channel? Or should the bank look to roll out even more new services via the ATM, connecting to customers in new ways and building more value into each interaction that a customer can have with the bank? Is this evolution or revolution?

Reducing TCO for the ATM channel means looking at issues of reliability and security, as well as improving the remote management of machines across the bank’s network. One of the biggest costs is the on-site visits that have to be made in order to keep the ATM up to date and functional; replac-ing these maintenance visits wherever possible with remote management or fixes would remove a significant level of overhead. This also would improve the user experience as there would be fewer service outages.

To reduce TCO over time also in-cludes rolling out advanced depository items. Some financial institutions have rolled out cash depositors as they al-




low fewer visits to the ATM to pick up a check that needs to be cleared within a certain time period. This can cut the number of times that an organization has to visit the ATM from a deposi-tory perspective. If you can reduce the number of visits to once a month per machine across the entire ATM estate, this can provide a substantial reduc-tion in costs.

Another area where ATM networks are being optimized for lower TCO is through electronic journaling; by focusing on incidents where disputed transactions have occurred, the bank can reduce the opportunity for these events to take place. The electronic journal can help the bank to sort out the transaction far faster than with a manual process and at a lower overall cost.

The process of reducing TCO also extends beyond hardware to the payments-processing system that supports the ATM network. Most banks still are using legacy systems that require specialist knowledge and skill sets to maintain and run ef-fectively. This invariably means that staff resources are one of the biggest overheads that an organization has to consider.

Rather than continue to support a legacy system that has high ongoing costs, the bank can move to a newer platform based on open systems that are not proprietary or closed to users.

This approach has two benefits: one, a new software platform can deliver much higher performance, and two, open systems are based on current operating systems and programming languages, which means the pool of talent that the bank can draw on is much wider. The costs of hiring staff to support the systems are lower as there are more candidates with the re-quired necessary skills, and the wider availability of resources means that the organization can get its projects completed faster.

This approach can improve the quality of support for the bank’s ATM network, while also reducing its staff expenses. By changing the software running the ATM, organizations can streamline their costs while reducing downtime, which can impact user satisfaction.

The alternative business strategy that banks are looking at is offering more services through the ATM. Instead of just using the channel to dispense cash, the ATM can become a platform for offering a wide range of features to customers. This approach is aimed at increasing the level of business that each customer conducts via the ATM channel, as well as the overall number of transactions that a user may carry out.

Increasing the functionality of the ATM means taking a more holistic approach to the channel and how it works within the bank’s overall approach to dealing




with customers. The ATM can become a point for self-service and fulfillment of standard transactions such as cash withdrawal and providing statements, taking these activities away from the branch staff. This means that staff can concentrate on more customer-fo-cused activity, providing better advice on banking products and opportunities to cross-sell. This not only is better for customers, as they receive a higher level of service when they require it, but it also means staff will be engaged in more meaningful, fulfilling activities.

Integrating the ATM software into the bank’s customer-relationship-management systems also offers the opportunity to target customers more efficiently. The ATM can provide a plat-form for advertising specific products to customers while they access their accounts. By linking into existing CRM systems, the bank can make sure that its advertising is more effective in reaching an audience that is predis-posed to be interested. This also can be used to target customers of other banks with offers that might be reason enough to shift their accounts over when they withdraw cash through one of the bank’s ATMs.

Another opportunity to improve ser-vice through the ATM channel is with greater personalization, allowing cus-tomers to access their most popular requests via shortcuts. These can be set up through online banking, where users create their favorites, which can

then be accessed whenever users visit the ATM. The software will present their favorites to them, cutting down on the amount of time each customer must spend at the ATM. This degree of customization relies on the bank being able to manage all its channels for customer interaction from a single point.

An example of this is when users want to take out a standard amount of cash without a receipt whenever they use an ATM. This option will appear on the screen after they enter their PINs, eliminating three or more sub-sequent steps. Creating this shortcut and giving customers greater control over how they interact with the ATM can shorten queues and the average amount of time each user spends at the machine.

Dynamic Currency Conversion or DCC provides another new opportunity for ATM operators to improve the level of services available via the ATM chan-nel. DCC is the conversion of currency from the local currency through to the customer’s national currency. By displaying this information, customers can get up-to-date information on how much their foreign-exchange transac-tion will be worth.

While DCC at the retail point of sale level has been in place for the past few years, providing this service at the ATM offers a far better opportunity to add value and provide higher levels




of information to the customer. Users also benefit from access to foreign currency whenever they require it, while the ATM operator can profit from taking the transaction fee from the foreign exchange.

Adding new services and features at the ATM level depends on the skills available to the bank. With a legacy network, implementing a new feature can require extensive investment and resources in order to complete work that may not necessarily return significant value to the bank. New teller machines can support a far wider level of interaction with users, so the infrastructure behind the individual ATM has to be as flexible as possible in order to take advantage of this additional functionality.

Taking the open-systems route means that new features can be delivered far quicker to the business and at a much lower cost. This means that the bank can look at providing a wider level of features and capitalize on more opportunities than it could otherwise.

Overall, there is a fundamental split in how banks are approaching the ATM channel. Does the bank remove as much cost as possible and keep the ATM as a simple fulfillment system for customers, or does it make the ATM a strategic element in the bank’s interactions with customers by providing greater levels of self-service? What will link these two strategies in the future is the fact that both will rely on a more open-software platform in order to be successful, one that is based on skills that are more widely available in the market. Whichever strategy a bank chooses, as current legacy networks become more expensive to support and the skills required die out within the developer and IT communities, the ATM channel will have to evolve to continue providing value to the business.



bank branch security in the 21st century...solutions to the retail and banking industries. the...

Documents