May 2008


International Surcharging –
  • As of APRIL 1st – Make sure you are getting your International Surcharge in Wisconsin!
  • Hawaii – Governor Lingle (R) signed the International Surcharge Bill on March 31st and it became effective immediately!  To date only Visa has issued their agreement with the legislation.  MasterCard’s legal department is still reviewing the language, but ATMIA has contacted MasterCard and has requested a rush on this decision.  ATMIA will keep you informed.
  • Florida – Great News!  Our International Surcharge Bill has passed both chambers and has now been sent to the Governor for signature!  Once the Governor formally receives this bill, he will have 15 days to act upon the measure or the bill will automatically become law. A source in the Governor's office stated that this measure is expected to be signed as the bill passed both chambers unanimously and has garnered industry support. Once signed, it will become effective July 1, 2008!
  • New Jersey – ATMIA will work on getting an International Surcharge Bill sponsored for the 2009 session.

Adverse Legislation

  • New York –
    • A.B. 3288/S.B. 3864 Requires operators of private automated teller machines to register their machines with the Superintendent of Banks. Imposes a fee for the registration of such machines.  A hearing was scheduled for April 29, 2008. 
      • ATMIA provided a Memo in Opposition.  This bill has been pulled for about three (3) weeks.
    • A.B. 10722/S.B. 8109 – States that any bank shall waive the ATM fee of any person accessing child support payments pursuant to any order of child support or child and spousal support.
      • The bill was just introduced this week and has been referred to the Banks committees in both houses. The bill is new and has no prior legislative history. The Senate sponsor is an influential majority member of his conference while the Assembly sponsor is in the minority. ATMIA has put this bill on alert and will continue to monitor and gather background information. 
  • Illinois S.B. 2856: Provided that no person operating an ATM terminal in this state shall impose any surcharge exceeding $2 on a consumer for the usage of that terminal.  
    • This measure is now dormant. It failed to meet the committee reporting deadline and has now been sent back to the Senate Rules Committee. If the Illinois Legislature decides to act on this measure they may ask for a reprieve to the rule, but that is highly unlikely and has not occurred on any measure in over 5 years.
  • Maryland H.B. 751:  was introduced on 2/4/08, signed by the Governor on 4/8/08, and will become effective 10/1/08.  The bill amends several sections of the Maryland statutes relating to financial institutions including Md. FINANCIAL INSTITUTIONS CODE ANN. § 1-403, which relates to ATM installation. This bill does reduce and simplify the state’s requirements to install an off-premise ATM by requiring a written notice rather than an application. However, national banks are exempt from the current and the amended state statute, pursuant to their preemptive authority found at 12 CFR 7.4003, which provides that an ATM is not a branch “and is not subject to state geographic or operational restrictions or licensing laws.”

ATMIA Initiated Legislation

Review of NY State Registration Bill – During the last GRC meeting it was reported that with the recent financial crisis and New York depending on Wall Street for taxation funds, New York is going to be short on money and looking for other sources of revenue.  This may be a good time to push our ATM Registration bill forward. The GRC will be reviewing the ATMIA ATM Registration Bill that was not passed in the 2006 legislative session for any updates.

Other GRC Actions

Wyoming - The GRC had been requested to approach the State of Wyoming in regards to the surcharge cap.  The current legislation allows for up to $2.00, but places the final decision in the hands of the banking commissioner who is evidently responsible for a $1.50 cap.

  • The Wyoming Banking Commission is currently soliciting feedback on amending Wyoming Statute 13-1-502(f). The statutory amendment will increase the Surcharge Cap to $2.00 USD. The new regulation is currently in a 45-day review period. The notice of intent was published in two publications, the Cheyenne Tribune-Eagle and the Casper Star Tribune, April 14 and 21, 2008. When the initial review period is complete, the statute will go for another 45-day review period with the Conference Committee, after which it will go to the Governor for signature.  It is expected that the amended statute will be implemented at the end of August 2008.

  • To review the proposed revision, you may visit their website at http://audit.state.wy.us/banking. Comments are being accepted on the proposed rules until Thursday, May 29, 2008.  ATMIA is in the process of preparing a letter of support for this amendment.  If you have any questions or wish to view the amendment, please send your request to Cynthia Habeeb, US Sales Manager.

US Industry Defense Fund – Please be prepared to receive a request for donation to our US Industry Defense Fund in the near future to help offset the costs for our General Governmental Affairs Representation for the 2008 Calendar Year.

Sponsoring Financial Institutions Committee – Next Meeting June 10th @ 11:30am Eastern – unless otherwise needed.

  • Re-evaluating request to FFIEC to modify AML guidelines – After discussions with the SFI Committee, ATMIA contacted Kurt Helwig, EFTA, to discuss this further.  It was decided that ATMIA will send Kurt the section of the FFIEC AML guidelines that we are referring to for review and possibly ask the FFIEC for clarification on their philosophy behind the guidelines.
  • Banks provide ISOs 30 day notices forcing ISOs to move to Armor Car – It came to ATMIA’s attention that a number of banks are forcing ISOs to move to Armor Car services which are contradictory to their overall business model of self replenishment.  It is believed that with the new AML focus targeting ATMs, source of cash, banks are apprehensive now with the merchant ATM model. 
    • ATMIA is contacting several banks to discuss this issue, and determine the reasons behind these concerns and develop a position paper and task force to work on this issue.
  • Meeting to address frustrations versus filing a complaint with the FTC – ATMIA is trying to facilitate individual meetings with the Networks to discuss possible actions in which to address the pressures on the ISO business model. A few of the challenges the ISOs are facing deal with interchange continually being driven downward and tier pricing, to name a few.
    • MasterCard, ATMIA, and their individual legal counsels will be meeting to discuss this in the next few weeks.

Denomination Fraud Committee – Next Meeting (TBA)
 
During our May 1st conference call, it was reported that an anecdotal resurgence in denomination fraud has been seen in the last six (6) months.  The following three main security weaknesses seem to be causing the vast majority of denomination fraud at the ATM:

  1. Blow out pass codes and resetting to factory default at ATM
  2. ATM was given a generic password widely known in the industry
  3. ATM is/was left at factory default passcode

Possible solutions discussed:

  • Require a manager/programmer card which in turn always requires a unique password for that machine.  If you do not have the card, you would need to have a key to get in to the machine to reset. 
  • Require a key to access the cabinet of the vault to trigger the program management function
  • Require that denomination changes be allowed ONLY by the processor.  It would need a form with a signature before you could change a denomination setting. 

ATM Placement Models have changed:

  • Allowing denomination changes at the ATM menu was less risky when the merchant owned the machine and was the ONLY one with a password or managing the machine. 
  • In today’s placement model merchants/ISOs are essentially allowing 3rd party armored providers and technicians the keys and have no way of verifying that a master password was really changed. 

Please think about taking part in this very important initiative, as any steps taken will certainly need to include the feedback and knowledge of the various segments impacted within the ATM industry: ATM manufacturers, processors, service organizations, etc. 

Debit Council – Next Meeting June 18th @ 10am Eastern – unless otherwise needed.

  • Mobile Phone Security Committee – this new sub-committee is already in the process of drafting best practices for mobile phone banking, incorporating a security lifecycle approach: “Security Best Practices for Mobile Phone Banking & Payment Applications”.  The following are the chapters:
    • Objectives, Scope and Terms of Reference
    • The Evolution of the Mobile Phone
    • Defining the Security Lifecycle for Mobile Phone Banking
    • Customer Education Tips for the Mobile Phone
    • Security of Transmission from Mobile Phone to Financial Services Device (e.g. ATM)
    • Enrolment, Registration and Customer Access to Mobile Phone Banking, Including Best Practices for Authentication
    • Security of Authorization of Mobile Phone Banking Transactions
    • Protecting the Privacy of Customer Data, Including Dealing with Lost or Stolen Mobile Phones
    • Security of Software and Chipped SIM cards in Mobile Phones
    • Regulatory Environment for Mobile Phone Banking
    • References and Research Sources and Tools
    ATMIA has facilitated a portal on www.atmia.com for this committee dedicated to the notes, papers, etc., where committee members can stay up-to-date on the committee developments.

    There will be a panel discussion on Mobile Phone Security during the September Security Conference.
  • PCI Update – The PCI Security Standards Council is working on updating the PCI DSS.  At this point it is unclear how much this will impact the industry but we do not anticipate a significant impact on ATM ISO's.  The Payment Application Best Practices are now a mandate called Payment Application DSS with sunset dates on non-compliant or non-validated applications extending to 2010.  Outlined below is each of the five mandates, which will take effect over the next three years, related to PA-DSS.

    Phase Compliance Mandates

    • Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications
      Effective Date:  1/1/08
    • VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant
      Effective Date:  7/1/08
    • Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications
      Effective Date:  10/1/08
    • VNPs and agents must decertify all vulnerable payment applications
      Effective Date:  10/1/09
    • Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications
      Effective Date:  7/1/10

  • Version 2 of SVC Best Practices Update – Revisions have been completed on Version 2 updating the outdated material.

NEW – Ram Raid Committee – Next Meeting (TBA)

April 23, 2008 ATMIA hosted a Ram Raid Committee conference call to address the growing problem with Ram Raids in the Dallas – Ft. Worth Metroplex. The call provided invaluable insight into ram raids from all participants. Since the call, contact has been made with Lieutenant Todd Thomasson who is working with the various local law enforcement departments impacted by the Ram Raids. According to the Dallas Morning News, there have been 42 ram raids in Dallas alone this year and in some instances store owners have opted not to replace their machines.  

Lieutenant Thomasson has set-up a special database in which to log the specific crimes as it pertains to ATMs and share intelligence across various cities within the Metro area. A call is being coordinated for next week to discuss with him the impacts ram raids have on various industry segments including but not limited to merchants, ATM deployers and consumers. To best prepare and work with local law enforcement ATMIA is in need of obtaining information on the following:

  • Specific cases of Ram Raids that have not been reported to Cynthia Habeeb, ATMIA US Manager and/or Lieutenant Todd Thomasson. Case numbers as well as locations of these burglaries are beneficial in assisting local law enforcement.
  • District Attorney contacts who have prosecuted criminals for their participation in ATM Ram Raids. All contacts are welcomed as we look for ways to deter criminals from this act.  Please, send your contacts and information to Cynthia Habeeb, ATMIA US Manager.

This committee is developed to address Ram Raid concerns across the U.S.  Should any occurrences of this act occur across the US, ATMIA would like to assist with local law enforcement to lessen their impact.

Again, ATMIA is setting up a portal on www.atmia.com for this committee dedicated to the notes, papers, etc., where committee members can stay up-to-date on the committee developments.

If you are interested in participating in any of ATMIA’s US initiatives, please feel free to contact either Cynthia Habeeb, ATMIA US Manager, or Lana Harmelink, ATMIA International Director of Operations.

About ATMIA

www.atmia.com
PO Box 452 – Brookings, SD 57006 USA 

As an independent, non-profit trade association, ATMIA's mission is: to promote ATM convenience, growth
and usage worldwide; to protect the ATM industry’s assets, interests, good name and public trust; and to provide
education, best practices, political voice and networking opportunities for member organizations. ATMIA is the
world’s only international trade body for the ATM industry with more than 1000 members in about 50 countries.
In June 2003, ATMIA established the Global ATM Security Alliance (GASA) (www.globalasa.com) with the
mission to employ global security resources in a united alliance in order to protect the ATM industry from criminal
activity. GASA publishes international security lifecycle best practices and manages a global ATM crime
data management system called Cognito, which includes an online fraud library.


© 2008 ATM Industry Association. All Rights Reserved.