ATM Best Practices
Approved July 2007

A. Sponsorship

1. What is sponsorship and why do I need it?
With the advent of “off-premises” ATMs, i.e., those in non-banking locations, networks needed to find a way to allow ATMs owned by individuals and private companies to connect to the system. The solution was to ask the Member Financial Institutions to sponsor individuals and companies who place ATMs in non-banking locations. By sponsoring a private company’s ATMs, a Financial Institution takes on itself the full responsibility for those terminals in the eyes of the networks. That means that the Financial Institution bears all risks associated with placing that machine, including the risk of fraud and the possibility that a compromise at one machine could adversely affect the entire system. Because sponsorship carries such risk, any Financial Institution is obligated to do extensive due diligence on the companies with which it does business, to mitigate the risk and protect the overall ATM system.

2. What is due diligence?
In the case of ATM sponsorship, due diligence is the process of investigating the Independent Sales Organization (ISO), including a thorough analysis of the financial health of the business and its owners or officers, investigations into the financial and criminal history of the people running the business, and technical evaluations of the equipment to be used in processing the transactions. This due diligence information provides the networks, the regulators, and the sponsoring financial institutions with the information necessary to determine the amount of risk associated with an ISO’s or agent’s network sponsorship and participation. This due diligence effort is a means by which all participants throughout the ATM chain can help protect the integrity of the EFT industry.

3. What are the minimum due diligence requirements of a Sponsoring Financial Institution (SFI)?
The minimum requirements of the Sponsoring Financial Institution (SFI) can vary depending on its internal policies on sponsorship. Most SFIs require some form of the following:

a. Business Financial Information, to include Financial Statements (Balance Sheet and Income Statement) for the most current two year period;
b. Federal Income Tax Returns (two previous years, all schedules and extensions);
c. Financial Information for any principal with significant ownership or management interest in the company, to include complete income tax returns for the most current two year period (some SFIs also require current personal financial statements);
d. Proof of Liability Insurance (insurance declaration page);
e. Proof of valid existence of company (Articles of Incorporation, LLC or Partnership Organization);
f. Documentation showing ownership and percentage owned;
g. Internal documentation to include:
   1. Background investigation;
   2. Credit Checks on all principals;
   3. Business Credit Check or Dun & Bradstreet review;
   4. On-site inspections;
   5. Network registration materials, which may include a PIN Security Audit.
4. What will happen with all this information?
The due diligence information provided will be retained in the SFI’s files and will become a permanent part of the SFI’s records. The files may be reviewed by the networks and banking regulatory examiners. If the information gathered does not meet the network guidelines or the standard determined by the SFI, the SFI could be criticized formally by the networks, regulators and/or the SFI’s board of directors. This action could result in the ISO’s termination and/or the termination of the program.
5. How is this information used?
The due diligence information is used to:
a. Determine and validate the financial responsibility of the ISO or third party agents.
b. Ensure that no significant derogatory information exists.
c. Validate the ownership of the business.
d. Validate identification of the principals and of the key agents.
e. Verify inventory and review solicitation or sales materials.
6. Is the information kept confidential?
All collected due diligence data will be treated in accordance with federal regulations regarding privacy and the confidentiality of financial records (http://www.ftc.gov/privacy/glbact). Collected due diligence information will be reviewed first by the collecting party, which may be an SFI, a processor or an independent consultant working on behalf of a processor or SFI. The information will then be provided to the SFI for approval and reviewed by the network(s). Bank regulatory examiners may also review it during their routine audits of the SFI’s programs.
B. Financial Review of Company

7. How can I obtain audited financial statements for my business?
If your financial records are excellent, any CPA can review them and provide you with audited financial statements. The process is generally expensive and takes a fair amount of time. Audited financial statements are the most reliable type of financial statements. The audit is based on information submitted by the client, and the CPA does not verify all of the information. Limits on the scope of the audit and on the CPA’s responsibility are described in the opinion letter that accompanies the audited statements. However, the value of an audited statement is that the independent CPA is responsible for testing and verifying any numbers that seem questionable or unusual, as well as the most material financial information.
8. If audited financials are not available, will a reviewed compilation be sufficient?
Generally, yes. Reviewed compilations are financial statements prepared by an independent CPA that have been subject to some examination but have not been audited. The CPA is required to consider the reasonableness of the information. If any number appears questionable, the CPA must make inquiries, apply analytical procedures, or take other appropriate actions to provide a reasonable basis for expressing limited assurance that there are no material modifications that should be made to the statements in order for them to be in conformity with Generally Accepted Accounting Principles (GAAP). Any departure from GAAP in reviewed statements should be noted in the transmittal letter and detailed in a footnote.
9. Can a Certified Public Accountant (CPA) or an Accountant provide sufficient information to meet this requirement?
Both audited and reviewed compilations are prepared by CPAs. Financial statements prepared by an Accountant would not have the credibility of audited or reviewed financials. Generally, SFIs will accept financials prepared by an Accountant in combination with other documents such as business income tax returns and credit bureau reports.
10. Will an internally generated document from my accounting software be acceptable?
This may vary according to the SFI’s policies. At a minimum, business financials will be required, including a balance sheet and income statement. They should be detailed, accurate, and professional in appearance. Some SFIs require that they be signed and dated. Your financial statements will be only one aspect of the approval process.
11. Will financials from my bookkeeper suffice?
This may vary according to the SFI’s policies. At a minimum, business financials will be required, including a balance sheet and income statement. They should be detailed, accurate, and professional in appearance. Some SFIs require that they be signed and dated. Your financial statements will be only one aspect of the approval process.
12. The SFI is asking for two years of financials and two years of tax returns. Why do they require this?
The sponsoring financial institution will validate and analyze the financial picture your company presents. Two sources of financial information will not only provide additional data, they will also provide a way of validating the information. Two years’ worth of information will give comparisons so that trends can be established.
13. What if I am a new, start-up company and don’t have financial statements or tax returns yet?
The SFI will rely on the personal financial statements and personal income tax returns of your principals to make an evaluation of the risk associated with doing business with your company. Depending on your SFI, these documents may have to be stronger than would normally be required. A personal guarantee may be requested from all principals and/or a deposit may be required to mitigate risk. Some SFIs have an underwriting policy that requires the company to be in business for two years before it can be accepted as an ISO.
14. Would the SFI accept my tax records submitted to city, state, and federal agencies?
Generally, SFIs will request two years of business tax returns and two years of personal tax returns from principals who have a significant interest in the company. SFIs want to see your federal tax returns. They are less interested in your state or local tax returns unless there is information contained in them that significantly alters your company’s financial picture.
15. My company shows a loss; will I be turned down?
Some SFIs have policies and procedures that require the ISO to be profitable or to be in a profitable trend. However, many factors dictate profitability, and bankers are experts at analyzing financial statements and determining the reasons that companies are not profitable. If the reason is logical, most SFIs will not view a loss as the sole factor in declining an application.
16. I have never submitted anything to Dun & Bradstreet. Is this mandatory?
No, information can be obtained from other reporting companies. If an SFI has financial statements, tax returns, background investigations, on-site inspections and principal information, it will generally not demand a D&B if one is not available.
17. What sort of criteria will be used to evaluate my company?
Every SFI will have its own set of criteria. The following gives you a general idea of the requirements an SFI might look for:

1. Financial Information – Are you building the company?
2. Personal Investment – Is your money on the line?
3. Profitability – Do you know how to manage your company?
4. Size of the Company – Will the time and resources the financial institution must expend result in an adequate return for the investment?
5. Background investigation and credit reports – Are you reputable?
C. Review of Principals

18. Why does the SFI need personal tax returns and financial information?
The networks require the SFI to complete a financial evaluation of any principal. A review of your tax returns, a credit report and other financial information is the only way this can be accomplished. There are several reasons this review is important.

1. The SFI can determine the ability of a principal to support a company when adverse conditions present themselves.
2. If guarantees are required, the SFI can determine the ability of the principals to meet the guarantee.
3. Generally, the principal is also the president and/or manager of the ISO’s company, and a review of the ability to manage personal assets is important in determining the ability to profitably manage the company.
19. How will this information be used?
The information provided to an SFI or collecting agency (such as a processor or consultant working with the SFI) will be used first to qualify an applicant for sponsorship. The SFI will evaluate your business performance, business standards, and ethical practices to ensure the ongoing viability of your company and your ability to bear any potential liability in sponsorship of your company to a network and/or networks. Depending on network requirements, the information may also be shared with the network(s) that will give final approval to the application.
20. Will the information be kept confidential?
Financial institutions are required by Federal Regulations (http://www.ftc.gov/privacy/glbact) to keep confidential all information given to them. Additionally, privacy and confidentiality clauses should be present in your sponsorship agreement. However, network rules may require that your financial information be shared with the network giving final approval to the application. Additionally, federal regulators may require that the SFI share information about their clients during mandated audits.
21. Am I personally responsible for losses my business incurs, and to what extent?
You may be personally responsible for any liability your company incurs, depending on the requirements of the SFI, the sponsorship agreement you have signed, and how your company is licensed.
22. This is a corporation. Why do I have to supply personal financial information?
Please refer to the answer to number 18 (above).
23. This company is owned by many stockholders, none having more than 10% ownership. What will the SFI want?
Because your company is incorporated with stockholders, the SFI will require corporate filings, including annual reports with audited financial statements for the most recent two years.
24. Will I have to submit this information in the future or just this once?
You will most likely have to submit this information each year. Some networks require annual updates and reviews of financial information, and generally an SFI’s underwriting requirements and regulatory examiners require regular financial updates of customers.
25. What is valid identification of principals?
Validation may be personal verification or professional investigation of such items as:

1. Name – Social Security Number match;
2. Criminal records;
3. Residency – Citizenship, legal residency, or legal alien status;
4. Check against the OFAC list (Office of Foreign Assets Control);
5. Business records as available from Lexis-Nexis or similar databases;
6. Other such items as may be required.
26. If any of the principals have criminal backgrounds, will that automatically impede approval from the SFI?
Evidence of a criminal history will mean increased scrutiny for both the principal(s) involved and the ISO. Much will depend on what the records reveal, as well as on the policies of your SFI. A youthful indiscretion or a DUI probably will not prevent you or your company from being approved for sponsorship. On the other hand, a felony conviction for fraud or financial crimes may be cause to reject your application.
27. Is permission required for the SFI to have these checks run on my business or myself?
Most applications for sponsorship include permission to obtain background information and credit checks. It is a federal regulation that financial institutions obtain permission for certain investigations such as personal credit checks. Other background checks, such as a D&B on your company or a check of public records, do not require your permission. However, an SFI wants the ISO to know exactly what type of information will be reviewed, so it is a business courtesy observed by most SFIs.
28. Can I receive a copy of whatever you uncover? What are my rights regarding checking the accuracy of the information?
Most SFIs will give you any documentation they receive, or they will give you the source of the documentation and that source company will give you the information. If you are declined, it is particularly important to understand the reason for the declination. This will give you an opportunity to dispute any incorrect information. Additionally, if you move from one SFI to another it may save you the cost of completing another background investigation.
29. Will I have an opportunity to explain if there is derogatory information on my reports?
Generally, if an SFI finds derogatory information on a report, you will be contacted and asked to supply an explanation. In some cases, the SFI might request permission to conduct a more comprehensive background investigation to confirm your account of the situation.
30. What sorts of things will disqualify me from receiving sponsorship?
This will depend on the policies of your SFI, but possible disqualifiers might include a criminal history of fraud or financial crimes, evidence that you or your company are involved in illegal activities or support such activities, serious questions about your ability to manage the financial and technical risks of driving ATMs, or financial insolvency. In addition, some networks maintain a list of companies with whom they refuse to do business. If you are on a network’s “terminated for cause” list, the SFI will not be able to offer you sponsorship into that network.
31. Once I am approved, will this information ever be reevaluated? Will I have to submit this information again?
Some information will need to be reevaluated periodically. Most SFIs conduct annual reviews of their customers, which may require new credit checks and financial information to confirm that no major changes have occurred in the last year. In cases where information expires, proof of renewal will be required.
32. What is OFAC and why does it apply to me?
OFAC stands for the Office of Foreign Assets Control and is the federal agency responsible for tracking and preventing foreign money laundering by international drug dealers or terrorists. The agency periodically puts out a list of known or suspected dealers and terrorists. With the passage of the USA PATRIOT Act, all financial institutions are required to check their customers against this list in an effort to prevent money laundering through their institutions. This requirement also applies to Sponsorship customers.
D. Review of Business Relationships

33. What do you mean by business relationship?
You should provide a list of any DBAs used by your company, now or in the past. You should also disclose any names under which your company operated in the past. In its “Enhanced ISO/Service Provider Risk Standards,” Visa requires this review of other business relationships and requires that those names be checked against Visa’s list of disqualified entities.
34. Why would a business be disqualified by Visa or another network?
While the chances of being disqualified are slim, if a business repeatedly failed to abide by network regulations, a network could refuse to allow that business to participate in network sponsorship.
35. Does the sponsoring SFI require any kind of collateral fund be established?
Some SFIs do require that a collateral fund be established, in the form of a letter of credit, a personal guaranty by the principals or a CD on deposit with the FI. To a large extent, this depends on the services the SFI performs for you (whether they also do settlement or provide vault cash, for example), as well as the underwriting guidelines of the SFI.
E. Terminal Inventory Procedures and Controls

36. What information is required as documentation for individual ATMs?
At a minimum, you need to document the actual, physical location of each ATM, whether currently in service or not. Then, depending on your networks and your SFI’s requirements, you may also be asked to provide some or all of the following information:

a. ATM makes and models;
b. Terminal serial numbers;
c. Terminal ID numbers;
d. Software, hardware and firmware versions;
e. Terminal owners’ names and contact information;
f. Terminal owners’ Social Security Numbers;
g. Terminal owners’ driver’s license numbers;
h. Surcharge amounts;
i. Names of companies or individuals providing vault cash, first and second line maintenance, key loading, etc.
37       Can the processor update the SFI or does the     Since the Sponsorship Agreement is between the ISO and the SFI, the ISO is the
         ISO have to take that responsibility?            entity responsible for seeing that all required information is reported to the SFI.
                                                          However, the ISO may be able to direct the processor(s) to provide certain reports
                                                          or information to the SFI directly on behalf of the ISO. This may require that a three-
                                                          way agreement between all parties be in place.
38       Why do I have to report all my locations to my   From a network perspective, the terminal is the responsibility of the SFI; at a
         SFI?                                             minimum, the SFI is responsible for it and for maintaining detailed terminal inventory
                                                          records. Additionally, this reporting is required under ANSI standards and most
                                                          network regulations to help prevent fraud, and it is considered an industry best
                                                          practice. Also, many networks maintain online lists of the terminals in their networks
                                                          for the convenience of their cardholders. These networks require that SFIs submit
                                                          quarterly databases showing all locations for the terminals they sponsor, so that they
                                                          can keep their lists up to date.
39       What is this information used for?               ATM location is critical when a processor or network investigates suspected
                                                          fraudulent transactions or a suspected compromise of the ATM. It is also
                                                          necessary in the event a cardholder files a claim under Regulation E. Also, many
                                                          networks generate lists of terminal locations for the convenience of cardholders
                                                          trying to find an ATM. Terminals are often listed by sponsor, and network regulations
                                                          prohibit the networks from sharing proprietary information about the ISOs who own or
                                                          place these ATMs.
40       Why do you have to know when I move a           It is important that both the SFI and the networks have up-to-date and accurate
         machine as long as you know that I have it?     information on the terminals you own and/or place. This facilitates promotion of your
                                                         business by referring cardholders to your machines, as well as ensuring that all
                                                         machines are protected against fraud.
41       Am I responsible for a terminal I sell?         If you are still receiving any income from that machine you are generally seen as
                                                         bearing the liability for that machine. You must include that machine in any reporting
                                                         you make to your SFI. Even if you sell a terminal outright and do not continue to
                                                         provide any services, you should always bear in mind the potential for abuse that
                                                         machine has. Under no circumstances should you sell a machine to someone you
                                                         know or suspect is engaged in criminal activity. New ATM Operator requirements
                                                         now mandate checks on all individuals before a terminal is sold to them.
42       Do my procedures have to be in writing?         Yes, most network regulations require that all ISO procedures be documented.
43       What procedures should I have for managing my   Terminal management procedures should include at a minimum: purchasing,
         terminals?                                      installation, inventory control, inspection, and deactivation. Inventory control
                                                         procedures should include detailed methods for keeping track of machines in
                                                         storage or between installations, as well as the locations of all installed machines.
                                                         PIN security procedures should document receiving, storing, accessing, installing,
                                                         destroying, and deactivating encryption key components. These procedures will
                                                         ensure the ISO knows how to manage key components in compliance with
                                                         regulations. The ISO should also have procedures that ensure a documented paper
                                                         trail and that address dual control of key components. This will help the ISO
                                                         protect against possible machine compromise.
44       Why do I have to report a machine that is not   Machines that are being stored, especially if they are simply between installations,
         currently installed?                            are vulnerable to tampering and misuse. Stolen machines can be set up as
                                                         dummy terminals to skim card numbers. Accurate inventory control records, along with
                                                         good security procedures, help ensure that none of the machines currently installed
                                                         has been compromised during a period of non-use.
F.       Conducting Audits
45       Which audits do I need to complete?             The requirements for audits vary from network to network. The Associations
                                                         (MasterCard & Visa) require the PCI audit that ISOs must complete before their
                                                         initial registration and every year thereafter. The regional networks require the ANSI
                                                         TG-3 audit and ISOs must complete it in even-numbered years. Also, some SFIs
                                                         may require regular or occasional audits themselves, even if your network(s) does
                                                         not. Check with your SFI to find out what its requirements are and which forms you
                                                         will need to complete.
46       Where do I get such audits?                     Your SFI will provide copies of the audit(s) used by the network(s) you are
                                                         participating in or you can contact the networks directly.
47       What do these audits measure exactly?           The audits measure the security of the processes and equipment used to manage
                                                      PIN encryption. Specifically, they help determine whether your terminals are fully
                                                      compliant with network standards and regulations and whether you and your staff
                                                      have proper control procedures in place and are performing encryption key
                                                      management duties according to recognized best practices. They will look at how
                                                      you generate keys (if you do), how you store and transport keys or key components,
                                                      how you load encryption keys into your terminals and how you protect the
                                                      equipment itself from tampering.
48       Why do I have to do this audit process?      What makes an ATM transaction one of the most secure financial transactions
                                                      available is that each user has a personal identification number (PIN) known only to
                                                      him or her. Protecting those PINs from compromise is the single most effective
                                                      strategy for protecting the integrity of an ATM transaction and ultimately the public’s
                                                      faith in ATMs themselves. We protect those PINs by electronically encrypting them
                                                      before they are transmitted over telephone lines for verification. If that encryption is
                                                      compromised, it puts PINs at risk of being exposed. The audits are check-ups to
                                                      ensure that the encryption and key control procedures are not subject to
                                                      compromise and the entire system is operating optimally.
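The key-component handling in item 43 (receiving, storing, loading and dual control of components) and the PIN encryption described in item 48 are stated as policy; the example below shows the mechanics an auditor looks at. It is an added Go program, not from this document or any network's specification, and it assumes the conventional scheme: a double-length TDES key formed by XORing two components held by separate custodians and adjusted to odd parity, a key check value (KCV) taken as the first three bytes of the TDES encryption of eight zero bytes, and an ISO 9564-1 Format 0 PIN block. The components and PAN are constructed for illustration and are not real key material or a real card number.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// CombineComponents XORs two 16-byte (double-length TDES) key components held by
// different custodians (split knowledge, dual control) and forces odd DES parity.
func CombineComponents(a, b []byte) ([]byte, error) {
	if len(a) != 16 || len(b) != 16 {
		return nil, errors.New("each component must be 16 bytes")
	}
	key := make([]byte, 16)
	for i := range key {
		key[i] = a[i] ^ b[i]
		if bits.OnesCount8(key[i])%2 == 0 { // even parity: flip the parity bit
			key[i] ^= 0x01
		}
	}
	return key, nil
}

// NewPINCipher returns a two-key TDES block cipher (K1||K2||K1) for a 16-byte key.
func NewPINCipher(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("double-length key expected")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
}

// KCV is the key check value: the first 3 bytes of TDES over eight zero bytes.
// Custodians compare it against the key log; the key itself is never displayed.
func KCV(key16 []byte) (string, error) {
	c, err := NewPINCipher(key16)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, out) // src and dst overlap entirely, which cipher.Block permits
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

func isDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// xorPANField XORs an 8-byte field with the ISO 9564-1 Format 0 PAN field
// (0000 then the rightmost 12 PAN digits excluding the check digit).
func xorPANField(field []byte, pan string) ([]byte, error) {
	if len(pan) < 13 || !isDigits(pan) || len(field) != 8 {
		return nil, errors.New("need a PAN of 13+ digits and an 8-byte field")
	}
	nf, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	out := make([]byte, 8)
	for i := range out {
		out[i] = field[i] ^ nf[i]
	}
	return out, nil
}

// FormatPINBlock builds a Format 0 PIN block: the PIN field (format nibble 0,
// PIN length, PIN digits, F padding) XORed with the PAN field.
func FormatPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !isDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, _ := hex.DecodeString(field + strings.Repeat("F", 16-len(field)))
	return xorPANField(pf, pan)
}

// ExtractPIN reverses FormatPINBlock, rejecting a block whose format, length or
// padding do not check out, which also catches a block formed under another PAN.
func ExtractPIN(block []byte, pan string) (string, error) {
	pf, err := xorPANField(block, pan)
	if err != nil {
		return "", err
	}
	field := strings.ToUpper(hex.EncodeToString(pf))
	n := int(pf[0] & 0x0F)
	if field[0] != '0' || n < 4 || n > 12 || !isDigits(field[2:2+n]) ||
		strings.Trim(field[2+n:], "F") != "" {
		return "", errors.New("not a valid Format 0 PIN block for this PAN")
	}
	return field[2 : 2+n], nil
}

func main() {
	// Constructed sample components and PAN: not real key material or a real card.
	compA, _ := hex.DecodeString("8A0C3FD157E29B461DC872A53E69F0B4")
	compB, _ := hex.DecodeString("3597C62AE84D0BF36C91D418A75E23C9")
	key, _ := CombineComponents(compA, compB)
	kcv, _ := KCV(key)
	block, _ := FormatPINBlock("1234", "4000123456789010")
	c, _ := NewPINCipher(key)
	enc := make([]byte, 8)
	c.Encrypt(enc, block) // this is what leaves the EPP; the clear block never does
	fmt.Printf("KCV %s (record in key log); PIN block %X -> encrypted %X\n", kcv, block, enc)
}
```

Two points the audit questions in this section turn on are visible here. The KCV is the only value a custodian should ever write in a key log or read back to confirm a load; it proves the right key was formed without revealing it, because recovering the key from three bytes of ciphertext is not feasible. And the PIN block is bound to the PAN before encryption, so a captured encrypted block cannot be replayed against another card; a host that decrypts a block under the wrong PAN gets garbage that fails the format checks in ExtractPIN rather than a plausible PIN.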
49       Will I ever have to complete this audit         Yes, as mentioned above, you will have to do this on a regular basis.
         procedure again?
50       What documents do I need to pass such an     The single most important thing you need to pass your audit is clear, detailed
         audit?                                       policies and procedures for managing your equipment and your encryption keys. All
                                                      audits have questions about whether those policies and procedures are in place and
                                                      are followed. If you do not have policies and procedures, or if your staff is not
                                                      trained to follow them accurately, you will have trouble passing your audit. At a
                                                      minimum, you should have policies and procedures on the following:

                                                       Terminal Management                         Key Management
                                                         Purchasing                                 Key Generation
                                                         Installation                               Component Transport
                                                         Inventory Control                          Component Storage
                                                         Inspection                                 Key Loading
                                                         Deactivation                               Key Destruction

                                                      You should also have policies and procedures on what to do in the event an
                                                      encryption key is compromised or if you experience a disaster (e.g. hurricane,
                                                      earthquake, tornado, etc.). In addition to policies and procedures, you also want to
                                                      keep on file copies of the information you give to your ATM installers or encryption
                                                      support organizations (ESOs) including copies of your policies and procedures and
                                                      any information they supply to you. This could include Key Logs that document
                                                      when a key is accessed or loaded into a terminal by your key custodians, whether
                                                      by your employees or those of an external ESO, and copies of your contracts with
                                                      your ESOs, sales representatives and merchants. It is also a good idea to have
                                                      documentation that the ATM or POS terminals you have purchased are fully
                                                      compliant with network regulations. This may include letters from the manufacturer
                                                               attesting that the terminal is equipped with an Encrypting PIN Pad and is capable of
                                                               processing in the Triple DES encryption standard. Finally, if you have terminals that
                                                               are not yet upgraded to the Triple DES standard, you should have on file a detailed
                                                               plan for when and how you will complete those upgrades.
51       Is the SFI required to give notice prior to the       Whether the SFI is required to give notice and how much notice is generally an
         audit, and if so, how much notice is typically        issue between you and the SFI sponsor. Most PIN security audits are on a regular
         given?                                                schedule (every year for the Associations and every even-numbered year for the
                                                               regional networks), so you should have a pretty good idea of when you must
                                                                 complete your audit. In the event that the network or SFI decides to do an on-site
                                                                 audit, they will generally provide several weeks' notice and will likely request certain
                                                                 information in advance to allow you the opportunity to prepare.
52       Who pays for the audit if it’s done by an             Again, this is a contractual issue between you and your SFI. One factor that might
         independent entity?                                   determine who is responsible for the cost is whether the independent auditor is
                                                               required by the network. At present, most networks do not require an independent
                                                               auditor except in rare circumstances. Even processors are generally allowed to
                                                               have internal auditors perform their annual audits, as long as that internal auditor is
                                                               not directly responsible for the operations he or she is auditing. However, if the
                                                               network or SFI believes there is a specific reason why an independent audit is
                                                               warranted, check your contract to see if the ISO is required to bear some or all of
                                                               that cost. Most likely, the ISO will be expected to pay expenses at least, if not both
                                                               expenses and any auditor’s fee.
53       Do I have the opportunity to resolve the identified   Absolutely. If an audit uncovers a deficiency in your system or procedures, you will
         issues in a specified timeframe?                      be asked to file an exception report explaining what action you will take to correct
                                                               the problem and when you expect to have it resolved. Networks may ask for an
                                                               action plan and timeframe for resolution to a deficiency. Usually the network or SFI
                                                               will set a date by which they expect you to have resolved all your issues. You often
                                                               have room to negotiate this date if you can demonstrate progress or provide a good
                                                               reason for further delay. However, if repeated audits have identified little or no
                                                               progress toward resolving these issues, the networks and the SFI have the right to
                                                               terminate your sponsorship arrangement without further notice.
54       What would be the audit procedures if I use a         You are ultimately responsible for keeping your terminals in compliance even if you
         third-party to install and service my machines?       outsource some of the maintenance and key loading services. If you use an
                                                               Encryption Service Organization (ESO) or Third-Party Service Provider, you should
                                                               make sure your contract ensures that the ESO or Service Provider will stay in
                                                               compliance with network regulations and industry best practices. Give your ESO a
                                                               copy of your policies and procedures and contractually obligate them to follow them
                                                               or scrutinize their policies and procedures to make sure you are comfortable with
                                                               them. You will be expected to answer the audit questions accurately on behalf of
                                                               your ESO and/or rely on current third-party audits performed by certified auditors on
                                                               that entity.
G.       Sub-Contractors
55       What is meant by “sub-contractors?”                   As your business grows, you may find you need to bring on more staff to sell your
                                                               machines or services. Depending on your business model, it might be the case that
                                                           you bring on sales or service representatives as independent contractors rather
                                                           than salaried employees. Sometimes you may contract with another ATM company
                                                           to market your services, especially as you move into a remote territory. There are
                                                           strict network rules that you must be aware of governing the way you can interact
                                                           with contractors or companies that are not in your direct employ.
56       Can I hire independent contractors to sell or     Yes, as long as it is done in a manner consistent with network regulations. PLUS
         service my machines?                              makes a distinction between an Independent Contractor (IC) and a sales
                                                            representative. Although both may do merchant solicitation, sales or servicing for
                                                            your registered ISO, an IC is an individual who sells for your company but does so in
                                                            his or her own name and receives compensation from the merchant or from a
                                                            portion of the transaction fees. All ICs must be registered with PLUS and pay the
                                                           annual registration fees. STAR does not allow ISOs to use ICs according to this
                                                           definition. Other networks have not specified registration procedures for ICs at this
                                                           time. On the other hand, most networks do allow you to employ sales
                                                           representatives. Any representatives selling your machines or services must clearly
                                                           represent themselves as working for your company. Their business cards and all
                                                           marketing materials must be in your company’s name. All sales they make must be
                                                           in your company’s name. Any agreements they make with merchant locations must
                                                           be between your company and the merchant with no third-party agreements. Their
                                                           wages, salary or commission must be reported on a 1099 form or a W-2. Sales
                                                           representatives do not have to be formally registered with the networks but your SFI
                                                           might require some form of documentation on any sales representative you employ.
57       How much information should I maintain on sales   Your SFI might have specific requirements for what information you need to provide
         representatives or independent contractors?       on your sales representatives. At a minimum, you should collect and confirm basic
                                                           personal identifiers, such as name, address, date and place of birth, social security
                                                           number, driver’s license number, etc. You will want to get a signed release
                                                           authorizing you or the SFI to conduct credit and background checks, if necessary. If
                                                           you are contracting with a company to sell your services, you will want to collect
                                                           basic corporate documentation and filing status.
58       What is the difference between a sales            A sub-ISO is an ATM company that is not registered with a network and does not
         representative and a sub-ISO? What is a sub-      have a direct relationship with either an SFI or a processor but makes an
         ISO?                                              arrangement with another ISO to drive its ATMs under the latter's network
                                                           affiliation. Most networks disallow this practice because it is difficult to enforce
                                                           compliance with network regulations or to establish clear responsibility for an ATM
                                                           in the event of fraud. Networks require that any single ISO placing ATMs be
                                                           registered directly with the networks and have contracts in its own name. The
                                                           registered ISO is at risk if they allow a company to operate in this fashion. They are
                                                           allowing a company to use their sponsorship which is against network regulations.
                                                           Not only could the ISO’s sponsorship be cancelled, they may be placed on the
                                                           network’s “terminated for cause” list and not be able to obtain sponsorship from any
                                                           SFI. The registered ISO is also fully responsible financially for any settlement loss
                                                           this sub-ISO may sustain. A small start-up company may find it beneficial to place
                                                           machines or sell services on behalf of a more established ISO until the start-up has
                                                                the necessary resources to establish its own sponsor and network business
                                                                relationships. This arrangement is acceptable as long as there is a clear contractual
                                                                relationship between the start-up company and the registered ISO and all marketing
                                                                materials and placement and servicing agreements are in the name of the larger
                                                                company. Careful records must be maintained, including terminal inventory records,
                                                                so that there is never any question regarding responsibility for those ATMs.
59       Do I need to register the Independent Contractor       Visa/PLUS requires registration for Independent Contractors but not for sales
         (IC) or sales representative? What does such           representatives. The initial Visa/PLUS registration fee is $1,000 for each IC, with a
         registration cost? Will I be charged or will the SFI   $500 annual renewal. Visa/PLUS will bill the SFI for these costs, and in most cases,
         be responsible for the costs?                          the SFI will pass the costs along to the ISO who can, in turn, pass them on to the
                                                                IC. STAR does not require sales representatives to register and does not allow ICs.
                                                                Other networks do not require either to register at this time. SFIs might require
                                                                some form of documentation on any sales representative you employ.
60       I have a company that loads keys and services          A company that only performs first line maintenance (e.g. changing receipt tape,
         ATMs. Do I need to be sponsored into the               fixing dispenser jams, etc.) on ATMs usually does not need to be registered with the
         network also? Do I need to be registered?              networks. However, if the company loads or reprograms terminal software or loads
                                                                encryption keys or components, many networks require that this type of
                                                                organization be registered as an ESO. Some networks have fees associated with
                                                                ESO registration.
61       Is there additional insurance required by the SFI      Depending on the SFI’s underwriting criteria, the SFI may require an ISO to carry
         for the IC, sales representative, or ESO?              additional insurance to cover its contractors and vendors, or the SFI may require
                                                                that the ISO show proof that the contractors and vendors carry adequate insurance
                                                                of their own. As a prudent business practice ISOs should maintain general liability
                                                                coverage for potential losses arising from their business practices or from services
                                                                performed for or on their behalf by others.
62       Does an ISO qualify as an ESO?                         Generally, if an ISO is only loading keys in its own machines and not contracting out
                                                                to load keys for other ISOs, it is not considered an ESO for the purposes of network
                                                                registration. If an ISO is performing key loading or programming services for other
                                                                ISOs or financial institutions, it would be considered an ESO and would be subject
                                                                to registration as such with the networks.
63       What is an ESO?                                        An ESO is an organization that performs encryption services such as ATM and POS
                                                                 terminal software loading or encryption key injection. Also, an ESO's
                                                                 responsibilities may include providing Internet devices to Account Holders or
                                                                 validating authentication tokens.
H.       General Business Practices
64       What is an ATM Operator?                               The term ATM Operator is defined by PLUS as a nonmember entity authorized by a
                                                                member or its agent to originate a PLUS transaction through the connection of an
                                                                ATM to the PLUS system and that displays the PLUS symbol. ATM Operators own,
                                                                operate, or lease ATMs that are connected to the PLUS system and may exhibit any
                                                                 of the following:
                                                                      1. Receive revenue from the interchange/fees;
                                                                      2. Manage cryptographic functions;
                                                                      3. Or stock ATMs with cash.

                                                                 Note: This excludes courier services.
65       What knowledge or information should I collect   If you are selling the ATM to a merchant, at a minimum, you should be collecting the
         on the ATM Operator?                             following merchant information:

                                                           a. Merchant name and any DBAs.
                                                           b. Physical location address of the terminal.
                                                           c. Owner/principal’s name, address, date of birth, and social security number.
                                                           d. Verification that the merchant was identified by a driver’s license or some other
                                                              official identification with a photograph.
                                                           e. A disclosure and authorization release that allows the SFI access to conduct
                                                              credit checks and background investigations on the entity and principals.
                                                           f. Terminal manufacturer, model number and serial number (EPP & terminal).
                                                           g. Terminal software, hardware and firmware versions.

                                                           The SFI will want to verify the identity (name/address/social security number) of the
                                                           merchant against the list of suspected drug traffickers or terrorists maintained by
                                                           OFAC as required by the USA PATRIOT Act. If you are not actually selling the
                                                           machine, but merely placing it in the merchant location, you should still collect basic
                                                           information on the business and its owner(s), including a business license and the
                                                           names, addresses and phone numbers of the principal owners. In every case, you
                                                           should also have an agreement with the merchant for providing services (i.e., a full
                                                           service turnkey placement). The ISO is encouraged to have any agreement used by
                                                           the ISO reviewed by an attorney to ensure the merchant is held to the same
                                                           standards of compliance as the SFI (and networks) hold the ISO. The ISO should
                                                           always use prudent business practices to ensure the terminal is not subject to
                                                           tampering or compromise in the merchant’s location. If the merchant is allowed any
                                                           access to the ATM (i.e., the merchant loads cash or performs service), then the ISO
                                                           should treat it as a sale, even if you maintain legal ownership of the machine, and
                                                           collect the highest level of due diligence requested by your SFI. The ISO should
                                                           also have policies and procedures in place to ensure that the terminals operated by
                                                           their merchants are reviewed and, on a regular basis, physically inspected for any
                                                           signs of tampering or potential compromising activity at the terminal.
66       What kinds of knowledge and information should   ISOs should use prudent business practices when selecting any vendor for services
         I collect on the vendors I use to service my     at the terminal, especially if those services could result in a security compromise at
         machines?                                        the terminal. If your vendor is an ESO performing key encryption or software
                                                           programming services on your terminals, they will be subject to registration in
                                                           certain networks, which means the information required on them could be extensive.
                                                           Inform your SFI of any vendors you use, so your SFI can determine the level of
                                                           registration required by each Network.
67       What constitutes adequate operational reporting?   The specific reports required will vary according to the SFI. However, it is likely the
         What reports should I have available for my SFI?   ISO will have to submit the following reports:


                                                            Monthly: transaction history for billing purposes.

                                                            Quarterly: database containing specific information about each terminal and
                                                            quarterly reports providing number of merchant locations.

                                                            Annually: updated financials on the ISO, updated financials on the principals, copy
                                                            of current insurance coverage and PIN security self-audit(s).

                                                             Periodically: information on transaction volumes, Reg. E claims, and adjustments
                                                             filed on behalf of the merchants, notification of any changes in ownership or other
                                                             material changes in the ISO’s operations, and audits of merchant accounts.
68       In what format should this documentation be        The SFI will probably want information provided electronically as much as possible,
         provided?                                          with paper back-up as requested. Most of the information regarding the merchant
                                                            should be made available to the SFI via the terminal set-up information procedures
                                                            with the ISO’s processor. The SFI will need documentation that the merchant was
                                                            identified by driver’s license or some other form of picture ID.
69       What does the SFI recommend I include in my        In your contract with your processor(s), your SFI may require a clause that gives the
         contracts with merchants and vendors?              processor permission to release transaction and terminal compliance information
                                                            directly to the sponsor for reporting purposes. You may want to consider the types
                                                            of exception reporting you require on possible compromises and include language
                                                            in your contract to cover that. In your merchant agreements, you should include
                                                            permission to do background and credit checks and language echoing your
                                                            sponsorship agreement obligating the merchant to abide by all network regulations
                                                            and protect the terminal from tampering. Also, you may wish to limit the degree to
                                                            which ATM servicing contracts could be assigned in the event the merchant sells
                                                            the ATM or the business.
70       How do I ensure that my customer information is    Any agreement between the ISO and SFI should be reviewed by the ISO’s attorney
         not used by the SFI for their gain?                and should have a confidentiality and non-disclosure clause that addresses the use,
                                                            if any, of customer information by the SFI for any purposes other than those solely
                                                            related to sponsorship.
71       How should I define protection of records?         The ISO should take reasonable precautions in backing up their computers,
                                                            maintaining firewalls and protecting merchant information. Always store encryption
                                                            keys and components in appropriate security containers under the principles of dual
                                                            control and split knowledge. Contracts should be stored in fireproof safes. Personal
                                                            information about merchants, vendors, employees, and anyone else with whom you
                                                             do business should be kept private. Verify with your SFI the length of time the SFI
                                                             requires records to be maintained on the merchants following termination of any
                                                             sponsorship relationship.
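Added example (Go, not taken from this document): a minimal split-knowledge key ceremony for a double-length TDES key, the "Triple DES (double key length)" the network mandates in this document refer to. Each custodian holds only one component; the combining device XORs them into the working key, and a key check value (KCV, the first three bytes of the TDES encryption of an all-zero block) lets a custodian confirm a component, or the processor confirm the loaded key, without anyone revealing the key itself. Function names are the example's own.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// KeyLen is the size of a double-length TDES key, the "Triple DES (double
// key length)" the network mandates refer to.
const KeyLen = 16

// FixParity sets every byte of k to odd parity in place. DES ignores the low
// bit of each key byte, so this changes no key material, only the check bits
// that let a device catch a mis-typed component.
func FixParity(k []byte) {
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			k[i] = b ^ 0x01
		}
	}
}

// NewComponent draws one random component for one custodian, who holds only
// this component and never the whole key (split knowledge).
func NewComponent() ([]byte, error) {
	c := make([]byte, KeyLen)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	FixParity(c)
	return c, nil
}

// Combine XORs two or more components into the working key. Only the device
// performing the XOR (EPP or HSM) holds the result; no one person does (dual
// control). A single component is refused.
func Combine(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("dual control requires at least two components")
	}
	key := make([]byte, KeyLen)
	for _, c := range components {
		if len(c) != KeyLen {
			return nil, fmt.Errorf("component is %d bytes, want %d", len(c), KeyLen)
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	FixParity(key) // XOR of odd-parity bytes flips parity; restore it
	return key, nil
}

// KCV returns the key check value written on key loading forms and processor
// reports: the first three bytes of the TDES encryption of an all-zero block,
// as lowercase hex. It confirms a key was entered correctly without exposing it.
func KCV(key []byte) (string, error) {
	if len(key) != KeyLen {
		return "", fmt.Errorf("key is %d bytes, want %d", len(key), KeyLen)
	}
	// Go's TDES wants K1||K2||K3; a double-length key is used as K1||K2||K1.
	k24 := append(append([]byte{}, key...), key[:8]...)
	block, err := des.NewTripleDESCipher(k24)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, make([]byte, des.BlockSize))
	return hex.EncodeToString(out[:3]), nil
}

func main() {
	// Ceremony: each custodian generates a component and records its KCV; the
	// device combines them and reports the working key's KCV for the processor.
	c1, _ := NewComponent()
	c2, _ := NewComponent()
	key, _ := Combine(c1, c2)
	k1, _ := KCV(c1)
	k2, _ := KCV(c2)
	kk, _ := KCV(key)
	fmt.Printf("component KCVs %s %s, working key KCV %s\n", k1, k2, kk)
}
```

The processor's record of the working key's KCV, compared with what the EPP reports after loading, is the check item 87 calls "verifying full component keys"; a mismatch means a component was mis-keyed or substituted.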
72       What is meant by adequate exception reporting          Terminal compromise or attempted terminal compromise is usually detected first by
         processes?                                             your processor and their software is required to have exception reporting. Your
                                                                processor will provide exception reports of any terminal activity outside of normal
                                                                activity. Your procedures need to reflect that these reports are consistently
                                                                reviewed and agreed to, with initials of the reviewer and date reviewed. Ask your
                                                                processor about the types of exception reporting available.
I.       Hardware Compliance
73       What documentation do I need to show that my           A terminal manufacturer can provide you with a certification letter that states which
         machines are in compliance?                            terminal devices and software versions are in compliance with the network security
                                                                standards and which units have Encrypting PIN Pads (EPPs) in a tamper
                                                                resistant security module (TRSM). The letter should be issued from the technical or
                                                                service department, not from the sales department. Additionally, Visa has
                                                                contracted with several labs that will be responsible for certifying ATM hardware and
                                                                providing an approved device list for all devices that have been certified by their lab.
                                                                This list is provided at www.visa.com/pin.
74       Where can I find out the technical standards that      Technical standards are outlined in most networks’ regulations which your
         I need to look for in a machine?                       sponsoring institution should have available. You can also purchase the American
                                                                National Standards Institute (ANSI) standards documents X9.24 and X9.8, on which
                                                                the network regulations are based by going to the ANSI web site:
                                                                http://webstore.ansi.org/ansidocstore/dept.asp?dept_id=80.
75       Aren’t all machines sold now compliant with the        No, however, since all new ATMs must be in compliance with the network
         regulations?                                           regulations as of October 1, 2005, you will need to verify with each manufacturer
                                                                that the machines you are purchasing are Triple DES compliant and have
                                                                encrypting PIN pads. If you are purchasing used ATM hardware, those machines
                                                                may not comply with the network regulations because companies selling ATMs are
                                                                still in the process of clearing their inventory of non-compliant machines. Be sure
                                                                you get a complete and accurate description of all the machine’s software, firmware
                                                                and hardware and verify with the manufacturer that the machine meets all network
                                                                requirements.
76       Is there any central place I can go to find out if a   Visa offers an approved device list for all devices that have been certified by an
         machine is compliant?                                  independent lab. This information is available at www.visa.com/pin.

77       What is an Encrypting PIN Pad?                         On an ATM, a PIN Pad is the keypad device where the consumer enters their PIN.
                                                                An encrypting PIN Pad means that the encryption of the consumer’s PIN is handled
                                                                within that PIN Pad device as opposed to somewhere else within the ATM. An
                                                                encrypting PIN pad is itself a Tamper Resistant Security Module (TRSM), which
                                                                means it cannot be physically accessed or modified without destroying the device
                                                                and all software and information stored inside, including encryption keys.
78       Are there any waivers granted for non-compliant        While there are no general waivers being granted at this time, the networks are
         ATMs?                                                  giving terminal owners and operators time to comply with their regulations before
                                                                imposing fines. However, until compliance is obtained, full liability in the event of a
                                                                card compromise is placed entirely on the ATM owner.
79       Are there any ATMs grandfathered?                 At this time, the networks have not agreed to grandfather any ATMs past the
                                                           mandatory compliance dates.
80       What are the timeframes required for Triple DES   The mandatory compliance dates for TDES vary according to network and are
         compliance?                                       subject to change. The initial deadlines posted by the networks are as follows:

                                                                    April 1, 2005            All ATMs in the Cirrus network must be fully
                                                                                             TDES compliant.
                                                                    June 30, 2005            ACCEL/Exchange Network – Each Acquirer
                                                                                             Processor that supports PINs for Network
                                                                                             transactions must employ Triple DES (double
                                                                                             key length) for PIN block encryption in
                                                                                             compliance with ANSI X3.92: 1987, Data
                                                                                             Encryption Algorithm, and ANSI X9.52: 1998,
                                                                                             Triple Data Encryption Algorithms Mode of
                                                                                             Operation, to protect the PINs during
                                                                                             interchange and transmission of transactions.
                                                                    December 31, 2005        All ATMs in the regional networks must be fully
                                                                                             TDES compliant.
                                                                    December 31, 2007        All ATMs in the PLUS network must be fully
                                                                                             TDES compliant.
                                                                    July 1, 2010             ACCEL/Exchange Network – all POS devices
                                                                                             participating in the Network that support PIN
                                                                                             acceptance are required to use Triple DES
                                                                                         (double key length) or single DES with Derived
                                                                                             Unique Key per transaction (DUKPT) for PIN
                                                                                             block encryption.

                                                           The networks have taken the position that ATMs should have always offered an
                                                           EPP; therefore, they have not documented a specific deadline as to when an ATM
                                                           must support an EPP.
81       What if all my ATMs are not compliant and it      If this situation occurs, you should discuss this with your SFI. An SFI may request
         requires a significant investment to upgrade or   an extension to the network deadlines in order to give you adequate time to comply
         totally replace them?                             with the regulations. However, an extension represents a period of time exempt
                                                           from fines but does not represent a release from liability.
82       How do I find out what software version I’m       Identification of the software will depend on each ATM manufacturer and model.
         running?                                          The software version can be identified in two ways for most ATMs with terminal-based
                                                           software, such as a Triton, Tidel or Tranax. The first method is to go to the terminal
                                                           and enter the management functions of the ATM to pull a Terminal Configuration
                                                           report. You will find the software version printed on that report. The second method
                                                           is to dial into the ATM and pull down that information with a terminal management
                                                           software package such as Triton Connect or Tidel AIMS. For Host-based ATMs,
                                                           you should contact the terminal manufacturer to determine the best method to
                                                           retrieve this information. It may not be sufficient to rely on the manufacturer’s
                                                           specifications for software in a machine. A machine that left the factory with one
                                                           standard software package installed may have had upgrades to another software
                                                           version. Contact your machine manufacturer to accurately determine this.
83       What is firmware? How do I know what firmware        Firmware is software embedded in a chip or other piece of hardware. Firmware is
         version I’m running?                                 static and cannot be changed or upgraded the way most software can. Identification
                                                              of the firmware will depend on the ATM manufacturer and model. Most ATMs with
                                                              terminal-based software, such as Triton, Tidel or Tranax machines, will have the
                                                              firmware information stored in the Terminal Configuration report. For Host-based
                                                              ATMs, you should contact the terminal manufacturer to determine the best method
                                                              to retrieve this information. Firmware cannot be upgraded or changed. You may be
                                                              able to retrieve this information from the manufacturer if you have the ATM serial
                                                              number.
J.       Due Diligence Record Retention
84       Is it my responsibility to verify that my SFI is     No, this is a responsibility the networks and regulators place on the SFI. It is,
         maintaining these records?                           however, your responsibility to supply adequate information to your SFI so that the
                                                              records they maintain on your ISO(s) are complete.
85       How long should I keep my records after I cease      In general, most records should be kept for a minimum of five years after the
         doing business with a merchant, ESO, or SFI?         termination of the business relationship. You should, however, consult with your SFI
                                                              to see what they require.
86       What is my responsibility for maintaining records    As soon as you make the decision to sell or dissolve your business, you should
         if I sell my business or go out of business?         inform your SFI of your intentions and your plans for your terminal inventory. You
                                                              may incur some fines from early cancellation of the sponsorship agreement. Do not
                                                              assume you can assign your sponsorship contract to the new owners if you are
                                                              selling. There may be limitations or restrictions on whether your entire contract or
                                                              portions of it can be assigned. Be prepared to provide your SFI with an accurate
                                                              and updated list of your terminals and their locations. If you are de-installing your
                                                              terminals, your SFI may request proof that all encryption keys were erased from the
                                                              machines. Obtain legal advice concerning any ongoing legal liabilities you may have
                                                              in connection with contracts you have signed.
87       What if I buy a business? What responsibility do I   The following provides a few suggestions on acquiring a new business:
         have maintaining their old records or if their
         records are not complete?                            1. You will be required to verify the terminal information and ensure that it is up to
                                                                 date.
                                                              2. Comply with any network regulation concerning terminal compliance.
                                                              3. Verify ATM activations to ensure that ATM key components have not been
                                                                 compromised and seriously consider changing key components.
                                                              4. Get processor reports verifying full component keys, unique keys and PIN Pad
                                                                 blocking for all your computers.
                                                              5. Inspect ATMs to ensure they are secure and have not been tampered with or
                                                                 compromised.
                                                              6. Determine with the SFI if the sponsorship agreement is assignable and supply
                                                                 new ownership information.
                                                              7. Verify with each Merchant the terms of the agreement and merchant data to
                                                                 ensure there have been no ownership changes. Update merchant records with
                                                                 any changes.

K.       Anti-Money Laundering             The FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual outlines
                                           the responsibilities of the sponsoring bank’s risk management requirements.
                                           Please contact your Sponsor Bank for its directive relative to compliance with the
                                           regulation.
                      Approved July 2007                                           Page 18 of 18