Wednesday, March 25, 2009

Alert! Use Caution When Purchasing or Deploying PIN Entry Devices (PEDs)

In the past, PIN Entry Device (PED) security requirements originated from Visa, MasterCard and JCB. That is no longer true. Currently, the five major payment brands (American Express, Discover, JCB, MasterCard and Visa) have come together to form the Payment Card Industry Security Standards Council, commonly known as PCI.
 
Until PCI came along, Visa maintained on its website a listing of compliant point-of-sale devices and encrypting PIN pads, but Visa’s listing (today referred to as the Pre-PCI device listing) expired on December 31, 2007. The Visa Pre-PCI device listing was replaced by the PCI listing now available on the PCI website at www.pcisecuritystandards.org.
 
According to Visa, all Pre-PCI device approvals have expired as of December 31, 2007 and Pre-PCI devices cannot be purchased after their approval expiration date. Pre-PCI devices can be deployed after December 31, 2007 only if purchased before December 31, 2007.
 
Why is this important to ATM ISOs and Operators? As ATM ISOs and Operators shop for PEDs to be used as replacements or upgrades in their ATMs, they need to be cautious of sellers who offer devices for sale that are not on the current PCI PED approval list. For example, be cautious of advertisements or listings that make no mention of PCI PED approval. And be cautious of ads that might describe products as “Visa approved.” You might be buying obsolete products that will expose you to liability according to network rules.
 
In order to avoid liability associated with the compromise of a personal identification number (PIN), it is the obligation of every ATM ISO or Operator to make sure they purchase and deploy PEDs on their ATMs that are PCI PED approved.
 
Currently, the one and only place to verify whether a PED is approved is the PCI website. Click here if you’d like to verify your equipment.

IMPORTANT PCI LINK: https://www.pcisecuritystandards.org/education/prioritized.shtml

Posted by NAAIO at 22:00:14

NAAIO Has Second Meeting with MasterCard

On February 24, 2009, representatives of NAAIO met with MasterCard for a second time at MC’s headquarters in Purchase, NY. NAAIO representatives included Steve Burns (E-Cash; NAAIO Board member and NAAIO President), Ray Varcho (WRG Services Inc; NAAIO Board member), and Darryl Ware (WWS ATM; NAAIO Board member). The meeting was coordinated and attended by Kendall Harsch of MetaBank, a leading ISO sponsoring financial institution.
 
NAAIO, on behalf of its membership, welcomed the invitation to sit down with top decision makers who hold responsibility for ATM program management. As a continuation of the introductory meeting held in November of 2008, significant effort was devoted to a discussion of the typical ISO ATM business model, as compared and contrasted with the financial institution ATM model. The discussion included the current state of the ATM ISO industry and the challenges related to surcharge, interchange, equipment pricing, service, and ancillary products and services such as co-branding. NAAIO and MC are exploring ways to foster ATM transactional growth.
 
Other topics of discussion included educational and public relations efforts, as well as frivolous chargeback activity, non-compliant operators, and non-compliant ATMs.
 
A third meeting with MC is being planned. In preparation for that meeting, NAAIO welcomes comments and suggestions from all its members, whether ISOs, Operators or Vendors. NAAIO encourages each of its members to get involved. Let your voice be heard.

Posted by NAAIO at 21:50:57

NAAIO Has Joined the PCI Security Standards Council

Last month, at our annual meeting, we announced that NAAIO has been accepted to the PCI Security Standards Council. You may be wondering just what this means to you, the NAAIO member.
 
First, it gives us at NAAIO the option of nominating a member to the Board of Advisors. This person, if elected, would have direct input into the new PCI standards. NAAIO has nominated Daryl Ware to sit on this board and we’ll keep you posted as to his election to the board.
 
Second, and more importantly, NAAIO’s acceptance to the PCI Security Standards Council means that you, the NAAIO member, have direct access to any and all information that NAAIO receives from membership in this council, at no added cost to you. You are a valued member of NAAIO, and we believe that your voice and needs as an ISO are important. If you have questions, if you want to be heard, NAAIO will make sure that you are.
 
Through NAAIO’s membership in the PCI Security Standards Council, YOU are a member of the PCI Security Standards Council.

Posted by NAAIO at 21:44:40