On top of your normal due diligence practices performed on critical vendors, those supplying devices such as ATMs introduce additional risks. Not only are you concerned about the overall practices of the organization, but you also have to assess the design and implementation of the hardware itself. Here are a few items to consider when evaluating a new ATM vendor or product.
- PCI, EMV, ADA, privacy, and other compliance requirements and how the vendor satisfies them.
  - This includes ensuring security practices on the ATM are in place such as:
    - Encryption at rest and in transit
    - Physical security of the ATM
    - Software updates
    - Access controls
    - Incident response
    - Penetration testing
    - Log management
    - Data retention
- Remote monitoring and management abilities and commitments for support.
- Consumer and peer feedback on the ATM model being considered.
I'm always interested in what others are doing for due diligence for specific, yet common vendors such as these, so I encourage others to respond with their experience of this process as well.
Original Message:
Sent: 09-14-2023 11:11 AM
From: Anonymous Member
Subject: Due Diligence for ATM Provider
This message was posted by a user wishing to remain anonymous
Our institution is replacing our ATMs through a vendor we have used for several years. What are the due diligence considerations for ATM hardware and software providers?