Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence for ATM Provider

    This message was posted by a user wishing to remain anonymous
    Posted 12 days ago

    Our institution is replacing our ATMs through a vendor we have used for several years. What are the due diligence considerations for ATM hardware and software providers?

  • 2.  RE: Due Diligence for ATM Provider

    Posted 4 days ago

    On top of your normal due diligence practices performed on critical vendors, those supplying devices such as ATMs introduce additional risks. Not only are you concerned about the overall practices of the organization, but you also have to assess the design and implementation of the hardware itself. Here are a few items to consider when evaluating a new ATM vendor or product.

    • PCI, EMV, ADA, privacy, and other compliance requirements and how the vendor satisfies them.
      • This includes ensuring security practices on the ATM are in place such as:
        • Encryption at rest and in transit
        • Physical security of the ATM
        • Software updates
        • Access controls
        • Incident response
        • Penetration testing
        • Log management
        • Data retention
    • Remote monitoring and management abilities and commitments for support.
    • Consumer and peer feedback on the ATM model being considered.

    I'm always interested in what others are doing for due diligence for specific, yet common vendors such as these, so I encourage others to respond with their experience of this process as well.