Preview Mode Links will not work in preview mode

You can also listen and subscribe to COMMERCE NOW on these channels: 

Sep 25, 2018


As the tax against self service endpoints evolve to be more complex, and many financial institutions struggle to keep up, there's a growing demand for security management services in the industry. In this podcast, you will hear about this trend and what it means for financial institutions. 



A look at how ATM security has changed … and how it hasn’t

ATM Security Management: Know Your Options

COMMERCE NOW (Diebold Nixdorf Podcast)


Amy Lombardo:                00:00                    

Hello again, and thank you for joining us on this episode of Commerce Now. As the tax against self service endpoints evolve to be more complex, and many financial institutions struggle to keep up, there's a growing demand for security management services in the industry. Today I have the pleasure of being joined by Julie Osborne, our Global Vice President of Diebold Nixdorf's Service Portfolio, and Martin Nearhos, Principal Security Architect for the Global Services Portfolio Division as well. We're going to hear about this trend and what it means for financial institutions. So, hello Julie and Martin. Thanks for being with me here today.

Julie Osborne:                   00:38                    

Thanks Amy, it's a pleasure. Thanks for having me.

Martin Nearhos:               00:41                    

Yeah, thanks Amy. Happy to be here.

Amy Lombardo:                00:44                    

Okay. I'm really excited here, because I'm based here in the US, but I'm talking to two subject matter experts who are in our Singapore office. It's great to just have this global view on this security topic. So, let's dive in here. Let's start with just a high level question on why do you think financial institutions are having difficulty managing their self service security?

Martin Nearhos:               01:10                    

That's a good question. Maintaining the security of the customers' assets and information has always been a high priority for the industry, but threats against the self service banking channel have evolved. It's now much harder to keep up. A tax against ATMs have traditionally been isolated to geographic regions, and slow moving out of those regions, but this is no longer the case. We're now seeing increasingly complex attacks, such as various forms of jackpotting, taking place across the globe, and at the same time the threat of traditional physical attacks hasn't really gone away. It's a lot to combat.

Julie Osborne:                   01:47                    

If I might just add to what Martin said, financial institutions usually don't have the time or in-house expertise to keep security measures up to date. As retail banking paradigms shift, banks and credit unions are under a lot of pressure to do more with less, and even if financial institutions wanted to hire in-house security specialists, as businesses and governments fight cyber security threats, these resources tend to be really expensive and in high demand. Also, as we all know, this constant pressure to stay compliant with security regulations and industry standards, ATM security service providers can help relieve the burden of staying on top of changes and staying protected against attacks.

Amy Lombardo:                02:28                    

Okay. Got it. Martin, if I can ask this to you before we jump into this whole idea of doing more with less, since you're located in the Asia Pacific region, are there certain types of attacks that you're seeing on the rise today? We talked a lot about jackpotting in the Americas, but could you give us an idea of maybe what you're seeing over in your region?

Martin Nearhos:               02:51                    

The Asia Pacific region is quite diverse. You've got many different markets at many levels of maturity, so it varies. Locally you won't get, say Singapore, there's a certain limit to attacks, whereas in other countries very close by, you've got a much broader range of attacks. It's complex and it doesn't move.

Amy Lombardo:                03:15                    

Got it. Yeah. It sounds like no matter where you are, just keeping on top of that security is always going to be top of mind here.

Martin Nearhos:               03:22                    


Amy Lombardo:                03:23                    

Okay. Let's talk about this idea of doing a little more with less. When we're looking at it from a financial institution standpoint, can we talk a little bit about why they should be looking into outsourcing their ATM service and management?

Julie Osborne:                   03:37                    

Oh, absolutely Amy. I might take that one. It's becoming increasingly popular for FIs to work with organizations that have intimate knowledge of the ATM channel, and offer specialized security services as part of ATM fleet management arrangements. They will want someone who can offer 24/7 secure operation centers for monitoring, and who can also take care of all necessary maintenance, hardware and software upgrades, and updates for them. Some FIs don't have the capability in house to reliably maintain secure ATM environments, and others would just simply rather have someone else handle it because it is a specialist capability, as I said. So, if FIs are looking to take the burden off themselves and effectively manage the security services of the ATM  fleet, with an ATM security service provider such as Diebold Nixdorf, they should look for a provider who can deliver the following three things.


First, you'd want optimized security through 24/7 monitoring, proactive threat elimination, and an in depth understanding of emerging threats, to try and protect against attackers.

Second, you'd want increased efficiency, freeing the FI from day to day ATM security management responsibilities, or streamlining processes.

Third, you want a service that will effectively manage operational risk, to provide real time threat insights, and offer remote troubleshooting, and has a deep understanding of the industry requirements. Ultimately, I think the best approach is a multilayered security protection approach that offers real time information to ensure ATM networks are protected and available, whilst also providing the information FIs need for a [inaudible 00:05:17] ATM security audits.

Amy Lombardo:                05:19                    

Okay, got it. Those three points were really helpful here, especially in looking to determine your outsourcing, your Managed Security Services, but what does an engagement actually look like for an financial institution? What are some of the specific options, and what would it take to get a program like this up and running?

Martin Nearhos:               05:41                    

I can take that. If you're an existing customer, and you're already ready using sort of self service fleet management, which is just a suite of services designed to run multi-vendor self service devices cost effectively, the customer can sort of decide what level of protection makes sense for their organization, based on their risk profile and their operational risk. If you're a new customer, we'd look at all the fleet details that required. The ATM make, the model, physical location, that would all be analyzed. Then the customer would select the appropriate security service, and again, it's based on their business and operational risk. We suggest that whatever FIs choose is a core security service. The services offered should, at the very least, provide everything needed to comply with industry standards and requirements such as those developed by the Payment Card Industry Security Standards Council.


It should also include the hardening of various aspects of the ATM with remote monitoring and software patch deployment. It would also include things like device monitoring, secure connectivity, managed firewall, peripheral device control, anti malware, antivirus, and of course intrusion detection and prevention. Then the FI can have the option to build upon that basic level of services for such things as protection against complex logical system attacks. Although I would recommend this sort of protection to everyone, we know that financial institutions want to prioritize their investments in advanced security, and they just can't do it all at once. With these types of services, FIs can then rely on the security service provider to proactively monitor the ATM for suspicious activity, protecting terminals more effectively in real time, responding quickly when attacks are detected, and engage with customers to resolve the incident, and take the burden of managing the self service fleet off the FI, who, as we've already said, may be stretched pretty thin on resources.

Amy Lombardo:                07:42                    

So Martin, if I can ask you a question here just based off of the compliance portion, the regulation portion of what you mentioned, I would think that's pretty important, almost as a value added services as well, that your security partner could provide you almost with the consultation, the education, on what all these requirements might mean for your institution. Am I thinking about that the right way?

Martin Nearhos:               08:11                    

You are. There's some industry standards that, across everywhere, but what happens is you get into regional areas. Some have slightly different requirements, so as a global offering, it's quite difficult, but we have specialists in all the major regions that could offer that service.

Amy Lombardo:                08:29                    

Okay. Thank you. Okay, so to close out this topic, have you heard how customers are responding to these types of Managed Security Services in the industry today? Are they able to focus more on their customers without the burden of managing their own ATM security services then internally? Julie, how about you take that one?

Julie Osborne:                   08:51                    

Thanks Amy. Actually we have. We've seen some very positive results from the financial industry. Threats against the self service channel aren't going away anytime soon, but with Managed Security Services, financial institutions can spend less time trying to prevent attacks, and spend more time with their customers growing their businesses, and ultimately that's where we want them to be.

Martin Nearhos:               09:11                    

And, just as the FI is focusing on on their customer, the security service provider, but it's got to focus on continuing to evolve and develop, because the expectations will continue to rise, and FIs will expect to be offered more value in the future as well.

Amy Lombardo:                09:29                    

Well great. This sounds like a no-brainer to me. I would want to stay protected and just not have that burden internally. Thanks Julia and Martin for being with me here today, and to our listeners for tuning into this episode of Commerce Now to learn more about Managed Security Services, and how FIs can better protect themselves. Log Onto Until next time, keep checking back on iTunes or your favorite podcast listening channel for new topics on Commerce Now.