Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


March 11, 2013

The ATM: Disappearing Soon from a Location near You?

The ATM industry in the United States is facing a set of regulatory and operating rule deadlines that might impact the industry as much as similar deadlines did during 2005–08. Back then, ATM owners were required to upgrade their terminals to support the more secure Triple Data Encryption Standard (3DES) to safeguard ATM transaction messages during transmission. To comply, ATM owners faced the expense of hardware and software upgrades. Because a number of ATM independent sales organizations (ISOs) were operating older machines that required replacement rather than upgrades, they sold off their businesses claiming they could not support these additional expenses. Although the total number of ATMs is difficult to determine, most people in the industry agree that the 3DES requirement resulted in fewer of them.

Now it's "déjà vu all over again" for many ATM owners. Two recent changes to regulatory and operating rules require additional investment in their ATM fleets. The first of these is the accessibility provisions of the 2010 Americans with Disabilities Act (ADA) that include, but are not limited to, a voice guidance requirement, Braille signage, and input controls for visually impaired individuals. These provisions were published in September 2010. ATM owners had a compliance date of March 2011 and an enforcement date of March 2012. An online Wall Street Journal article written near the 2012 deadline estimated that half of the ATMs in the United States did not fully comply with the new requirements. Because many ATM owners were in near compliance at the time of the deadline, the current level of incomplete compliance is not known. I understand, however, that several ATM owners, particularly ISOs with low-volume cash dispensers, have still not upgraded their ATMs. Despite a number of lawsuits filed by visually impaired individuals against noncompliant ATM owners, many appear to be continuing to operate while hoping to go undetected. The act allows an exemption to an ATM owner if the upgrade would be an "undue burden," but the burden is on the owner to seek the exemption and prove the burden.

The second change comes from the recently announced liability-shift roadmaps for EMV chip implementation by Visa and MasterCard. MasterCard set a deadline of October 2016; Visa, a year later. Currently, the card issuer bears losses from fraudulent card transactions at the ATM. After those dates, if a counterfeit card is used at an ATM that has not been upgraded to handle EMV cards—in which case the ATM has to read the card's magnetic stripe back-up—the ATM owner will bear the loss resulting from that fraudulent transaction.

Even more pressing is MasterCard's liability shift for non-U.S.-issued Maestro card transactions at U.S. ATMs, scheduled for April 19, 2013. The National ATM Council, an industry group for ATM ISOs, has formally requested MasterCard to both delay this shift and push back the overall liability shift deadline to synchronize with Visa's 2017 date. Already struggling with the increased costs resulting from the upgrade decision, ISO ATM owners fear that absorbing counterfeit card losses would devastate their financial condition. I suspect that as many of them have done with the ADA requirements, many may continue to postpone upgrade expenses and just hope that their machines are not targeted. However, as I noted in a recent post, criminals tend to attack the weakest elements of their target.

ATM usage continues to face competition from debit POS (purchases and cash-back) as well as the expanding mobile payments channel. With ATMs being such a high fixed-cost operation, the impact of additional upgrade expense at a time when usage is decreasing is likely to take a toll on the number of operating ATMs. What do you think?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 11, 2013 in ATM fraud, EMV, regulations



FFIEC came up with two factor authentication guidelines in 2005 and followed it up with additional guidelines in 2012 or so. Still, there are so many banks that don't use 2FA in the USA. If big banks have managed to escape regulation for 8 years, it'd be much easier for ATM operators to fly under the regulatory radar for at least a few more years. So, I predict that ATMs will continue as they are and don't expect them to disappear anytime in the near future, at least not due to the current spate of regulation.

Posted by: Ketharaman Swaminathan | March 15, 2013 at 06:44 AM
