PCI compliance: Is your credit union prepared for 2024 upgrades?

As the financial landscape continues to evolve, credit unions face many ongoing challenges, not the least of which is maintaining compliance at their ATMs. The latest mandates as stated by the Payment Card Industry Security Standards Council (PCI), are once again aimed at maintaining the safety of member data at self-service ATMs, ITMs, and kiosks that community members use for financial transactions.

But what would really happen if your credit union didn’t update ATM security? How can you meet PCI mandated requirements by the end of the year? And is there any end in sight to these ridiculously expensive upgrades?

Upcoming PCI Security Mandates

The current PCI mandate is for ATM PIN pads and data encryption, with a deadline of December 31, 2024. These specific updates are designed to enhance the security of financial transactions and protect sensitive customer information by updating the encryption level of the data being sent to the processor from the keypad.

Every ATM transaction processor must be able to accept the new TR31 Phase 3 key block encryptions before the end of the year. As a credit union, your task is a little bit harder. To be fully compliant, your ATMs must:

1. Be equipped with the latest encrypting pin pad (EPP) upgrades: Terminals capable of being upgraded to the latest version of EPP must be updated by the end of 2024. ATMs not capable of being upgraded must be replaced.
2. Communicate in TR31 Phase 3 encryption: ATM software and firmware must be updated to use TR31 Phase 3 key blocks. This upgrade provides a higher level of security for personal identification numbers (PINs) and data infrastructure, making it more challenging for hackers to exploit weaknesses in the system.

These upgrades are crucial for credit unions to maintain PCI compliance, pass ATM audits, and keep member information safer.

Non-upgraded machines: A temporary grace period

While the deadline for upgrades is fast approaching, credit unions can take some comfort in knowing that non-upgraded machines won’t go dark on January 1, 2025. U.S. processors are working diligently to meet PCI deadlines for accepting TR31 Phase 3 transactions. However, they recognize that not all machines will be upgraded in time.

At recent ATM industry conferences, including the ATM Industry Association (ATMIA) US Conference 2024 in February and the National ATM Council Conference (NAC2023) this past October, processors assured ATM operators and financial institutions there won’t be an end-of-year crisis. They plan to continue accepting current encryptions alongside the new encryption type for the foreseeable future.

And, unlike EMV with its high-cost liability shift, the immediate monetary dangers are relatively low. The real concern for credit unions with this upgrade is insurance, compliance and audits.

This distinction has several important implications:

1. Member access: Account holders will still be able to access their accounts through non-upgraded ATMs.
2. Compliance audits: Credit unions with non-upgraded machines would not pass a PCI compliance security audit.
3. Upgrade necessity: Credit unions that haven’t already upgraded their ATMs should evaluate their machines and make the required changes.
4. Implementation process: Upgrading ATMs involves hardware and software changes, testing, and certification. With proper planning and the right components, these changes can be implemented efficiently.

On the bright side, making these updates usually means you have the latest self-service technology, too. And up-to-date ATMs, ITMs, and Kiosks are more likely to offer the integrations and features your credit union needs to meet member self-service demands.

The rapid pace of ATM upgrades

Over the past decade, the frequency of ATM upgrades has increased significantly. These costly changes have been digging into credit union budgets about every two years—all to keep up with evolving standards and technologies. Here’s a brief timeline of major updates:

• 2004: PCI Data Security Standards (DSS) V1.0
• 2006: PCI DSS v1.1
• 2008: PCI DSS v1.2
• 2009: PCI DSS v1.2.1
• 2010: PCI DSS v2.0
• 2012: Americans with Disabilities Act ATM compliance standards
• 2013: PCI DSS v3.0
• 2014: Windows 7
• 2015: PCI DSS v3.1
• 2016: PCI DSS v3.2.1
• 2017: EMV liability shift
• 2018: PCI DSS v3.2.1
• 2020: Windows 10
• 2022: PCI DSS v4.0 with PCI EPP keypad and software changes due January 1, 2025

This rapid pace of change presents significant challenges for credit unions in terms of costs, planning, and implementation.

Streamlining compliance: The ATM outsourcing option

Given the frequency and complexity of ATM upgrades, many credit unions are exploring alternative solutions to manage their ATM fleets more efficiently. One such option is partnering with a reliable ATM outsourcing business. This approach offers several benefits:

1. Cost management: Outsourcing can help level out the costs associated with frequent upgrades and updates.
2. Reduced burden: The responsibility for compliance and updates shifts to the outsourcing partner, freeing up credit union resources.
3. Expertise: ATM outsourcing companies specialize in maintaining compliance and can often implement changes more efficiently than in-house teams.
4. Future-proofing: With a dedicated partner managing ATM operations, credit unions can more easily adapt to future changes in technology and regulations.

As credit unions prepare for the upcoming PCI compliance upgrades, it’s essential to take a proactive approach. While there may be a grace period for non-upgraded machines, achieving full compliance should remain a top priority. Credit unions should evaluate their current ATM fleet, plan for necessary upgrades, and consider the potential benefits of ATM outsourcing to streamline their compliance efforts.

By staying ahead of PCI compliance requirements, credit unions can ensure the security of their members’ data, maintain trust in their institutions, and position themselves for success in an ever-evolving financial landscape. As the December 31, 2024, deadline approaches, now is the time for credit unions to take action and prepare for these critical security upgrades.

Ready to reduce costs, streamline operations and stop managing ATMs? Click here or fill out the form to discover how ATM outsourcing can benefit your credit union.