I’m writing (but not publishing… Come on folks, it’s 2009…) this from 35,000 feet, somewhere over the north Atlantic, east of Iceland.  What else am I going to do while sitting in a big, metal recycled air tube hurtling over the surface at speeds never meant for man?  Think and write about security, of course!

I’m heading back state-side after a great PCI Europe community meeting.  I didn’t get the final count, but the meeting had just north of 200 attendees.  It seemed smaller than last year, but that could have been the seating arrangement.  One of my favorite sessions is always the PCI Standards Feedback and Q&A Sessions.  This year was no different!

Blow up ATM, by laverrue

While the questions in the US were definitely more entertaining, I think the questions from the Europe meeting were more interesting.  Last year was the first PCI Europe meeting and the questions were much more basic.  They had a common theme with the first PCI meeting in Toronto, mainly because fines had not forced the issue outside of the US.  This year, however, with fines on the horizon, the questions were focused on the intent of certain requirements, and how they apply to the region.

One of those questions has a much larger applicability, but I don’t remember it being asked at the Community Meeting in Vegas.  Do the recently re-branded PTS standards apply to Automatic Teller Machines (ATMs)?

The Technical Working Group declined to comment in this forum, but it is an interesting question.  Why shouldn’t they be included?

ATMs are payment devices just like the card swipe or chip & pin machines we see at merchants all over the world.  The only difference is that they typically have larger displays, are heavier and more physically hardened, and they spit out money on request.  They’ve also become a great target for hackers to prey on the trusting human (with a fake ATM), or to add sophisticated skimming devices to steal and take advantage of consumer payment data.

PTS should apply to ATMs, though the enforcement should come from the networks and financial institutions using or enabling these devices.  At a minimum, these standards can be used to remove some of the digital vulnerabilities these devices harbor, and add a little more security to the physical side.

What about you folks out there?  Should ATMs continue to be ignored?  Are we barking up the wrong tree?  Should we focus on PIN-Debit switching and key management instead?  Add your comments below!

That’s all for now.  I’m having a hard time concentrating with the gentleman next to me snoring as loud as he is.  This guy needs to go get that Pillar procedure performed.  Seriously.

Look for many more posts in the next several weeks from the meeting!

This post originally appeared on BrandenWilliams.com.