For far too many years, to reduce costs, security has played a minor role in the purchasing decision of ATMs, but with the increase in criminal attacks on ATMs and pressure from industry bodies such as PCI and EMV, security and compliance is no longer an optional extra.

NCR SECURE MINIMUM CONFIGURATION

This document defines the minimum security configuration requirements for an NCR ATM. The majority of the recommendations may also be relevant for other vendors’ ATMs.

All NCR ATMs MUST be configured as per the guidelines explained in this document. These minimum security requirements are necessary to defend/protect against currently known attacks on an ATM. All of the requirements provide protection to the different layers within the environment, complementing each other to provide secure, holistic coverage across all the layers.

NCR’s security model defines a layered approach. This provides the best protection for the whole environment from a variety of attack vectors, and having all the security layers in place maximises the security of your ATM estate.

If one layer has a weakness, then the other layers will mitigate the risk of that weakness being exploited. If all the layers of protection are not applied then it may allow compromise of another layer.

The layered approach to security and the importance of having the layers is critical to preventing attacks on the ATM environment. These guidelines are not optional; they should be viewed as mandatory to protect the ATM in today’s environment.
NCR Logical Security: Security Requirements to help protect against Logical attacks
RULE 3: IMPLEMENT COMMUNICATIONS ENCRYPTION

Transmission of sensitive cardholder data across ALL networks must be encrypted. Cyber criminals may be able to intercept transmissions of cardholder data over networks, so it is important to prevent their ability to view this data. Encryption is one technology that can be used to render transmitted data unreadable by any unauthorized person.

PCI DSS Requirement 4.1 states that strong cryptography and security protocols must be used to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.

SSL and early TLS encryption have been demonstrated to have weaknesses which can be exploited and must not be used as a security control to meet PCI requirements.

As a minimum the PCI DSS guidance below should be followed for migrating away from SSL and early TLS.
• Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place
• New implementations must not use SSL or early TLS as a security control
• Existing implementations must migrate to a secure TLS version (currently 1.1 or later)
• After June 30, 2018, all use of SSL and early TLS as a security control must be stopped

NCR Secure TLS Encrypted Communications supports TLS version 1.2 and is stronger when combined with the environment hardening guidelines provided in this document.

Never send unprotected cardholder data by end user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.)

NCR Recommends NCR Secure TLS Encrypted Communications.

RULE 4: INSTALL AND MAINTAIN A FIREWALL

The ATM firewall must be configured to only allow known authorized incoming and outgoing connections necessary for an ATM environment. The connections must be configured per program rather than per port.

For example, the default configuration of the Windows 7 firewall blocks all incoming communications connections; any applications that require incoming connections must be explicitly configured. All outgoing communications are allowed by default.

Detailed configuration options for the Windows firewalls and lots more are provided within Security for APTRA. More details on Security for APTRA are provided in Rule 8.

For further information, please refer to the documentation for your firewall product.
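
A check for the two points Rule 4 makes, given as an added example that is not NCR's or Security for APTRA's code: it parses exported `netsh advfirewall` output and reports enabled allow rules that are not bound to a program, plus any profile whose default policy still allows unmatched traffic. The dumps are constructed samples trimmed to the fields used here, and the rule names and program path are hypothetical.

```python
import re
# Constructed netsh excerpts (not from a real ATM; names and path hypothetical).
# From `netsh advfirewall firewall show rule name=all verbose`, fields trimmed:
RULE_DUMP = r"""
Rule Name:                            ATM host link
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
RemotePort:                           443
Program:                              C:\ATM\hostlink.exe
Action:                               Allow

Rule Name:                            Legacy status port
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
LocalPort:                            8080
Program:                              Any
Action:                               Allow
"""
# From `netsh advfirewall show allprofiles`, fields trimmed:
PROFILE_DUMP = """
Public Profile Settings:
----------------------------------------------------------------------
Firewall Policy                       BlockInbound,AllowOutbound
"""

def parse_rules(dump):
    """Return one dict per rule, mapping field name to value."""
    rules = []
    for key, value in re.findall(r"^([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", dump, re.M):
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def port_only_rules(dump):
    """Enabled Allow rules with no program binding, as (direction, name)."""
    return [(r.get("Direction"), r["Rule Name"]) for r in parse_rules(dump)
            if r.get("Enabled") == "Yes" and r.get("Action") == "Allow"
            and r.get("Program", "Any") == "Any"]  # missing field counts as unbound

def open_defaults(dump):
    """(profile, policy) pairs whose default action is Allow in either direction."""
    found, profile = [], None
    for line in dump.splitlines():
        if line.endswith("Profile Settings:"):
            profile = line.split()[0]
        elif line.startswith("Firewall Policy") and "Allow" in line:
            found.append((profile, line.split()[-1]))
    return found

print(port_only_rules(RULE_DUMP), open_defaults(PROFILE_DUMP))
```

The rule dump must be taken with `verbose`, because the `Program` field is not printed otherwise and every rule would then be reported as unbound.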
RULE 5: REMOVE UNUSED SERVICES AND APPLICATIONS

It is recommended that you remove any unused services and applications from the system to reduce the attack surface area. By adopting the principle of ‘If you don’t use it, disable it’, you remove potential points of attack by disabling modules and components that your application does not require.

For example, if your application does not use output caching, you should disable the ASP.NET output cache module. Thereafter, if future security vulnerabilities are found in this module, your application is not vulnerable.

The following table lists examples of the recommended applications that should be removed from the ATM software stack if they are not used on the ATM. However, you should review your software stack to determine if there are further binaries that can be removed:

Application | File Name | Description/Purpose
Address Resolution Protocol | arp.exe | Display/edit network address
File Attribute | attrib.exe | Display/edit file attributes
File Transfer Protocol | ftp.exe | Transfer files between two hosts
NetBios over TCP/IP | nbtstat.exe | Display network information
Network Statistics | netstat.exe | Display network information
Name Server Lookup | nslookup.exe | Display network information
Remote Copy Program | rcp.exe | Copy files

RULE 6: DEPLOY AN EFFECTIVE ANTI-MALWARE MECHANISM

Anti-malware software will:
• Maintain the integrity of your ATM software stack and prevent malicious software compromising your ATM.

An effective active white-listing solution will provide online protection beyond known malware threats. For example, memory protection, zero-day attacks and threat alerting.

NCR Recommends Solidcore Suite for APTRA.
• Solidcore Suite for APTRA is more effective than anti-virus software alone in preventing known and unknown malware from executing.
• Solidcore Suite is an active whitelisting application for increased malware protection
• Solidcore Suite for APTRA prevents execution of malware copied onto an environment
• Solidcore Suite for APTRA prevents unauthorised software from execution
• Solidcore Suite for APTRA alerts on execution of unauthorised software and malware.
• Solidcore Suite for APTRA provides runtime memory protection
• Solidcore Suite for APTRA protects against zero-day attacks, known and unknown threats

To complement Solidcore Suite for APTRA you should use a traditional or standalone Anti-Virus (AV) solution to ensure any known malware copied onto your ATM is removed.

Major points to consider when deploying AV.
If Solidcore Suite for APTRA Alerts or AV scan reports indicate malware has been found, best practice malware incident procedures must be followed, which may include the following:
• Containment and eradication of the malware is essential; it must be quarantined or deleted if possible
• Recovery of the ATM to restore normal functionality; the ATM should be reimaged with a known master image
• Samples of the original hard disks must be removed for forensic analysis

NOTE: NCR tests McAfee Stinger standalone AV to detect known ATM malware.

RULE 7: ESTABLISH A REGULAR PATCHING PROCESS FOR ALL SOFTWARE INSTALLED

Keep all software running on the ATM up to date with the latest NCR and other vendor security patches for all software. This ensures that attackers do not take advantage of known vulnerabilities within the deployed software. The weaknesses may allow malware to be installed onto the ATM or allow attackers access to the ATM software stack. If a vulnerability within the software stack has been addressed by a patch which has been installed onto the ATM then it will no longer be exploitable.

Keeping up to date with Microsoft security hotfixes ensures that attackers do not take advantage of known vulnerabilities within the operating system. The unpatched vulnerabilities may allow malware to be installed onto the ATM or allow attackers access to the ATM software stack.

NCR can provide a Managed Services offering that deploys Microsoft Windows 7 hotfixes to your ATM estate on a quarterly basis.

PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.

A major point to note is that Windows XP support ended April 2014 and you must have a plan to migrate those XP ATMs as soon as possible.

Without critical Windows XP security updates, your ATM may become vulnerable to harmful viruses, spyware, and other malicious software which can steal cardholder data or damage your business data and information.

RULE 8: HARDENING THE WINDOWS OPERATING SYSTEM (OS)

The Windows operating system must be hardened to restrict the privileges and behavior of the ATM to allow only the functions necessary for a self-service environment. This consists of setting up a locked down OS environment on a standalone ATM based on the following high level requirements:
• Disable Windows Auto-play
  • Auto-play is a feature of Windows operating systems which allows software to run from removable media as soon as it is detected on a USB, DVD or CD. Disabling the auto-play feature within the operating system will prevent malware being automatically run when it is detected on removable media
• Implement a locked-down user account for automatically running self-service application functionality, with the minimum privileges and no interactive desktop access
• Implement a keyboard disabler to block keypresses being interpreted within the locked down account
• Apply file, folder and registry permissions to restrict the access to the minimum required for the ATM to function
• Apply computer and user policies to restrict to the minimum functionality required for the ATM application to function correctly and securely

All the above configuration options and many more are provided within Security for APTRA.

NCR Recommends Security for APTRA.

Security for APTRA protects the operational security of an ATM, creating a secure locked down environment to protect the ATM’s assets. The secure environment encompasses a comprehensive set of security features including: preventing the automatic running of programs on removable media, providing a locked down account for automatically running self-service functionality, controlling access to external devices and running of software which effectively locks down the runtime environment of the ATM software environment at the registry level. In excess of 500 registry settings are automatically set when the software is installed in ‘Secure Mode’. These registry settings are a balance between the minimum settings required to operate an ATM in a stand-alone environment, and the industry-accepted system hardening standards, which may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards and Technology (NIST)
RULE 9: IMPLEMENT ROLE BASED ACCESS CONTROL

The more people who have access to the cardholder data environment, the greater the risk that a consumer’s account will be used maliciously. Restricting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data.

For all users accessing the ATM environment, access should be based on the roles they have, and they should be given only the access permissions based on the role. For example, branch staff who need to change the printer paper need only the level of privilege needed to effectively perform that assigned task. Once all roles and corresponding access needs are defined, individuals can be granted access accordingly.

Restrict functionality allowed via remote desktop access to ATMs, and if remote access is required then role based access control must also be implemented. PA-DSS requirement 10.1 must be enforced for that access, which means multi-factor authentication, with at least two of the methods below, must be used for all remote access to the payment application environment.

Authentication methods for all users:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric

Payment application vendors must provide instructions for configuring the application to support multi-factor authentication.

NCR PA-DSS compliant applications provide guidance on how to meet this requirement.

RULE 10: DEPLOY A REMOTELY AUTHENTICATED HARD DISK ENCRYPTION SOLUTION

Deploying full hard disk encryption protects the integrity of the ATM hard disk and protects against offline attacks. This means that the ATM is protected against:
• Malware attacks when the ATM hard disk is offline
• Attackers reverse engineering software on the ATM hard disk
• Attackers harvesting data from the ATM hard disk
• Hard Disk being seen when ATM is booted from removable media
• Hard disk is removed from the ATM and mounted as a secondary drive
• The core is removed from the ATM

NCR Recommends NCR SECURE Hard Disk Encryption
• Protects against attackers installing malware offline onto the ATM hard disk
• Renders the contents of the hard disk unreadable to protect against offline attacks, reverse engineering of code or data harvesting
• Provides a centralized encryption status of the ATMs being managed
• Prevents attackers deriving or harvesting the decryption keys locally to circumvent encryption technology
• Remote authentication prevents the encryption key being derived or harvested from the local hard disk.

RULE 11: ENSURE COMMUNICATIONS BETWEEN THE ATM CORE AND THE DISPENSER IS PROTECTED

Encrypting the communications between the ATM core and the dispenser will prevent black box attacks. If attackers attempt to send commands to the dispenser directly, the dispenser will recognize these commands as invalid. Only commands from the ATM software stack will be authenticated and processed by the dispenser.

NCR Recommends
• For NCR SelfServ ATMs
  • NCR Dispenser Encryption Enhancement with Physical Authentication (Level 3)
  • USB CDM software component from APTRA XFS 06.03.00 or later
  • Minimum component version = USBCurrencyDispenser 03.01.00
• For NCR Personas ATMs
  • PDEE upgrade kit, with Physical Authentication
  • SDC CDM software component from APTRA XFS 06.01.00 or later
  • Minimum component version = SdcCurrencyDispenser 03.06.00
RULE 12: PERFORM A PENETRATION TEST OF YOUR ATM ANNUALLY

Best practice defines that a penetration test is performed on your ATM by an organisation external to your company. The penetration test should be done against a full software stack, network access points and physically hardened as per the recommendations in this document and as a minimum follow the PA-DSS requirements for ensuring applications are not vulnerable to common coding vulnerabilities.

The test should consist of various simulated attacks in an attempt to find misconfiguration, weaknesses and vulnerabilities that could be exploited by an attacker in a production level ATM. The penetration test will allow you to identify any areas that need to be addressed to ensure your ATM is optimally secure.

RULE 14: CONSIDER THE PHYSICAL ENVIRONMENT OF ATM DEPLOYMENT

The physical environment that an ATM is deployed within and the ATM type will influence the risk of an ATM being attacked. Lobby ATMs (e.g. P77 or 6622) should not be deployed in 24/7 unattended environments without compensating physical security controls. A Through the Wall ATM may be more suitable for these locations.

NCR Recommends

Through the Wall ATMs may be more suitable for unattended environments.

UL rated pick resistant Top Box locks for SelfServ ATMs as a configuration option or upgrade kit with appropriate key management.
WHY NCR?
NCR Corporation (NYSE: NCR) is a leader in omni-channel solutions, turning everyday interactions with
businesses into exceptional experiences. With its software, hardware, and portfolio of services, NCR
enables nearly 700 million transactions daily across retail, financial, travel, hospitality, telecom and
technology, and small business. NCR solutions run the everyday transactions that make your life easier.
NCR is headquartered in Duluth, Ga., with over 30,000 employees and does business in 180 countries.
NCR is a trademark of NCR Corporation in the United States and other countries.
© 2017 NCR Corporation Patents Pending 17FIN5025-A-0517 ncr.com