ATM Risk Management and Controls - EuroJournals
168 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010)
• Retained cards – these ATM cards pose an even greater risk, if they fall into the wrong hands
and are misused.
• Inadequate supervision of embossing of the card.
• Stolen cards not being reported immediately.
• Stocks of blank cards could lead to unauthorised cards being issued leading to fraud.
2. Business Process Controls
In general no one person should handle all the transactions. This can be achieved by proper segregation
of duties. Appropriate controls should be included during reconciliation and verification of withdrawals and
of the date/time at which transactions were completed.
Application
Close supervision is necessary within the embossing department, where control on
card issuance should be rigorous after embossing. Furthermore the envelopes should be issued based
on a predetermined control number. During hours of non-production, the embossing department should
be kept locked. Personnel having access to cards must be denied access to PINs whenever cards are
prepared and processed. There should be two staff in charge of the process in order to have dual
accountability for stock.
Security and Control of PIN (Personal Identification Number)
A PIN is a “personal identification number”. This is a number consisting of four numerical characters
that is essentially the cardholder’s password. PINs can be assigned by the institution or can be
customer selected. PINs which are generated for the customer can be derived from the customer’s
account number using an algorithm. These PINs are normally stored in an encrypted form at the
ATM. A temporary PIN is issued which can be used at the ATM immediately. Later the customer has
the choice of selecting his own PIN at the ATM.
Risks/Threats
There are a number of risks involved in the management of PINs:
1. The integrity of the PIN itself. If control and security are not tight, the method of
selecting PINs or the encryption keys may become known, and duplicate PINs and mailers may be
prepared.
2. PIN mailers being intercepted during mailing.
3. PINs longer than four digits are security hazards, as holders may be tempted to write down their
numbers to remember them.
4. Issuing replacement PINs to customers. If the person making the request has stolen the
card or is not authorised to use it, the true owner of the card stands to lose a substantial sum of
money.
Application Controls
For control and security purposes, the PIN is stored in encrypted form in a database file.
The PIN mailers are prepared separately. The PIN is only activated upon the use of
the card by the customer at the ATM.
Adequate control should be carried out when the PIN is produced for mailing. Mailing of the PIN
is carried out subsequent to card mailing. The PIN is forwarded to the customer in a separate mailer on
a different day.
For security reasons all systems documentation concerning PIN generation/encryption and
decryption keys must be under tight control at all times. Furthermore, extreme care must be taken when
requests for new PINs are made. It is important for security reasons that the request for a new PIN
should be in writing.
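
The card and PIN controls described above can be checked mechanically against issuance records. The following is an added example, not taken from the paper: the record layout, field names, staff IDs and finding labels are assumptions, and the sample records are constructed for illustration.

```python
from datetime import date

# Constructed sample issuance records; every field name here is an assumption.
RECORDS = [
    {"card_id": "C-1001", "card_mailed": date(2010, 3, 1), "pin_mailed": date(2010, 3, 3),
     "card_staff": {"emb01", "emb02"}, "pin_staff": {"pin07"},
     "pin_reissue": False, "written_request": False},
    {"card_id": "C-1002", "card_mailed": date(2010, 3, 1), "pin_mailed": date(2010, 3, 1),
     "card_staff": {"emb01", "emb02"}, "pin_staff": {"pin07"},
     "pin_reissue": False, "written_request": False},
    {"card_id": "C-1003", "card_mailed": date(2010, 3, 2), "pin_mailed": date(2010, 3, 4),
     "card_staff": {"emb01"}, "pin_staff": {"emb01"},
     "pin_reissue": True, "written_request": False},
]

def audit_record(rec):
    """Return the list of control exceptions for one issuance record."""
    findings = []
    # The PIN mailer must go out after the card, on a different day.
    if rec["pin_mailed"] <= rec["card_mailed"]:
        findings.append("PIN_NOT_MAILED_AFTER_CARD")
    # Staff who handle cards must not also have access to PINs.
    overlap = rec["card_staff"] & rec["pin_staff"]
    if overlap:
        findings.append("CARD_AND_PIN_SAME_STAFF:" + ",".join(sorted(overlap)))
    # Dual accountability: two staff in charge of card processing.
    if len(rec["card_staff"]) < 2:
        findings.append("NO_DUAL_ACCOUNTABILITY")
    # A replacement PIN requires a written request.
    if rec["pin_reissue"] and not rec["written_request"]:
        findings.append("REISSUE_WITHOUT_WRITTEN_REQUEST")
    return findings

def audit(records):
    """Map card_id -> findings for records that break at least one control."""
    report = {}
    for rec in records:
        findings = audit_record(rec)
        if findings:
            report[rec["card_id"]] = findings
    return report

if __name__ == "__main__":
    for card_id, findings in audit(RECORDS).items():
        print(card_id, findings)
```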