Blog: The Value of Hard Disk Encryption

The demand for cash is 24 hours a day, 365 days a year — and, where there is demand, there are ATMs. However, wherever there are ATMs, there is also the threat of crime.

Crime can be in the form of physical attacks, such as blowing up a safe or stealing a terminal. Or it can be invisible, bigger threats: stealing sensitive consumer data or injecting malware into the ATM. Should a criminal get access to the information conveyed through a self-service terminal, it could lead financial loss, of course, but also loss of trust and confidence from your consumers.

Most financial institutions (FIs) manage encrypting payment card data in motion very well, meaning it’s protected during the transmission across the networks, but they sometimes overlook the finer details of data at rest on the self-service terminal itself. These self-service devices pose a specific challenge since they don’t have a unique user whose password can be used to encrypt the disk, which is the case on a personal computer like a laptop. At Diebold Nixdorf, we help you lock down your ATM hard disks so thieves can’t get access. Vynamic^® Security Hard Disk Encryption (HDE) ensures that data cannot be tampered with, whether it’s “in motion” or “at rest.” 

The Payment Council Industry Data Security Standard (PCI DSS) defines data at rest as information sitting on a hard drive. And since data is held on a disk at the self-service terminal, this data needs to be encrypted — meaning it can’t be easily obtained or read without authorization, or, for that matter, manipulated in any way. 

So how well are you doing with encrypting data at rest … and are you thinking about all the data that is at rest in your self-service device?

Think about these examples:

• When a customer deposits a check, an image is taken. Is this image kept in a raw JPG file format on your terminal’s hard drive? If so, it is key to make sure images (and all other data on the drive partitions) are encrypted, and that after transmission to the image processor, the images are properly deleted, while the check itself is stored in a controlled safe.
• What about card data during the transaction? The PIN on self-service devices is encrypted at the keyboard level through PCI PTS-compliant EPP keyboards. But the data read off the inserted card with the encrypted PIN is held on the disk. Ensuring that this data is not overlooked and gets encrypted is essential.
• Or what about this one — it tends to raise some eyebrows. Have you sold any of the ATMs in your fleet? If you did not have an encrypted hard drive, did you follow the best practice of destroying the disk rather than putting it out in the open with a new owner?
• A fraudster attempting to jackpot your terminal needs to copy his malware to your ATM's PC. He will need access to your terminal's hard drive. Your fleet needs to be protected against such unauthorized access by ensuring military-grade, full disk encryption agnostic to the hardware vendor.
• In some cases, organized crime rings steal the hard drive or even the whole ATM to gain the data from the disk or install malware on it in order to prepare a larger-scale cyber-attack on a fleet. With HDE, attackers won’t be able to read or write on the disk, and any other disk will not be recognized by the ATM without the cryptographic keys unique to the system.

Vynamic Security Hard Disk Encryption (HDE) protects you from all the above-mentioned scenarios. Our solution includes pre-boot authentication, a patented hardware mode for encryption as well as integrity scans among other advanced features. Flexible and adaptable, Vynamic Security is built to align with how you operate and enables your security team to eliminate friction for a more secure self-service channel.

However, if you would prefer to benefit from increased efficiency by letting a team of experts take care of your hard disk encryption for you, Diebold Nixdorf also offers HDE as part of our Security Management Services. This gives you access to streamlined processes, a fleet view of your encryption status as well as support in keeping your ATM fleet PCI compliant. Without the need for you to invest time and resources into building up your own team of ATM security experts. Instead, you can focus on your core business. 

Keeping sensitive consumer and bank data secure from the growing number of cyber-attacks is a challenge, but with hard disk encryption, you are taking an important step towards a more secure ATM fleet. If you’d like to know what else you can do to improve the security of your ATM fleet, download our guide on the 7 shields to protect the self-service channel or book a security assessment with one of our experts.