
24 Replies

  • You have to love our dear regulators.  If no one else is doing it then it MUST be risky. Bunch of Jack A$$3$.  Don't get me started.  So is the connection going to be used just to manage the ATM or will the transactions actually be using this connection to get to the payment network?

  • How is using a VPN over the hospital's network different than using a VPN over any other network?  If you put in a firewall and can show that the traffic is secured, the ATM is not accessible to anyone else and that the logs are actively monitored, what's the problem?  Just because the person your boss spoke to at the FDIC didn't know of anyone else doing it doesn't mean that no one else is doing it or that it is somehow insecure.  What does your bank examiner say? How about your security auditor?

    Internet -- HospitalNet -- Bank Owned Firewall/VPN Endpoint -- ATM
     

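The topology in the reply above, as an added example that is not part of the original thread: a small Python monitor for the bank-owned firewall's logs that checks the two things the reply asks for, that nobody but the bank can reach the ATM and that the tunnel is actually carrying the traffic (including a move to a second peer). The addresses, the two VPN peers, the threshold and the log line format are assumptions made for the example, not anything from the thread or from any vendor's product.

```python
"""Added example (not code from the thread): monitor the bank-owned firewall's
logs in the topology  Internet -- HospitalNet -- Bank Owned Firewall/VPN Endpoint -- ATM
and report (1) anyone other than the bank reaching the ATM and (2) whether the
tunnel is up, and to which peer.  All addresses and the log format are assumed.
"""
import ipaddress
import re
from collections import Counter

# Assumed addressing (documentation ranges; not from the thread).
ATM_NET = ipaddress.ip_network("10.99.1.0/30")        # the ATM is alone on this segment
BANK_NET = ipaddress.ip_network("10.10.0.0/16")       # bank/processor side, reached only through the tunnel
OUTSIDE_IP = ipaddress.ip_address("192.0.2.50")       # firewall's hospital-facing address
TUNNEL_PEERS = {                                      # primary hub plus a remote site used for failover
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("203.0.113.11"),
}
IKE_PORTS = {500, 4500}                               # IKE and NAT-T; ESP carries no ports
PROBE_THRESHOLD = 3                                   # blocked attempts from one host before we warn

# Assumed log format, one firewall decision per line; invented for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|drop) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = [
    "2013-04-02T10:00:01 action=allow proto=udp src=192.0.2.50:4500 dst=203.0.113.10:4500",  # NAT-T to the hub
    "2013-04-02T10:00:02 action=allow proto=esp src=203.0.113.10 dst=192.0.2.50",            # ESP back from the hub
    "2013-04-02T10:01:00 action=allow proto=tcp src=10.99.1.2:40001 dst=10.10.5.20:443",     # ATM to the processor, inside the tunnel
    "2013-04-02T10:03:11 action=drop proto=tcp src=172.16.40.23:51522 dst=10.99.1.2:445",    # hospital host probing the ATM
    "2013-04-02T10:03:12 action=drop proto=tcp src=172.16.40.23:51523 dst=10.99.1.2:3389",
    "2013-04-02T10:03:13 action=drop proto=tcp src=172.16.40.23:51524 dst=10.99.1.2:22",
    "2013-04-02T10:05:00 action=allow proto=tcp src=172.16.40.23:51600 dst=10.99.1.2:22",    # a rule let one through: ATM exposed
    "2013-04-02T10:07:00 action=drop proto=udp src=10.99.1.2:53 dst=8.8.8.8:53",            # ATM tried to leave outside the tunnel; dropped
    "2013-04-02T10:09:00 action=allow proto=udp src=192.0.2.50:4500 dst=203.0.113.11:4500",  # tunnel moved to the remote site
    "this line is not a firewall record",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def classify(ev):
    """Map one firewall decision onto the policy the reply describes."""
    src, dst, proto, action = ev["src"], ev["dst"], ev["proto"], ev["action"]
    # Tunnel traffic: IKE/NAT-T or ESP between our outside address and a known peer.
    tunnel_pair = (src == OUTSIDE_IP and dst in TUNNEL_PEERS) or (dst == OUTSIDE_IP and src in TUNNEL_PEERS)
    if tunnel_pair and (proto == "esp" or (proto == "udp" and ev["dport"] in IKE_PORTS)):
        return "tunnel"
    if dst in ATM_NET and src not in BANK_NET:
        # Anyone other than the bank reaching for the ATM must be dropped.
        return "probe_blocked" if action == "drop" else "atm_exposed"
    if src in ATM_NET:
        if dst in BANK_NET:
            return "atm_to_bank"                 # normal traffic, carried inside the tunnel
        # The ATM should never talk to anything but the bank.
        return "atm_egress_blocked" if action == "drop" else "atm_leak"
    return "other"


def summarize(lines):
    """Return (counts per class, list of alert strings) for a batch of log lines."""
    counts, probes, peers_seen, alerts = Counter(), Counter(), set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        kind = classify(ev)
        counts[kind] += 1
        if kind == "tunnel":
            peers_seen.add(ev["dst"] if ev["src"] == OUTSIDE_IP else ev["src"])
        elif kind == "probe_blocked":
            probes[ev["src"]] += 1
        elif kind in ("atm_exposed", "atm_leak"):
            alerts.append(f"CRITICAL {ev['ts']} {kind}: {ev['src']} -> {ev['dst']}:{ev['dport']} was allowed")
    for src, n in probes.items():
        if n >= PROBE_THRESHOLD:
            alerts.append(f"WARNING {src} made {n} blocked attempts against the ATM segment")
    if not peers_seen:
        alerts.append("WARNING no tunnel traffic in this batch: the ATM is idle or cut off")
    elif len(peers_seen) > 1:
        alerts.append(f"INFO tunnel moved between peers {sorted(map(str, peers_seen))}: check for failover")
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LOG)
    print(dict(counts))
    for a in alerts:
        print(a)
```

Against the constructed sample the monitor raises one CRITICAL (the allowed hospital-to-ATM connection), one WARNING for the host that probed the ATM three times, and an INFO noting that the tunnel moved from the hub to the remote site. On a real deployment the "atm_exposed" and "atm_leak" classes are the ones that should never fire; if they do, the firewall rule set, not the monitor, is what needs fixing.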
  • I agree with TL-O1CU.  As long as you can show it's secure and that you are following all standard monitoring procedures I say you're good.  Do you have an independent or internal audit group you can call and discuss?  

  • Jeremy, the connection will be used for management and transactions.

    TL, I completely agree with you; I just wanted to see what everybody else thought and if anybody else had something like this set up. The security auditor will side with the FDIC; the examiners typically are not technical in any way, so who knows what they would say. 

  • Shep wrote:

     "...the examiners typically are not technical in any way..." 

    Understatement of the year! ;)

  • I think it will be fine.  With the proper documentation of what you are doing I don't see where they could "get" you on anything.  

  • I just have to convince my boss of that.

  • This isn't unheard of. While we are not doing this I know of an institution that is running its ATM, processing and all, via a wireless broadband connection with a VPN back to the home office. Not something I'd try but they apparently got the go ahead. 

    I think that Jeremy5285 said it best when he said document it. You can show a risk assessment, and if you've done all of your due diligence, well, there is little they can say about it. Sadly, I think the entire financial industry is too scared of the examiners, especially in IT, when more than half of the time you get non-technical people who don't understand what is going on. 

    I believe that if you can convince a management team that has non-technical people in it, that should be sufficient to get past the examiners. 

  • I can speak from experience that most of our IT examiners have been rookies right out of college with no IT background.  They basically have a checklist to go off of.  We had one recommendation from an examiner a few years ago to ensure that our generator had the appropriate fencing around it.  Another year they brought some ex-regulators (retired, I think) on as contractors to help out since they were short-handed.  These guys were so out of touch.  I said "virtualization" and the guy just stared at me.  He didn't understand any of it.  In fact, this year the examiners that were onsite tried to get a connection from our LAN instead of using our guest WiFi network.  Not only did I get alerted, but all their traffic was blocked due to the way we allow internet access.  Couldn't have been more perfect.  We made a note of it and our President even emailed their boss.  They don't care what the rules are and they don't understand our industry.  We did have great examiners when our bank was first formed - very professional, very open and helpful.  Those days are long gone.  

  • Nicholas, could you PM me the name of that institution and possibly a contact there?

    Jeremy, when I worked for an MSP we had recommendations from one exam to enable the web interface on the bank's Cisco routers. So I know not many of them have a clue at all.

  • @Shep, I'll see if I can find their name and ask if I can share. They've been pretty tight lipped about how it all works aside from what I know so I'm not certain if they'd be excited about sharing more, but I can ask.

  • Nicholas, thank you; if not, I understand, and we now have approval to do it anyway.

    After the hospital shot down every other proposal to get an internet connection to the ATM my boss finally agreed to go that route.

  • Have you considered using a dial-up ATM connection?  It's slightly slower than broadband-based, but is also secure by nature.  We have an ATM using an extension from a school's PBX, and it works fine 98% of the time (only having problems when all of the PBX's outgoing lines are busy).  Ours is configured to dial a toll-free number so there's no long distance charges for the school hosting the ATM, and the toll-free charges are offset with appropriate surcharges for non-customers.  

    Having said that, using a VPN with the hospital's internet shouldn't be a flag for auditors - it's no different than having a remote office connected via VPN.  The examiners will only want to see that you have done your due diligence and a passing IT Risk Assessment.

  • We just deployed our first ATM. Vantiv (formerly Fifth Third) set up our comm links to them, which in turn fed over to our core processor. If that is a case you can use, then Vantiv would order a fractional line for that location and ship you a Cisco router preconfigured for that ATM. The hospital would only need to run a line for the ATM to plug into, and then that to the Cisco router. Then router to new fractional line and complete. Secure and the least amount of headache or work. If you are doing live transactions then a dial-up would not fit the bill, as the connection is too slow and may time out the transaction and cause failed or incomplete transactions. This in turn could cause out-of-balance situations for your accounting team. The user may get the money but the transaction not complete to the core. Or the user may not get the money and the transaction completes at the core, making for upset customers. Just a touch of my experience from the last year of planning and deployment.

     

    J

  • We are doing live transactions; that is why we need something other than dial-up. This location has a current ATM using dial-up, but the new one does check imaging and all kinds of other things, so dial-up is too slow. Our processor uses a wireless company for most remote ATMs, but due to our location these have proven unreliable and have caused nothing but headaches. Due to our craptastic phone company we cannot get fractional lines, except ISDN, which was over $600 a month. 

  • Who is your phone company? We have FairPoint here, formerly Verizon. No ability for T lines to a hospital? That is lame as all get out.

  • AT&T, it is because the CO switch hasn't been upgraded since the mid 80's. We can get a full T1 but again looking at $400-600 a month.

  • The $400-600 is our current price point for our link, so that's about right. Our hands are tied in this scenario, as an ATM with those features requires a dedicated high-speed link. The LAN option may work, but you have to weigh the risks: if the public link drops, your live system fails over to the stand-in file that holds balances and transaction limits for cardholders while the ATM is offline. How many will get money they actually don't have? Then when you come back online and the transactions flow through, they overdraw their accounts. The question is risk versus expense. We are a small community development credit union, and when our members overdraw it is very difficult for them to recover, as they are very low income and money is scarce for them.

     

    Hope this helps in your decision making.

     

    J

  • The way the ATMs are currently set up, if it loses the link it is just down, not getting anything from it.  Fortunately the internet connections seem to be fairly reliable, and we will have it configured to connect to one of our remote sites in case ours is offline for some reason.

  • Oh, fully offline. That negates the overdraws..... Nice. You may be fine with the public connection through VPN then. So am I to surmise that you do not use Vantiv in any way?

  • Not that I am aware of. 

  • Having no experience running an ATM over VPN to the core without Vantiv, I've unfortunately run out of advice. :( Wish I could have been of more help.

  • We actually have 3 other locations running over a VPN now. They are using DSL and establishing a VPN with a Cisco router. This is working fine, and the auditors didn't have a problem with it. It is when we are using a network that we don't control that they get spooked.

  • If the auditors are happy then that's a very big plus. They're the ones that make things difficult. Cover that base and you're good to go.
