Independent, on-site security assessment of your ATM and self-service terminal fleet. Physical, logical and network-side testing aligned to BNM ATM Security Operational Risk Guidelines and PCI PTS POI v6.
Self-service terminals are no longer just cash machines. The Malaysian SST estate now spans ATMs, cash-recycler machines (CRMs), e-Wallet top-up kiosks, MyKiosk service points, fuel-pump payment terminals, parking pay-stations, transit ticket vending machines and an expanding fleet of branchless-banking kiosks. Each is a small, network-connected, customer-facing computer running a thick application stack on top of Windows IoT or Linux — and each is exposed to a four-layer attack surface: physical, peripheral, host operating system and network.
The four attack patterns that dominate real-world Malaysian incidents and our assessment caseload are:
Non-ATM self-service terminals share the same fundamental architecture but carry different commercial risk:
Documentation review, firmware version inventory, network diagram analysis, dispenser/XFS stack mapping, branch-LAN segmentation assessment. No physical contact with the terminal yet — this phase derisks the on-site work.
Physical inspection with the engineering operations team present. Cabinet integrity, lock quality, USB and serial port exposure, surveillance coverage, tamper-evident seal review, anti-skimming overlay inspection, PIN-pad shielding, EMV reader inspection.
Controlled, reversible exploitation of the highest-priority findings — black-box dispenser interface, USB HID attacks against the OS, XFS interface fuzzing, network-side MITM under controlled conditions. Every action logged, photographed and reversible.
Findings register mapped to BNM ATM Security Operational Risk Guidelines and PCI PTS POI v6 requirements. Executive summary, technical walk-throughs, prioritised remediation roadmap, verification re-test plan.
Bank Negara Malaysia's ATM Security Operational Risk Guidelines set the supervisory bar for licensed banks operating ATM fleets in Malaysia. Our assessment deliverable maps every finding to the relevant guideline section, so the report drops directly into your compliance evidence file. Coverage spans physical security controls, logical/host hardening, network-segmentation expectations, card-skimming countermeasures, surveillance and monitoring obligations, and incident-response readiness. We also map findings to the parallel BNM RMiT control families where relevant — paragraph 10 on logging, monitoring and pentesting, and paragraph 11 on cyber resilience.
For card-accepting terminals — ATMs with card readers and PIN-pads, fuel-pump payment terminals, retail kiosks — PCI PIN Transaction Security (PTS) POI v6 and PCI PIN Security v3.1 set the device-level expectations. Our assessment verifies tamper-evidence, tamper-response, key-loading procedures, secure-channel implementation between the PIN-pad and the host, and the operational controls around key custodianship and device lifecycle. Findings can be packaged for your acquirer or scheme auditor on request. See also our PCI ASV scanning service for the network-side PCI DSS scope and our broader PCI DSS compliance practice.
No. Our methodology is built around controlled, reversible techniques agreed in writing before the engagement starts. Destructive techniques (drill points, lock bypass that defaces the chassis, irreversible firmware flash) are explicitly excluded unless the asset is decommissioned and the customer has signed off in writing. Every test on a live, in-service terminal is run during a service window with the engineering operations team on-call. Pre-test and post-test photo evidence is captured for every cabinet opened.
A signed scope of work and Rules of Engagement document, naming each terminal serial number, location and the authorised testing window. For ATMs at branch sites, the branch manager and the line-of-business owner must both have written approval on file. For shared-network terminals (PayNet, MEPS), the network operator's written authorisation is required for any test that touches the switch interface. Our standard contract includes hold-harmless and indemnity clauses against accidental cash dispense or service outage.
ATM and kiosk assessments are inherently on-site. The physical attack surface — locks, dispenser cassettes, USB ports, cabinet seams, surveillance camera placement — cannot be evaluated remotely. Our network-side testing of the back-end switch can be remote-led from our SOC over a customer-supplied VPN, but the terminal-side work requires an engineer at the device. Typical engagements are 2-5 working days per terminal, batched across a small representative sample.
A board-ready executive summary, a technical findings register mapped to BNM ATM Security Operational Risk Guidelines and PCI PTS POI v6 requirements, photo evidence per finding, exploit walk-throughs for the technical team, a prioritised remediation roadmap and a verification testing plan for re-test. Findings are rated against CVSS v3.1 and our internal SST-specific severity matrix (because chassis-tamper risk is poorly modelled by generic CVSS).
Pricing depends on terminal count, fleet diversity and depth of testing. A representative-sample assessment of 3-5 terminal models across a mid-sized branch network typically lands in the RM 80,000 to RM 180,000 band, all-in. A single-model deep-dive (one ATM, full physical-to-back-end review) typically sits in the RM 40,000 to RM 75,000 band. Travel and accommodation outside Klang Valley are billed at cost. We will scope to a fixed price after a 30-minute discovery call.
Discovery calls take 30 minutes. We will scope to a fixed price within 5 working days, including travel and equipment.