PCI Security Standards Council®

Return to Newsroom


Two Leading Industry Leading Organizations Issue Joint Bulletin on Threat of ATM Cash-Outs

PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) Join Forces to Highlight Increasing Threat

Washington, D.C., October 7, 2020 – Today the PCI Security Standards Council and the ATM Industry Association (ATIMA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.  The full bulletin can be viewed here.

What is the threat?

An ATM “cash-out” attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.  Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do these attacks work?

An ATM cash-out attack requires careful planning and execution.  Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts.  This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems. 

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.  With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash. 

These attacks usually do not exploit vulnerabilities in the ATM itself.  The ATM is used to withdraw cash after vulnerabilities in the card issuers authorization system have been exploited.      

Who is most at risk?

Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks.  These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some DETECTION best practices?

What are some PREVENTION best practices?


ATMIA Information Alert: Unlimited Operations (ATM Cash-Out)

PCI SSC and ATMIA ATM Cash-out Bulletin

Beware of ATM Cash-outs Blog post

On-the record quotes from Troy Leach, Senior Vice President, Engagement Officer:

“We have heard from many of our stakeholders in the payment community that ATM “cash-outs” are a growing concern across the globe.” said Troy Leach, Senior Vice President, Engagement Officer of the PCI Security Standards Council.  “We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA who’s industry is well aware of these daily threats.” 

“There are ways to prevent these rare but devastating attacks however,” said Leach.  “Adherence to the PCI Data Security Standard (DSS), strict authentication protocols, and regular testing and communication is key to preventing and mitigating these attacks.”

“Closely following PCI SSC standards and guidance such as the DSS and our guidance on multi-factor authentication and software security along with closely monitoring changes in the environment, can help defend against these attacks.”

“Now more than ever, organizations need to make cybersecurity a top, every day, priority,” “Criminals around the world are getting more and more sophisticated and well as brazen in their attacks. Everyone needs to act like they are already a target because they likely are.” 

On-the-record quotes from Mike Lee, CEO, ATMIA

“These attack techniques are quite sophisticated in nature and represent a real threat globally to the ATM industry.  Our guidance with the PCI SSC is designed to help educate and prepare our industry for this dangerous attack.”  

“It is important that all stakeholders work together to put in place systems that prevent ATM cash-outs.” 

“We must work together through education and training to effectively counter the growth and sophistication of ATM “cash-out” attacks.”

“The bulletin we are jointly issuing today should be an alarm to those who could be impacted by these types of attacks and should serve as a guide to enhance awareness of and defense against these techniques.  No one in our industry should assume they are immune from these attacks.”


About the PCI Security Standards Council 
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.

ATMIA is the leading non-profit trade association representing the entire global ATM industry. ATMIA serves more than 11,000 members from over 650 companies located in 70 countries spanning the entire ATM ecosphere, including financial institutions, independent ATM deployers, equipment manufacturers, processors and a plethora of ATM service and value-added solution providers. To join us please visit:  https://www.atmia.com/membership/join/


Our website uses both essential and non-essential cookies (further described in our Privacy Policy) to analyze use of our products and services. By clicking “ACCEPT” below, you are agreeing to our use of non-essential cookies to provide third parties with information about your usage and activities. If you click “DECLINE” below, we will continue to use essential cookies for the operation of the website.