ATM Operator Security Checklist

Last Updated: February 2026

For ATM operators and bank security teams. Use this checklist when a skimmer, shimmer, or other tamper device is discovered, or when a logical attack is suspected.

Critical first step: Take the ATM out of service immediately and do not touch any suspected device. Call your card scheme's incident line and local law enforcement.

---

SECTION A: DAILY INSPECTION CHECKLIST (Routine Operations)

Complete before and during each operational day. Record inspections in your incident log.

Card Reader Area

• Card slot appearance — no protrusion, overlay, or unusual component
• Card slot feel — no wobble or looseness on gentle lateral pressure
• Material and colour match to surrounding fascia
• No adhesive residue, scratches, or marks around slot edges

PIN Pad Area

• PIN pad not elevated or spongy
• PIN pad material and colour consistent with rest of machine
• No overlay or additional frame around keypad
• Nothing attached above or adjacent to keypad

Camera and Fascia

• No unusual attachments in brochure holder, lighting surround, or above display
• No objects inserted in fasciae that could conceal a camera
• Fascia panels intact and showing no signs of forced entry

Cash Dispenser Area

• No visible obstruction or foreign device at cash exit slot
• No tape, string, or obstruction inside or around the dispenser output

ATM ID Verification

• ATM ID / serial number confirmed against asset register: ____________
• Tamper-evident seal check (where fitted): intact / broken
• CCTV covering machine: operational / confirmed

Inspection Record

• Date / Time: _______________
• Inspected by: _______________
• Result: Clean / Issue found (describe below)
• Issue description: _______________
• Action taken: _______________

---

SECTION B: INCIDENT RESPONSE — PHYSICAL TAMPERING DISCOVERED

Step 1: Take ATM Out of Service Immediately

• Use remote management system to put ATM in "Out of Service" state
• If remote management unavailable: place physical "Out of Service" notice, do not allow customers to use the machine
• If customers are queuing: advise them to use a different ATM — do not describe the specific issue publicly

Step 2: Do NOT Touch or Remove Any Suspected Device

• The device is evidence
• Do not touch it, pull it, photograph it by touching it, or attempt to disassemble it
• Do not allow members of the public or unauthorised staff to approach

Step 3: Call Your Card Scheme's Compromise/Fraud Line

• Visa: [Your acquirer will have Visa's ATM compromise notification contact]
• Mastercard: [Your acquirer will have Mastercard's ATM security contact]
• Your Acquirer: [Number from your processing agreement]
• Provide: ATM ID/location, time of discovery, description of what was found
• Receive incident reference number: _______________

Step 4: Call Local Law Enforcement

• Report the tampering to police
• Provide: ATM location, ID, time of discovery, description
• Do not allow officers to remove the device without documentation
• Obtain crime reference number: _______________

Step 5: Preserve CCTV Footage

• Back up footage from the minimum compromise window — typically last 24–72 hours
• Specifically preserve: footage from overnight, opening, and any period when the ATM may have been unattended
• Do not allow footage to loop or be overwritten
• Secure footage chain of custody — who has access and why

Step 6: Establish the Compromise Window

• Review inspection records: when was machine last confirmed clean? _______________
• Compromise window start: _______________ (last clean inspection)
• Compromise window end: _______________ (time of discovery)
• Pull transaction logs for the compromise period — this determines the number of potentially affected cards

Step 7: Notify Your Compliance and Operations Teams

• Internal notification per your organisation's incident escalation procedure
• Engage fraud investigations team
• Notify legal/compliance for data protection assessment

---

SECTION C: INCIDENT RESPONSE — LOGICAL ATTACK SUSPECTED

Signs Suggesting a Logical/Software Attack:

• ATM dispensing cash without corresponding legitimate transactions
• Unusual ATM behaviour: unexpected messages, cycling, unusually frequent maintenance mode
• Evidence of physical access to the ATM's internals (top hat, service door)
• USB devices or unfamiliar cables found inside the ATM (upon authorised inspection)

Step 1: Take ATM Out of Service

• Immediately remove from transaction processing
• Do not restart, update, or modify the ATM software/firmware

Step 2: Preserve State

• Do not power off unless specifically instructed by your ATM vendor's security team
• Engage your ATM vendor's security response team immediately — they will have specific forensic requirements

Step 3: Secure the Physical Machine

• Do not allow access except by authorised technicians with law enforcement present
• Treat the ATM as a crime scene

Step 4: Notify Card Schemes and Acquirer

• Same as Steps 3–4 in Section B above

Step 5: Engage Specialist Support

• ATM vendor security team: [Your vendor's emergency contact]
• Your organisation's cyber incident response team (if applicable)
• External forensic support if required by your incident response plan

---

SECTION D: CARD SCHEME NOTIFICATION AND CUSTOMER IMPACT

Step 8: Submit Fraud Event Report to Card Schemes

Your acquirer will typically facilitate this, but confirm:

• Visa Fraud Event Notification submitted (via acquirer)
• Mastercard Fraud Event Notification submitted (via acquirer)
• Your organisation's internal fraud event report completed

Step 9: Affected Card Block Programme

• Card schemes may initiate a card block on all cards used at the compromised ATM during the compromise window
• Confirm with acquirer whether block programme is being initiated
• Note: some card scheme agreements require this to happen within specific timeframes

Step 10: Data Protection Assessment

• Assess: do compromised card details constitute personal data under GDPR (EU/UK)?
• If yes: assess risk and notify supervisory authority within 72 hours if required
• Assess: are affected cardholders required to be notified?
• Engage legal counsel for notification decisions

---

SECTION E: POST-INCIDENT REMEDIATION

Step 11: ATM Return to Service

• ATM must be fully inspected and confirmed clean by a qualified technician before return to service
• Confirm with your ATM vendor that no modifications were made to the machine software
• Document the technician visit and findings before returning to service

Step 12: Anti-Skimming Measures Review

• If anti-skimming hardware was not deployed: evaluate deployment Anti-Skimming Solutions
• If anti-skimming hardware was deployed but did not prevent the attack: review with vendor whether configuration, placement, or technology upgrade is needed
• Evaluate whether active card reader monitoring (electronic shimmer detection) should be added

Step 13: Inspection Procedure Review

• Review inspection records: was the device installed during an inspection gap?
• Update inspection frequency and protocol if needed
• Re-train inspection staff on current device types and detection methods

Step 14: Network Security Review (for logical attacks)

• Engage your ATM network security team for a network segmentation review
• Review remote management access controls
• Confirm ATM OS patching status
• Review application whitelisting configuration

---

REGULATORY QUICK REFERENCE

---

Last Updated: February 2026

ATM Fraud Prevention: The Complete Guide — ATM Fraud Prevention Guide Anti-Skimming Solutions — Anti-Skimming Solutions Request a Security Assessment — Request a Security Assessment

This checklist provides general guidance for ATM operators. Your card scheme agreements, acquirer requirements, and local legal obligations take precedence. Engage legal counsel for data protection notification decisions.