We figured it would be best to educate our customers and potential customers on what the master password is, what it is used for, and the steps we take to keep your ATMs secure when we program your ATMs.
- What is the master password? There are multiple levels of passwords in retail ATMs. The operator, service and the master being the highest level of programming access. With the master, you have every option available in the ATMs programming system including the Masterkey menu.
- What is the master password used for? It is used to program the ATM by inputting settings that will sync up to a processor and allow transactions to process on secure card networks. These settings need to be entered 100% correct- otherwise your ATM and vault cash investment may be at risk!
- Who “Owns” the Master Password? The industry standard for all ATM ISOs is the ATM Company who programs your ATM retains ownership of the processing and therefore the master password. Most ATM ISOs – like Best Products – are happy to let you choose your own master password for those that specifically request it especially experienced ATM programmers and IADs. Please keep in mind though- contractually you will be liable for errors and will be considered an Encryption Support Organization (ESO). If not, you may physically own the hardware, but if an ATM Company programs your ATM, it is typically their master password. This is 100% correct and the way it should be! You own the hardware and the ATM Company owns the processing and password. Why? It’s pretty simple actually. Ultimately your ATM Company is liable to ensure the integrity of your ATM and all the ATMs processing on their network. It is OUR responsibility to make sure your ATM is programmed correctly. Keeping the master password secure is the most basic form of “hardening” to prevent your ATM from being compromised. Even more important- as an ISO – our sponsor bank has us sign off that we will abide by security policies and procedures regulated by the card networks. These include a PIN security audit, ESO approval and registration. If you are not legally considered an ESO- you are not authorized to program an ATM, load Masterkeys, Handle Masterkeys, or destroy Masterkeys. One common misconception, ATMs are not just cash vending machines. ATMs have security protocols, compliance hurdles, and are federally regulated by sponsor banks – who in turn are following network rules. Any company not following guidelines should not be trusted.
- Why the master password should NOT be given out: Yes, ATMs are more secure than ever before – but with technology – there certainly are always vulnerabilities. Without getting into specifics – any ATM Company that willingly gives out their master password to anyone and everyone– has questionable business practices. Most likely do not have enough experience to realize the importance of protecting your ATM and are NOT ABIDING BY REGULATIONS! Nowadays, the internet has given rise to self-proclaimed “ATM Guru’s” who recommend you have your own master password and you program your own machines. Truly some may have your best intentions at heart. We get that and appreciate the few with these good intentions. However most of these experts- are not ISOs and have absolutely no knowledge of any of the rules or regulations. If you are a newbie- these “gurus” telling you that you need to have this master password- right off the bat – this is 100% incorrect advice and blatantly goes against any and all regulations in a heavily regulated industry. These “gurus” are also not the ones paying for mistakes that inexperienced operators make – which can and do happen. Additionally the majority of these “Gurus” are competing ATM operators who are tying to scrounge up business! They use this scare tactic to manipulate less experienced operators into thinking their ATM company is being dishonest by withholding the “master password”. Playing on the emotion of fear is the oldest sales tactic in the book. Don’t get fooled! The truth is – what they really don’t want you to find out is not having your own master password is NOT A BIG DEAL!
- Why not having the Master Password is NOT A BIG DEAL: For any reputable ATM Company, you can bypass the master password by reloading software for most brands of retail ATMs. Simple as that. There are certain steps a technician must take to do this, but this process is known as “flashing”. It takes seconds to minutes to complete. Flashing is ATM service 101. Any ATM Company or ATM “Guru” who claims not having the master password is a big deal – has either no clue what they are doing OR they are using scare tactics outlined in #4. You should be very weary of their business ethics and qualifications. Utilizing “flashing” is not to say that anyone can hack into an ATM, anytime/ anywhere. They can’t. They would have to follow a set of protocols and reprogram the ATM. So not to worry – flashing isn’t going to put your ATM at risk.
- What about Converting Processing from one ATM Company to Another? Not to get into the weeds too much about conversions, but we convert ATMs to our processing platform all the time. New machines, used machines – as long as it is EMV Compliant – we are happy to add new customers! When someone converts their ATM to us, for the most part we send out a technician and reprogram the ATM FREE OF CHARGE. Our qualified on-site technicians “flash” and reprogram the ATMs to process with us. We do not need the old master password. We do this all over the US. Whether it’s 1 ATM or a project of 500. Generally speaking, the only time we charge is if we suspect the ATM is broken or needs to be upgraded. In fact, 90% of the reprograms we do are 100% completely free. Additionally, as long as you are a processing customer, we can send you software and guide you through the process of “flashing” over the phone if you would prefer to program ATMs yourself. But to Best Products – sending an on-site technician to convert terminals just makes good business sense and strengthens relationships. We have the technicians and resources to do it – so why not.
- Can you Have your Own Master Password? Yes-absolutely. In fact, the majority of independent ATM companies processing under our umbrella, both large and small retain their own passwords for peace of mind. These customers typically are programming and servicing their own ATMs and we have completed proper due diligence and paperwork for them to be an ESO. We have absolutely no problem using your own master password if you notify us at time of programming. Keep in mind though, we will make every effort to ensure your ATM is programmed correctly, but if you make unauthorized changes or you make a mistake with a setting or forget this password, the liability is on you – not us. Typically business owners who do not service their machines themselves would utilize the ATM Companies password. That being said, we don’t recommend using the master password for day-to-day replenishing, as there are settings that can easily be changed which may cause issues for the inexperienced.
Rule of thumb
If you aren’t going to program your ATM yourself – you probably don’t need the master password, and you will never need it. If you feel more comfortable with your own master password – ask us to set your own master password at time of programming/ installation but be aware that the liability is on you if a setting gets changed causing a loss. Additionally, not having master password access is NO BIG DEAL. You not knowing it, really makes no difference whatsoever to a reputable company with qualified ATM service technicians.
Final Thoughts
There are a ton of great ATM companies out there. Whether you go with us or one of them, make sure you are working with a company who is being honest with you from the get go. This should not have to be said but – choose a company who follows the rules and guidelines set in place by networks, sponsor banks and processors! Best Products Sales & Service, Inc. has been an ATM ISO since 1998. In our quarter century history, we have serviced well over 10,000 customers in the retail and financial verticals nationwide. We don’t admit to knowing everything like these “gurus” lol, but we learn new things every day and continue to evolve. One thing though is for sure – you can’t make up experience. We feel it is important to share our knowledge with those with less experience, in order to maintain integrity in an industry we are so proud to be a part of.