
TR-31 compliance: What ATM ISOs need to know

https://cdsatm.com/insights/tr31-compliance-atm-isos

Staying current with evolving requirements is crucial for ATM independent sales organizations (ISOs), operators and portfolio managers. One requirement drawing significant attention across the industry is TR-31. In this article, we’ll break down what TR-31 is, what compliance involves and how to approach it strategically to maximize the benefits while avoiding common pitfalls.

What is TR-31?

TR-31 is a security standard developed by the Accredited Standards Committee X9 (ASC X9), the group responsible for developing and maintaining voluntary standards for the financial services industry. Short for Technical Report 31 (its full title is “Interoperable Secure Key Exchange Key Block Specification”, and its current edition is published as ANSI X9.143), TR-31 defines a format for protecting the cryptographic keys an ATM uses to encrypt the PIN entered on its keypad.

Meeting TR-31 means both the ATM software and the encrypting PIN pad must handle keys in “key block” format: each key is encrypted together with a header that states what the key may be used for, and a message authentication code (MAC) binds the header to the encrypted key so that neither can be altered or the key silently repurposed. It is designed to combat evolving crime threats and ensure the integrity of ATM transactions.

TR-31 does not replace Triple DES (3DES), the symmetric block cipher that still encrypts the PIN block in transit. What it replaces is the older way of handling the keys themselves: the “fixed key” and “variant” methods, under which encrypted keys were exchanged and stored with no attached statement of purpose and no integrity check, leaving a captured key open to substitution or misuse.

The Payment Card Industry Security Standards Council (PCI SSC) mandates key blocks (TR-31 or an equivalent format) in its PIN Security Requirements for every device that handles PIN-encryption keys, including ATMs, and the card networks enforce this through the processors that ATMs connect to. The deadline for the final phase of the mandate, which covers ATMs and other terminals, was January 1, 2025.

In order to become compliant, you may need to replace or upgrade your ATM with software, a new keypad or both.

How do I know if my ATM is TR-31 compliant?

Some ATMs may already be TR-31 compliant. These include:

  • Newer models
  • Those with recently updated software
  • Those with a newer encrypting PIN pad

If you’re not sure if your ATM is TR-31 compliant, use our TR-31 Compliance Self-Assessment Tool to check. If it’s not, the Tool will suggest the steps you should take toward becoming compliant.

Why is TR-31 compliance important?

TR-31 compliance is essential to remain in accordance with PCI standards. The PCI SSC is a global organization formed by the major payment card brands, including Visa, Mastercard and American Express, to heighten payment card data security. It develops and maintains best practices for protecting cardholder data.

When it comes to banking and payment technologies, security is non-negotiable. TR-31 plays a critical role in safeguarding sensitive data and ensuring secure communication between ATMs and financial networks, like those run by credit card companies.

By adhering to TR-31, ATM operators significantly enhance the security of ATM transactions. It reduces the risk of interception or tampering with PIN entry, which is essential to protecting customer information from increasingly sophisticated digital attacks.

Moreover, as cyber threats evolve, TR-31 provides a scalable and future-ready framework for secure key management. For ATM ISOs and operators, compliance isn’t just about checking a box—it’s about building trust, ensuring operational integrity and protecting customers.

Benefits of TR-31 compliance

In addition to remaining in good standing with PCI requirements and the card networks, complying with the TR-31 standard has other advantages.

Improved security

TR-31 enhances ATM security by providing stronger protection against cyber threats. This update helps operators avoid the financial losses and reputational damage that can accompany security breaches.

TR-31 protects the keys that protect PINs. A key block is encrypted under a key-block protection key shared by the two parties exchanging it, so a key intercepted in transit, for example by a man-in-the-middle between the ATM and the processor, is unreadable. The header stating what the key is for, and the MAC that binds that header to the encrypted key, also close a subtler form of key compromise: an attacker holding a key block cannot re-label a PIN-encryption key as a different kind of key and have the system decrypt or reveal PINs with it, because any change to the header invalidates the MAC.

Future-proofed infrastructure

TR-31 is part of a broader shift toward more advanced cryptographic standards. Compliance sets your ATM up for compatibility with future PCI and network requirements. Moreover, it keeps ATM systems in step with evolving threat models as criminals continue to develop increasingly sophisticated skimming and hacking techniques.

Additionally, TR-31 positions ATM ISOs and operators to adopt next-gen features like TR-34 (remote key loading) and reduces the need for emergency updates in the future.

Reduced risk of financial penalty

While enforcement is currently light, future penalties could include non-compliance fines from the card networks. In the most severe circumstances, a card network may deactivate your ATMs, which would have a profoundly negative impact on revenue and reputation.

Additionally, by not complying with the latest security regulations, you put your ATM at risk for breaches and assume financial liability for any associated losses. This could also result in higher insurance premiums or denial of claims due to using outdated security measures.

Enhanced credibility

TR-31 compliance helps position ATM operators as leaders in security and reliability. Meeting the latest encryption standards demonstrates a proactive commitment to protecting customer data. This credibility can be a powerful differentiator in a crowded market, helping ATM ISOs and operators attract new business, strengthen partnerships and retain existing customers.

What happens if you don’t comply with TR-31?

If your ATM is not TR-31-compliant, you may incur noncompliance fees and be deactivated from processing transactions with the card networks, which can ultimately lead to lost revenue and damaged customer trust.

Falling behind on TR-31 compliance can also create future roadblocks, as outdated systems may not be compatible with upcoming regulations or technologies—making it harder and more costly to implement future upgrades.

Additionally, noncompliance makes your ATMs more vulnerable to cyberattacks, including PIN theft and key compromise, which can lead to fraud, data breaches, outages and reputational damage. In the event of a breach, financial liability could fall on the operator, especially if it’s proven that compliance would have prevented the incident.

Steps to achieve TR-31 compliance

Attaining TR-31 compliance starts with understanding the current state of your ATM fleet. Begin by assessing your existing hardware and software to determine if they meet TR-31 standards. This is simple to do using our TR-31 Compliance Self-Assessment Tool, where you choose your ATM make, model and encrypting PIN pad (EPP) version for step-by-step guidance.

Next, you may need to install software updates to enable TR-31 functionality and ensure secure communication with processors. This is a simple process that can take about 30 minutes to one hour.

Many older terminals may require an EPP upgrade. New EPP hardware typically ranges from $800 to $1,000, and the labor for installation costs about $75 to $150 depending on factors like the location and provider.

Once you’ve determined what actions are required to achieve TR-31 compliance across your ATM fleet, you can put a plan in place for execution based on your available resources.

What comes next?

While TR-31 is the current regulation on the minds of today’s ATM ISOs and operators, there are other potential standards on the horizon.

MACing

“MACing” is a security measure that uses a Message Authentication Code (MAC), computed with a key shared by the ATM and the processor, to authenticate the entire transaction message, so that any change to the amount, account or response in transit is detected. TR-31 protects the keys used in a transaction but does not by itself authenticate the message.

MACing is a robust defense against man-in-the-middle attacks, considered 99% effective. It’s already a requirement in Canada, and the National ATM Council is exploring making it an industry standard in the US as well.
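As an added example of what MACing adds (not CDS’s implementation and not any network’s specification), the following Python builds a constructed withdrawal request on the ATM side, attaches a MAC under a shared key, and has the processor side verify it; a rewritten amount then fails verification. The field names, the key value, the 8-byte truncation and the use of HMAC-SHA256 in place of a network-specific retail MAC algorithm are all assumptions of this example.

```python
"""Message authentication ("MACing") for an ATM-to-processor request.

Added example, not code from CDS or from any network's specification. The
transaction fields, the shared MAC key and the 8-byte truncation are all
constructed for illustration; real ATM networks use the MAC algorithm and
key-management rules their processor specifies (HMAC-SHA256 stands in here
for the network-specific retail MAC).
"""
import hashlib
import hmac

MAC_LEN = 8   # assumed truncation to 8 bytes, in the style of retail MACs

# Constructed shared MAC key. In a real deployment it is loaded into the EPP
# as a TR-31 key block with MAC-generation usage, never hard-coded.
SHARED_MAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Fields the MAC covers, in the order both sides serialise them. Anything left
# out of this list is unprotected, which is why the whole message is covered
# rather than only the PIN block.
MAC_FIELDS = ("mti", "pan", "amount", "stan", "terminal_id", "pin_block")


def canonical_message(fields: dict) -> bytes:
    """Fixed-order serialisation; raises KeyError if a covered field is missing."""
    return "|".join(f"{k}={fields[k]}" for k in MAC_FIELDS).encode()


def generate_mac(key: bytes, fields: dict) -> bytes:
    return hmac.new(key, canonical_message(fields), hashlib.sha256).digest()[:MAC_LEN]


def atm_build_request(fields: dict) -> dict:
    """ATM side: attach a MAC to the outgoing request."""
    return {**fields, "mac": generate_mac(SHARED_MAC_KEY, fields).hex()}


def processor_verify(request: dict) -> bool:
    """Processor side: recompute the MAC over the received fields and compare
    in constant time. A mismatch means the message was altered in transit,
    or the sender does not hold the shared key."""
    try:
        received = bytes.fromhex(request.get("mac", ""))
        expected = generate_mac(SHARED_MAC_KEY, {k: v for k, v in request.items() if k != "mac"})
    except (KeyError, ValueError):
        return False   # required field missing or MAC not valid hex
    return hmac.compare_digest(received, expected)


def tamper_amount(request: dict, new_amount: str) -> dict:
    """Simulate a man-in-the-middle rewriting the amount but keeping the MAC."""
    return {**request, "amount": new_amount}


# Constructed sample withdrawal request (the PAN and PIN block are fake).
SAMPLE_REQUEST = {
    "mti": "0200",
    "pan": "4000001234567899",
    "amount": "000000002000",     # $20.00 in ISO 8583-style minor units
    "stan": "000123",
    "terminal_id": "ATM00042",
    "pin_block": "A1B2C3D4E5F60718",
}

if __name__ == "__main__":
    req = atm_build_request(SAMPLE_REQUEST)
    print("genuine request verifies:", processor_verify(req))
    print("tampered amount verifies:", processor_verify(tamper_amount(req, "000000200000")))
```

Note that the MAC does not hide anything; the PIN block is still protected only by the PIN-encryption key. What the MAC adds is that the processor will refuse a request whose amount, account or terminal ID was changed after the ATM signed it, and that a forged request from a device without the shared key fails in the same way.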

CDS offers MACing at no additional cost. It takes just a few minutes to install and can be done at the time of a routine service call. Contact us for additional support and guidance.

TR-34

In the future, there is a possibility that the PCI SSC could introduce TR-34 as a requirement. While TR-31 defines how encryption keys are protected and managed once they are in the terminal, TR-34 defines how those keys are delivered to the terminal, using public-key (asymmetric) cryptography to transport the initial symmetric key over a network. Together, they create a secure and efficient key management system.

TR-34 allows keys to be securely transmitted over a network, which can save time and reduce human error. It also simplifies the process of enabling MACing and other emerging security measures, as the necessary keys can be installed remotely rather than during an in-person service call.

TR-31 compliance: Final thoughts

TR-31 compliance is more than a regulatory mandate—it’s a strategic investment in the future of ATM security. With the January 1, 2025 deadline now passed, ATM ISOs and operators must act swiftly to assess and upgrade their fleets to meet this critical standard.

Beyond compliance, embracing TR-31 positions operators to adopt next-generation security measures like MACing and TR-34, which further strengthen transaction integrity and streamline key management. These enhancements not only safeguard against evolving threats but also demonstrate a proactive commitment to protecting customers’ sensitive financial data.

The cost of inaction, whether through fines, network deactivation or reputational damage, far outweighs the investment in compliance. Visit our TR-31 Compliance Self-Assessment Tool today to start the process.
