The 'gray' areas of Triple DES

ATM deployers have had a difficult time determining just when their ATMs must be Triple DES compliant. From 2003 to 2004 to 2005, deadline extensions, regional variances and grace periods have left FIs and ISOs scratching their heads. And since the deadline itself has been ambiguous, deployers and processors expect the penalty for non-compliance to be just as confusing, if even existent.

December 27, 2005

Triple DES. Some wonder if it's more of a conundrum than a definitive mandate.


Since 2001, when MasterCard International first introduced the idea of moving to a harder-to-crack code, the deadline for upgrades to existing ATMs (and point-of-sale terminals) has been a moving target. A quick scroll through ATMmarketplace's archives proves that.

Jerry Silva, a senior analyst with Boston-based consultancy TowerGroup, said a penalty for non-compliance is doubtful, and that is why between 20 percent and 30 percent of U.S. financial institutions don't have Triple DES compliance even on the radar.

"I can't imagine there would be a big penalty," he said. "I think it will be like EMV in Europe, where you're liable if there is a case of fraud, but beyond that, it's not a big deal."

The truth, however, is that no one really knows what will happen if the Triple DES mandate isn't met - although most suspect MasterCard and Visa International won't enforce a penalty. And that absent fear of retribution has led to a great deal of hesitation, especially in the ISO space.

Other contributing factors, including deadline ambiguity, the lack of a big-picture understanding of the standard, and the cost associated with upgrading and replacing ATMs also have stalled the conversion process.

A look back

Most of the industry, by now, is very familiar with Triple DES. It's the complex encryption standard that is harder for hackers to break than single DES.

As of Jan. 1, 2003, all newly deployed ATMs were required to support Triple DES. But deadlines for bringing existing ATMs into compliance, at least in the United States, have been confusing.

Sam Ditzion, president and chief executive officer of Boston-based Tremont Capital Group, an ATM industry advisory firm, said the Triple DES deadline has been more gray than black and white. "I suspect that we'll see a somewhat ambiguous gray period during the first part of 2006. Many ATM operators lacking formal extensions are not 100 percent Triple DES compliant yet, but I suspect that the networks and processors will either temporarily look the other way or officially warn, but not fine."

MasterCard's April 1, 2005, deadline didn't get pushed, but a number of extensions were granted. And Visa has come up with a compliance pyramid on which different deadlines have been set for different regions of the world. In the U.S., the deadline won't be enforced until Dec. 31, 2007, according to information posted on Visa's Web site, which Visa referred ATMmarketplace to in lieu of comment. No one at MasterCard could be reached.

"I think the difficult part is determining, 'What is the ultimate compliance method?'" said Kevin Gregoire, executive vice president of products and networks for Brookfield, Wis.-based Fiserv Inc. "How strong will the compliance be enforced? On one end of the spectrum the date comes, and in the event the client is not compliant, the strongest position would be that the ATM is being removed from the payment system, and that causes some disruption," which makes it unlikely.

What's Important

MasterCard's April 1, 2005, and Visa's Dec. 31, 2005, deadlines haven't moved, although a number of extensions or grace periods have been granted. Visa won't enforce its deadline until Dec. 31, 2007.

Neither MasterCard nor Visa has publicly said whether deployers that fail to comply with the Triple DES mandate will be fined, denied access to the network(s) or simply held liable if a security breach occurs.

Deadline ambiguity, confusion about compliance and the upfront investment have led some FIs and ISOs to wait as long as possible.

Wayne Vandekraak, president and CEO of Beaverton, Ore.-based Solvport LLC, an independent ATM service company, said ISOs have been going in circles to understand the deadlines, and that's been an issue. "The biggest problem has been the extension after extension. I don't think smaller ISOs realize the risks they're running, but I think larger ones do, and that's why they're moving forward."

TowerGroup's Silva said only an estimated 35 percent of the U.S.'s 180,000 to 190,000 FI ATMs have been upgraded and/or replaced. He added that some mid-sized and small FIs will just wait it out.

Dean Stewart, director of software product marketing and management for North Canton, Ohio-based Diebold Inc., the No. 1 ATM manufacturer for U.S. FIs, said compliance for Diebold customers is closer to 75 percent in the U.S. FI space, but it's definitely not close to 100 percent.

"There were so many different dates," he said. "I would have thought that we'd be a little further along than we are now, but with the waivers, I'm not surprised."

Stewart said confusion surrounding the mandate led many deployers, especially FIs, to wait before moving forward. And Fiserv's Gregoire said not fully understanding the benefits of Triple DES led some FIs to hold off.

On the ISO side, cost has been the holdup, said Mike Cowart, director of operations for Atlanta-based RBS Lynk's ATM Services Division. "It's costly. You've got to convince a merchant that you sold an ATM to five or six years ago that he needs to upgrade, and that's a tough sell."

Triple DES upgrades and replacements haven't brought in the big bucks everyone expected. Executives at both NCR and Diebold have admitted that their companies were expecting higher ATM sales during the first two to three quarters of 2005, as FIs worked to replace older ATMs to meet the compliance deadline. (Read also, NCR, Diebold pursue other avenues in wake of dropping ATM profits.)

Sabrina Andrews-Turner, president of Grand Prairie, Texas-based Pi Systems International, which provides upgrade kits to FIs, said kit sales are just beginning to pick up.

"I'd say our customer base has doubled since this time last year," she said. "We had a lot of interest in early 2003, because they thought all of this would happen in early 2005 - the original deadline. And then when they realized the deadlines would be pushed, things slowed down in 2004. But now, with Visa and MasterCard saying this is it, 2005 has been a real bang-up year."

Processors put pressure on deployers

What has changed since last year is that processors are taking a lead role in spearheading the Triple DES switch.

Fiserv, which owns the Accel/Exchange EFT network, is pushing for a Dec. 31, 2005, deadline but will continue to process transactions on both single and Triple DES.

RBS Lynk has extended its compliance deadline to Dec. 31, 2006, and is actively working with ISOs to bring their portfolios into compliance.

Ron Herman, executive vice president of Nebraska Electronic Transfer System Inc., said all but about six of the 325 Nebraska FIs NETS works with have made the conversion. Of the 1,700 ATMs NETS processes transactions for, only 200 needed an extension until April 2006.

"We're confident that we'll have all except those 200 (ATMs) switched over by end of this year," he said, "well before what Visa is requiring."

 

 

©2025 Networld Media Group, LLC. All rights reserved.