Triple DES: Too high to comply?

Triple DES has driven some ATM deployers to trim ATM portfolios.

July 9, 2008 by

Gary Wollenhaupt is a regular contributor to ATM Marketplace. To submit a comment about this article, please email the editor.
 
By now, most ATM operators have met the burden of complying with Triple DES by investing thousands to millions of dollars to upgrade their ATM fleets.
 
Some, however, are still working to complete the task.
 
Though the published enforcement deadline for Triple-DES compliance was Dec. 31, 2007, some operators with granted extensions are still completing their upgrades. (As of January 1, 2003, all new ATMs were required by MasterCard Worldwide and Visa Inc. to meet Triple-DES requirements.)
 
Cardtronics Inc., the world's largest independent ATM deployer, told ATM Marketplace in late 2005 that it expected Triple DES upgrades on its fleet to take "a few" years. In 2006, the company earmarked $25 million for U.S. ATM projects, namely to cover Triple-DES upgrades.
 
This month, Cardtronics, which now has more than 32,000 ATMs in its fleet, said it had successfully completed Triple-DES upgrades and encrypting-PIN-pad replacements at all of its ATMs. The ISO made the announcement in the wake of news about the ATM breach at 7-Eleven, where Cardtronics operates and owns machines branded for Citibank.
 
Triple DES, a look back
 
Since 2001, when MasterCard first introduced the idea of moving to a harder-to-crack code, the deadline for Triple-DES upgrades to existing ATMs (and point-of-sale terminals) has been a moving target.
 
In 2005, a former analyst with Boston-based consultancy TowerGroup told ATM Marketplace that between 20 percent and 30 percent of U.S. financial institutions didn't even have Triple DES on their radar. He blamed the hesitation to upgrade on an absence of fear of penalty or retribution among FIs and especially ISOs.
 
Other contributing factors, including deadline ambiguity, the lack of a big-picture understanding of Triple DES, as well as the cost associated with upgrading and replacing ATMs, also stalled the conversion process.
 
The Triple DES standard, as part of the card-networks' efforts to ensure cardholder data is protected, calls for tripling the encryption algorithm used to protect PINs. In most cases, upgrading machines required new encrypting PIN pads, and software and firmware upgrades to handle the longer encryption key.
 
Nicole Sturgill, research director of delivery channels for TowerGroup, estimates Triple DES upgrades cost between $700 and $2,000 per machine.
 
For some deployers, investing in upgrades for older machines didn't make sense. And many simply opted to pull the ATMs and not replace them.
 
Some processors have suggested that reluctance to upgrade has led to a drop in off-premises ATM deployments over the last six to 12 months. In the retail space, processors have seen ATM numbers fall.
 
But Sturgill says she sees overall U.S. ATM deployments trending, ever-so-slightly, upward. That could be because FIs are placing more machines, while independents are placing fewer or even removing machines.
 
"Banks have been able to justify unprofitable ATMs because of branding and customer convenience," Sturgill said. "Merchants who decided not to keep ATMs because they were not profitable enough to justify the upgrade probably made a good decision to let those ATMs go."
 
The PCI council maintains a list of approved PIN-entry devices on its
 
Visa maintains a list of pre-PCI devices and information specific to the Visa PED program on its PIN-specific site.

PCI, a look ahead
 
More security-compliance mandates keep coming.
 
All new ATMs sold after Dec. 31, 2007, must comply with PCI's PIN-entry device security requirements. Visa has said acquirers deploying ATMs today with PED devices that are not on the current list approved for compliance will be liable if a PIN compromise occurs, and could face penalties from Visa.
 
"Should there be a compromise, the forensic analysis will look at the weakest link, and if you have an EPP (encrypting PIN pad) that's not the most current version, you take a risk," said John Del Guidice, chief executive of ThoughtKey Inc., a security assessor and consultant that specializes in PCI compliance.
 
Visa has not, however, set a sunset date for the use, on existing ATMs, of PED devices deployed before the new list of devices was approved.
 
