CONTINUE TO SITE »
or wait 15 seconds

News

Companies offer TDES upgrade alternatives

With vendors' reluctance to provide Triple DES upgrades for their early ATM models, many deployers believed that their oldest machines had been given a death sentence. However, several companies hope to give the ATMs a reprieve with devices designed to make them Triple DES compliant.

November 3, 2003

With MasterCard's and other networks' requirements that all ATMs must be Triple DES compliant in 2005 and vendors' reluctance to provide upgrades for early ATM models, many deployers believed that their oldest machines had been given a death sentence.

Several companies hope to give some of the older machines a reprieve with devices designed to make these ATMs -- including such popular models as Triton's 9500, NCR's 5000 series and Diebold's 1060 and early 1000 series -- capable of running Triple DES.

ATM Exchange 3DES Plus™

ATM Exchange, a Cincinnati-based ATM refurbishment and service company, began developing a product shortly after vendors announced they didn't plan to support some of their early models, which continue to be top sellers in the refurb market.

"That's a core part of our business, so of course we want to continue to support those machines," said Dave Parlin, president of ATM Exchange.

Working with Thales e-Security, ATM Exchange originally developed a product called the DES Wizard. The first prototype did not include an EPP (Encrypting PIN Pad).

After both MasterCard and Visaspecified that PINs must be encrypted at the point of entry, as required by both ISO (International Standards Organization) and ANSI (American National Standards Institute) standards, ATM Exchange added a certified EPP.

Earlier this year, ATM Exchange changed the name of its product to 3DES Plus™.

One of the biggest issues ATM Exchange had to address, Parlin said, was how to have its EPP handle PINs in a secure way while allowing non-encrypted information such as withdrawal amounts to be sent to the ATM processor in the clear. The 3DES Plus processor needed to recognize when a PIN entry screen was being requested so that it could "tell" the EPP when data needed to be encrypted and when it did not.

In existing ATMs, no differentiating signal is sent to the PIN pad to identify PIN entry. ATM manufacturers modified their software to allow their new and upgraded machines to recognize when PINs were entered. ATM Exchange and Thales e-Security did not want to require any changes to the ATM software or configuration downloads, so they devised a proprietary method of identifying PIN entry.

Here's how the 3DES Plus works: When the processor's proprietary element recognizes that an ATM is instructing a cardholder to enter his PIN, it instructs the EPP to enter secure mode and store the PIN. Using a static digit, the EPP creates a "substitute" PIN and passes it to the ATM processor.

The ATM processor receives the substitute and continues normal processing. The actual PIN never leaves the EPP. When PIN entry is complete, the 3DES Plus processor resets the EPP to "clear" mode to allow data other than PINs to be passed to the ATM processor in the clear.

When the ATM processor has all of the necessary transaction information, it prepares a message for transmission to the host processor. The 3DES Plus processor intercepts the message and sends a copy of the account number to the EPP. The EPP creates a PIN block and encrypts it using Triple DES, then sends the encrypted PIN block back to the 3DES Plus Processor, which then sends it to the host.

The 3DES Plus processor sends the reply from the host back to the ATM processor unchanged. If a cardholder enters an incorrect PIN and the ATM requests a re-entry, the 3DES Plus processor repeats the same sequence of events.

Parlin said the 3DES Plus security enhancement, which retails for approximately $1,950, is designed to work on virtually all NCR and Diebold machines. Notable exceptions include Diebold's TABS and Cash Source Plus series of ATMs.

ATM Exchange has provided drawings of the 3DES Plus to MasterCard for its review, Parlin said. ATM Exchange also plans to submit the 3DES Plus to a Visa-certified lab for testing when testing facilities are available.

Parlin said that many ATM Exchange customers are concerned about purchasing new ATMs or investing in costly upgrades in an uncertain regulatory environment, when the Department of Justice has yet to sign off on its final requirement for audio-enabled ATMs and much of the world is adopting the EMV (Europay/MasterCard/Visa) standard and migrating to chip-based cards because of PIN security concerns.

"A lot of our customers would like to prolong replacement and keep the machines they have until everything shakes out," Parlin said.

Pi Systems 3DES Fix

Sabrina Turner, vice president of operations for Pi Systems, said many of her Euless, Texas-based service and refurbished ATM company's customers share similar concerns.

So Pi Systems developed the 3DES Fix. Like ATM Exchange's 3DES Plus, the original version of 3DES Fix did not have an EPP. In late 2002 the company added an EPP made by ATM manufacturer GTIto its product.

While Pi Systems believed its 3DES Fix would appeal primarily to deployers with ATMs at least 5 years old, Turner said the company is fielding many inquiries from people with models that are 3 to 5 years old.

"Some of them are being told they'll need a new processor, more memory and a new monitor. So they're looking at upgrades that are going to cost upwards of $10,000," she said.

Like Parlin, Turner said many deployers believe they can mitigate future costs by delaying upgrades until issues such as the pending changes to the Americans with Disabilities Act (ADA) are resolved. "They'd rather write one check and make sure they've got it covered," she said.

Turner said that 3DES Fix's software follows the states sent by the processor, enabling the control module to determine whether its EPP should be in Triple DES mode or clear text mode. The control module, which she called a "smart router," converts all DES ATM messages to Triple DES before sending the message to the network processor.

3DES Fix costs $3,500. Like 3DES Plus, it is designed to work on most NCR and Diebold machines. Pi Systems expects to offer a version for Fujitsu's 7000 series of ATMs by year's end, Turner said.

Pi Systems has picked up one endorsement, from Co-Op Network. "Their EPP extends the security and lifespan of our member credit unions' ATM fleets without requiring the purchase of additional hardware or software," said Gene Polito Co-Op Network's president of EFT Services. "Pi Systems is a solution, but we're still exploring other alternatives for clients that may extend the life of their ATMs."

Turner said 3DES Fix has already been certified by several transaction processors, including eFunds and Genpass. MasterCard has determined that Pi Systems' method of handling PINs is compliant with its security requirements, she said. Earlier this year, Pi Systems began circulating a letter to that effect written by a MasterCard executive.

Some questions

Alan Falconer, senior vice president of Paragon Data Services, an information technology and management consulting firm that is working with the Pulse EFT Association, Pacific Capital Bancorpand several other clients on Triple DES compliance and other issues, said products like 3DES Plus and 3DES Solution "are certainly creating a stir."

However, he asked, "If machines using these things start rejecting PINs, whose responsibility will it be? The manufacturer likely wouldn't stand behind it, and I doubt if Pi Systems is going to start issuing service contracts."

Rob Evans, director of industry marketing for NCR's Financial Solutions, agreed that ongoing support is an issue. "Will you have one guy for the keyboard/encryption device and another guy for everything else?" he said. "When someone calls 1-800-NCR, we like to be able to tell them we'll be right over with a part. That's not going to happen here."

Both ATM Exchange and Pi Systems say they are recruiting distributors from the ranks of independent ATM service companies to install and service their products.

Noting that NCR partners with manufacturers of peripherals such as money order printers and night deposit boxes, Evans said NCR wouldn't rule out some kind of an arrangement with companies that produce Triple DES conversion devices.

However, he said, "We haven't been able to get our hands on one of these things to run it through its paces. We don't really know if they meet the recognized standards for what constitutes a TRSM (tamper resistant security module) that are spelled out in the ANSI and ISO specifications."

Upgrading Triton's 9500

Two small ATM manufacturers, GTI and WRG Services, are selling Triple DES upgrade kits for Triton's 9500. Triton considered offering an upgrade for the 9500 but decided against it because of "lack of demand," said Anita Nobles Arguelles, Triton's marketing director. "Our distributors said their customers were more interested in new ATMs."

Bill Jackson, Triton's chief technical officer, estimates that there are perhaps 5,000 9500s, which Triton manufactured from 1995 to 1997, in the field. Jason Kuhn, WRG's general manager, believes the number may be much higher. "Those machines were so reliable. Probably just about every one (Triton) ever sold is still out there," he said.

WRG's 9500 conversion kit, as well as its Triple DES conversion kits for ATMs based on a Verifone 490 platform, "have been going out the door pretty steadily" since WRG began shipping them in July, Kuhn said.

The cabinet, power source, printer and De La Rue dispenser used by Triton remain with both WRG's and GTI's kits; the machine's circuit board, cables and keypad are replaced with new ones -- for less than $1,000. WRG will swap the 9500's dot matrix printer for a thermal printer for an additional $250.

No certification is necessary, Kuhn said, because the product uses WRG software and an EPP that have already been certified.

To help boost recurring revenue, WRG is offering its kits at no charge to its existing distributors who re-up with new, five-year transaction processing contracts, Kuhn said.

Ongoing service is not as big of an issue for 9500s as it is with NCR and Diebold machines. WRG has a service department, which helps its distributors maintain and service Triton and Tidel machines in addition to its own Fast Cash and Vision 100 ATMs.

"We've been supporting 9500s since we bought our first one in 1996," Kuhn said.

Included In This Story

Triton Systems

Triton FI based products • NO Windows 10™ Upgrade • Secured locked down system that is virus/malware resistant • Flexible configurations - Drive-up and Walk-up • Triton's high security standards • NFC, anti-skim card reader, IP camera and level 1 vaults are all options • Triton Connect monitoring • Lower cost

Request Info
Learn More
Diebold Nixdorf

As a global technology leader and innovative services provider, Diebold Nixdorf delivers the solutions that enable financial institutions to improve efficiencies, protect assets and better serve consumers.

Request Info
Learn More

Related Media

Security
Examining biggest ATM security issues and 4 strategies to prevent them
Security
Banking privacy: 5 benefits for banks, customers
Security
Protecting an ATM's hardware, software by slowing down criminals
On-Demand Webinar
A Masterclass in ATM Security: Global Best Practices and Trends
Presented by Diebold Nixdorf
Recent Posts


©2025 Networld Media Group, LLC. All rights reserved.
b'S1-NEW'