News

Getting Triple DES compliant

February 14, 2006

This article appeared in the ATM & Financial Self-Service Executive Summary, Winter 2006.

Since 2001, when MasterCard first introduced the idea of moving to a harder-to-crack code, the deadline for upgrades to existing ATMs has been a moving target.

At this point, no one really knows what will happen if the Triple DES mandate isn't met - although many are gambling that MasterCard and Visa won't enforce a penalty. The lack of consequences has led to a lot of hesitation.

"Not doing anything seems silly, especially when you can retrofit an existing ATM for Triple DES," said Madhavi Mantha, a senior analyst with Boston-based consultancy Celent LLC.

But confusion associated with upgrade and replacement costs, in addition to a hazy understanding of the standard itself, has stalled the conversion process. Jerry Silva, senior analyst of delivery channels for Boston-based consultancy TowerGroup, estimates that only 35 percent of the U.S.'s 180,000 to 190,000 FI ATMs have been upgraded and/or replaced to meet Triple DES requirements.

Jerry Brown, marketing coordinator for Springboro, Ohio-based ATM Components & Technology Inc., said most FIs "are making their decision to upgrade or replace based on the high cost of upgrading with an OEM solution that could cost in upwards of $10,000. This is not the complete picture."

Many third-party providers like ACT are selling upgrade kits for NCR and Diebold machines for about $3,000, Brown said. "Our kit, for instance, not only upgrades to Triple DES security standards but also provides configuration flexibility via protocol conversion, such as serial-to-IP. Strong future capabilities like Remote Key Entry provide investment protection."

And like Mantha, Brown said those who hesitate on compliance are taking chances.

"It was deemed important enough to customer security to issue a mandate to improve security in the first place, and I don't think it will reflect well on the financial institutions that are willing to trade customer security for time and dollars."

Processors put pressure on deployers

To give FIs a push, some processors are taking the lead in the Triple DES switch.

Fiserv and First Data Corp. - which owns the Star Network - pushed for a Dec. 31, 2005, deadline. In addition, a spokesman for Nebraska Electronic Transfer System Inc. (NETS), said all but about six of the Nebraska FIs NETS works with are compliant.

Companies like ACT and its partner Grand Prairie, Texas-based Pi Systems International, are working with processors to get FIs compliant. In 2004, ACT joined Pi Systems and West Berlin, N.J.-based data communications company Sunhillo Corp., which focuses on the data encryption side.

"The results are a trilateral organization with all of the key ingredients to serve the maintenance field, as well as understand and problem-solve with processors around the world," Brown said. "Each processor can potentially bring a different set of data-communication problems into the process, so it's important to work with a company that is capable of understanding the variables."