
More networks finalizing Triple DES deadlines

After some fits and starts, most leading electronic funds transfer networks -- including Star and NYCE -- are finalizing deadlines for ATM vendors, deployers and transaction processors to comply with stricter standards for encrypting PIN-based transactions.

November 21, 2002

Reprinted with permission from ATM&Debit News, a weekly electronic newsletter based in Chicago. Subscriptions available at 212-631-9780 or go to this Web site.

After some fits and starts, most leading electronic funds transfer networks are finalizing deadlines for ATM vendors, deployers and transaction processors to comply with stricter standards for encrypting PIN-based transactions.

However, much work still has to be done to upgrade software and hardware, or to replace hardware altogether, to ensure a smooth transition to the stricter Triple Data Encryption Standard, or Triple DES, from the currently used Single DES standard, observers say.

According to ATM&Debit News, most of the leading ATM network switches recently joined MasterCard International and Visa U.S.A. in adopting new compliance deadlines. Moreover, it is anticipated that most networks will adopt a single standard for the security of encryption codes -- called keys -- to be loaded into ATMs.

Triple DES uses an enhanced encryption key pad residing in ATMs and point-of-sale terminals that makes it far more difficult for even the fastest computers to determine all the possible algorithmic combinations used to scramble PINs keyed in by consumers. The use of Single DES keys, while effective for decades without any known security breaches by computer hackers, is now thought to be vulnerable to today's faster computer processors.

The nation's largest PIN-based debit network, Star, owned by Memphis, Tenn.-based Concord EFS Inc., is mandating that after June 30, 2003, all new and replacement ATMs be capable of supporting Triple DES transactions. It also set a Dec. 31, 2005, deadline for all ATM transactions sent through Star to be Triple DES encrypted.

The second-largest ATM network in terms of transaction volume, Woodcliff Lake, N.J.-based NYCE, has set a Jan. 1, 2003, deadline for all new and replacement ATMs to be capable of supporting Triple DES. The network has not yet established a deadline for ATM transactions flowing through NYCE to be Triple DES encrypted, says Susan Zawodniak, NYCE executive director.

Zawodniak says the deadline likely will be sometime in 2005, but network officials are still trying to gauge the financial impact on deployers and processors. The results of a recent survey of processors indicate that most ATM deployers will meet the 2003 machine-capability deadline, she says.

The Co-Op Network of credit unions soon will publish a deadline for new and replacement ATMs to be Triple DES capable beginning in the third quarter of 2003, says Co-Op CEO Robert Rose, predicting that as larger ATM networks establish Triple DES deadlines, smaller ones will follow.

Visa and MasterCard have set several Triple DES deadlines for their Plus and Cirrus ATM networks, respectively. MasterCard has set the toughest deadline of April 1, 2003, for when all of the association's Cirrus members' hardware and host processors must comply with Triple DES standards in preparation for all Cirrus transactions to be Triple DES encrypted by 2005.

Visa set a Jan. 1, 2003, deadline for new and replacement ATMs to be capable of sending Triple DES transactions through Plus, whose brand mark Visa says is on nearly all U.S. ATMs.

Alan D. Falconer, senior vice president at Paragon Data Services, which is doing Triple DES consulting work, says Visa delayed a hardware and processor-compliance deadline until Jan. 1, 2004, in part, to review the effect MasterCard's earlier deadline has on Cirrus participation.

Indeed, MasterCard could suffer because of its Triple DES leadership, says Falconer, as nonbank ATM operators may take the Cirrus mark off thousands of ATMs that cannot be upgraded by April 1, 2003. "MasterCard may take a hit on this," he says.

Falconer estimates that 35 percent of the estimated 352,000 ATMs operating in the U.S. cannot be upgraded to comply with the new standards and will have to be replaced. Most ATM suppliers now sell only ATMs that are Triple DES capable, and several, notably Dayton, Ohio-based NCR Corp. and North Canton, Ohio-based Diebold Inc., offer upgrades that include new Triple DES capable key pads that can be installed on most existing ATMs, notes Falconer.

To more tightly secure the distribution of keys used to formulate the encryptions, deployers can automatically download the keys into an ATM using communications lines instead of human operators. Tampering with the keys automatically destroys them for use in that particular machine, and networks will not switch transactions from the ATM until new keys are installed.

Few deployers have installed the key pad upgrades. Small deployers particularly are wary of making significant Triple DES investments until more deadline and pricing information is known, says Rob Evans, NCR director of marketing. "Some folks haven't done anything, while some folks are pretty far along," he says. "The majority of the financial institutions will be ready, but not all will make the day."

Dean Stewart, Diebold manager of software products, says the Triple DES cost to deployers can range from several hundred dollars per ATM on new machines to up to $3,000 per ATM for upgrades on older ATMs. Consequently, many financial institutions are replacing older machines earlier than planned, he says.

Nonbank ATM operators, however, appear to be a more complex problem. Evans says the networks are concerned about nonbank ATM operators' ability to manage and secure the algorithmic keys. Most leading networks are expected to adopt standard management rules for the keys, which can be used to crack encryptions as well as make them more complicated to crack.

NYCE has placed liability for security breaches of the keys on financial institution sponsors of nonbank ATMs. "The bank that is involved in the sponsorship is responsible for the security of that machine," says Zawodniak.

An unidentified industry source tells ATM&Debit News that such a liability rule, which the source says Star will adopt as well, targets large bank sponsors of nonbank ATMs. The goal is for ATM sponsors to take a leading role in ensuring their clients have adequate key-management measures in place, says the source.

Bank ATM deployers already are liable for losses caused by security breaches on their ATMs, notes the source. "The networks don't want the ISOs to be sloppy," he says.
