
Triple DES debate continues

A panel discussion at the recent ATM Industry Association Summit in San Diego, Calif., provided proof positive that there is little, if any, industry consensus on implementing Triple DES encryption. Among the questions addressed by panelists: What constitutes a 'replacement' ATM?

September 3, 2003

A panel discussion at the recent ATM Industry Association Summit in San Diego, Calif., provided proof positive that there is little, if any, industry consensus on implementing Triple DES encryption.

"Everybody's jumping through different hoops," said Jason Kuhn, general manager of Willoughby, Ohio-based ISO WRG Services, after listening to the discussion.

Differing dates

Indeed, Star Systems will require every new or replaced ATM to be Triple DES compliant by June 30, 2003 -- more than a year after MasterCard's April 1, 2002 deadline for capable ATMs -- according to Hugh Burke, Star's vice president of internal audit and one of the panelists.

The difference between "compliant" and "capable" seems to boil down largely to software. MasterCard changed the wording in its original Triple DES schedule from "compliant" to "capable" after it became apparent that many vendors had the hardware required to run Triple DES -- but not necessarily the software.

Star wants all transaction hosts and processors to run Triple DES on machines that are capable of doing so by June 30, 2004 -- again, more than a year after MasterCard's date of April 1, 2003. Star's "drop dead" date for all ATMs to run Triple DES is Dec. 31, 2005 -- nine months after MasterCard's deadline.

Star is on track to have some ATMs running Triple DES long before that, Burke said. "Core Data has completed testing with several manufacturers. We expect to bring ATMs up in production running Triple DES by early 2003."

Panelist Bruce Sussman, director of internal audit for the NYCE network, said that NYCE plans to adopt an implementation schedule similar to Star's. "We're driving toward Dec. 31, 2005 as a date for all devices to be compliant."

While Visa was not represented on the panel, Stoddard Lambertson, Visa's PIN security program manager, announced in another presentation that Visa expects newly deployed ATMs to support Triple DES by January 1, 2003 -- nine months after MasterCard's April 1, 2002 deadline. Visa has not yet released other implementation dates.

When panelist Deb Kilburn, a consultant on Triple DES compliance for MasterCard, was asked why the two card companies couldn't work together on establishing dates, she said, "Contrary to what some people think, we do not agree on everything."

(This was a humorous reference to an earlier presentation by Dave Schneider, general counsel for the Pulse EFT Association, during which Schneider discussed a lawsuit in which Wal-Mart and other retailers allege that the two card companies forced them to pay higher interchange rates by unfairly "tying" their credit and debit products.)

More seriously, Kilburn said that MasterCard's intent was to "make it easier for our members to work toward one date" for full compliance -- perhaps somewhere in the window between the varying deadlines. "We want to be very flexible with our members, to come up with reasonable dates each member can make," she said, noting that guidelines for variance procedures are widely available.

ATMs on the move

Another area of dissent was the definition of "replacement" ATMs, which MasterCard mandates must be "Triple DES capable" by April 1, 2002 (or January 1, 2003, per Visa). This is a particular area of concern in the retail ATM world, where moving under-performing machines is common.

"We're handling that on a case-by-case basis," Burke said, explaining that Star does not consider machines that are de-installed and then immediately re-installed to be replacements.

"If it's pulled out and sits in a warehouse for some time, we would consider that a replacement. But our interpretation of the rules is that the regular movement of a machine -- where it's moved to another part of a store or down the street -- is not a replacement."

However, Kilburn said that as far as MasterCard is concerned, all ATMs that are moved are replacements. "If anything needs to be done to a terminal, an upgrade should take place at that time. You've known (Triple DES) is coming. We're encouraging people to make it a part of their planning process."

Fielding a question from an audience member concerning replacements, Kilburn said that deployers could apply for a variance. However, the questioner expressed a concern with turnaround time. "If I sell a machine, I can get it installed in a week. I can move it in a day," she said.

Addressing the question of a machine where physical location does not change but the processor does -- an even more common condition than movement in the competitive retail environment -- Burke said, "A conversion to us is not a replacement."

MasterCard holds a similar position on this point, Kilburn said. "We've already had a few of these situations come up, and we've been lenient."

Who decides?

An issue of increasing concern is which devices will be considered Triple DES compliant by card associations and networks. As vendors other than the major ATM manufacturers introduce devices that they claim can make machines compliant -- one company, Euless, Texas-based Pi Systems, displayed a product called 3 DES Fix in the ATMIA exhibit hall -- questions will arise.

All of the panelists agreed that the current practice of self-certification has shortcomings. Both Burke and NYCE's Sussman advocated the use of independent testing facilities.

"We've asked vendors to self certify, and there have been inconsistencies," Burke said. "Right now it's up to the member and the ATM owner to ask the right questions."

"NYCE does not and cannot have an approved device list," Sussman said. "Our advice is not to buy new devices unless you can get assurances that the hardware is secure. We hope that over time we can work through these issues collaboratively and come up with some common criteria."

According to Lambertson, Visa has approved one independent facility, San Luis Obispo, Calif.-based InfoGard Laboratories, for testing point-of-sale devices but has yet to do so for ATMs. Visa will consider a request for an ATM testing facility at its February 2003 International Board meeting, he said.

Kilburn said that MasterCard will review third-party products at the request of vendors and help them determine whether they meet MasterCard's requirements for Triple DES.

Panelist Dean Stewart, Diebold's director of product development, said that even the largest vendors are working on faith as they produce upgrade kits for their ATMs. "Our EPP (Encrypting PIN Pad) meets the standards as we understand them," he said.

Stewart said that "most" legacy machines are not Triple DES capable as defined by the networks today. However, he said, the majority could run Triple DES with the addition of an EPP, the appropriate software and, in some cases, more memory or a faster processor.

Panelist Dan Palczynski, NCR's director of marketing for Retail ATM Solutions, pointed out that many vendors are producing encryption modules that also facilitate remote key management.

Incorporating such technology -- even though it is still developing -- is a good idea, Sussman said. "(Triple DES) should be treated as a technology planning issue. It makes sense to solve other issues if you can do so."

Convert early, convert often

While the card associations and networks want to encourage conversion, they also hope to reduce cost and minimize downtime for deployers, Kilburn said. "Our intention is not to split hairs through this process, but to ultimately get to an end-to-end Triple DES capable network."

All of the panelists encouraged deployers -- particularly those with large networks -- to fast-track their conversion plans. It makes more sense to upgrade over time rather than taking on hundreds or even thousands of conversions at once, Burke said.

WRG's Kuhn agreed with the idea in principle. However, he expressed concern that early adopters could lose business to companies with less proactive plans.

"All we want is a level playing field," Kuhn said. "We're trying to spread the message that when Visa and MasterCard throw the switch in 2005, the merchants could have their machines shut down. But there are companies out there telling them that they don't need to worry about spending any extra money. It's hard to compete with that."
