De-Mystifying Triple DES
The new super-encryption standards imposed by the card networks have provoked plenty of
questions, some of which don’t yet have answers. Now that compliance deadlines are looming,
wisdom begins with a close examination of your budgets and operations, says Dave Parlin.
Dave Parlin is president of The ATM Exchange, an ATM refurbishment, parts, repair, and technical-support
company.
When it comes to the Triple Data Encryption Standard (Triple DES), ATM owners are having difficulty
understanding all their options and obligations, mainly because of the budgeting and operational challenges
involved.
Yet, many ATM owners, especially smaller regional financial institutions, independent community
banks, and credit unions, have to find answers fast to hard questions as they bring their installed ATMs into
compliance with Triple DES requirements from MasterCard International, Visa International, and various
regional EFT networks. Some of those questions are ones the EFT industry still cannot fully answer.
Put simply, Triple DES does not encrypt the personal identification number (PIN) three separate times; it runs
the DES cipher three times in sequence (encrypt, decrypt, encrypt) under two or three independent 56-bit keys, so
the effective key length grows from the 56 bits of single DES, which can now be searched exhaustively, to 112 or
168 bits. The ATM's encrypting PIN pad applies this to the formatted PIN block before the ATM sends the
transaction to an EFT processor for authorization. Note that the extra strength comes from the independent keys:
a double-length key whose two halves are identical makes the middle decrypt undo the first encrypt and leaves
plain single DES.
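To make the mechanism concrete, here is an added example written for this edit; it is not code from the article or from The ATM Exchange. Go is used because its standard library ships both DES and Triple DES. The program formats a PIN into an ISO 9564 Format 0 PIN block (the standard 8-byte PIN/PAN combination an EPP encrypts), encrypts that block under single DES, two-key Triple DES and three-key Triple DES, and includes a check on the key itself: a double- or triple-length key with equal components gives only single-DES strength. The PIN, PAN and keys are constructed sample values, not real card data or production keys.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// PINBlockISO0 builds an ISO 9564-1 Format 0 PIN block: the PIN field
// (control nibble 0, PIN length nibble, PIN digits, F padding) XORed with
// the PAN field (0000 + rightmost 12 PAN digits excluding the check digit).
func PINBlockISO0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, fmt.Errorf("PIN length %d outside 4..12", len(pin))
	}
	if len(pan) < 13 {
		return nil, fmt.Errorf("PAN must carry at least 13 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	for len(pinField) < 16 {
		pinField += "F"
	}
	panField := "0000" + pan[len(pan)-13:len(pan)-1]
	p, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	q, err := hex.DecodeString(panField)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// EncryptPINBlock encrypts one 8-byte PIN block. An 8-byte key selects
// single DES; 16 bytes is two-key Triple DES (K1, K2, K1); 24 bytes is
// three-key Triple DES. Triple DES is encrypt-decrypt-encrypt (EDE).
func EncryptPINBlock(key, block []byte) ([]byte, error) {
	if len(block) != 8 {
		return nil, fmt.Errorf("PIN block must be 8 bytes, got %d", len(block))
	}
	var blk cipher.Block
	var err error
	switch len(key) {
	case 8:
		blk, err = des.NewCipher(key)
	case 16:
		blk, err = des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	case 24:
		blk, err = des.NewTripleDESCipher(key)
	default:
		return nil, fmt.Errorf("key length %d is not 8, 16 or 24 bytes", len(key))
	}
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	blk.Encrypt(out, block)
	return out, nil
}

// EffectiveSingleDES reports whether a key gives only single-DES strength.
// In EDE, K1 == K2 makes the decrypt undo the first encrypt, leaving E(K3);
// K2 == K3 leaves E(K1). Check key components, not just key length.
func EffectiveSingleDES(key []byte) bool {
	switch len(key) {
	case 16:
		return bytes.Equal(key[:8], key[8:])
	case 24:
		return bytes.Equal(key[:8], key[8:16]) || bytes.Equal(key[8:16], key[16:])
	}
	return true // a single-length (or malformed) key is not Triple DES at all
}

func main() {
	// Constructed sample values: not real card data or production keys.
	k1, k2 := []byte("01234567"), []byte("89ABCDEF")
	block, err := PINBlockISO0("1234", "4000001234567899")
	if err != nil {
		panic(err)
	}
	fmt.Printf("PIN block     %X\n", block)
	cases := []struct{ name string; key []byte }{
		{"single DES", k1},
		{"2-key TDES", append(append([]byte{}, k1...), k2...)},
		{"K1==K2 TDES", append(append([]byte{}, k1...), k1...)},
	}
	for _, c := range cases {
		ct, _ := EncryptPINBlock(c.key, block)
		fmt.Printf("%-12s  %X  single-DES strength only: %v\n", c.name, ct, EffectiveSingleDES(c.key))
	}
}
```

Running it shows the "K1==K2 TDES" ciphertext equal to the single-DES ciphertext under K1, which is the point of the key check: a Triple-DES-capable EPP loaded with a double-length key whose halves match protects the PIN no better than the single-DES unit it replaced.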
MasterCard and Visa made Triple DES an issue for retail bankers and other ATM owners by mandating
that all ATMs participating in their respective global networks become Triple-DES compliant.
Deadlines: MasterCard has mandated that by April 1, 2005 all new and existing ATMs must be Triple-DES
compliant unless a waiver has been granted for a special situation. Visa’s official Triple DES policy is
still fairly flexible, but it does stipulate that ATMs with newly installed Encrypting PIN Pads (EPPs) must
have Triple DES approval after July 2004.
While bank card associations, regional ATM networks, and processing companies have set clear
deadlines for Triple DES compliance, they aren’t providing ATM owners with all the answers they need to
comply. For instance, it’s still unclear how MasterCard and Visa will enforce their deadlines or whether
ATM programs will become eligible for “grace periods” or “grandfather” options, given the short window
for full compliance. Also, the Triple-DES standards are still evolving.
Hardware: What happens if an ATM owner purchases a security solution or new ATM that is
theoretically (vendor self-certified) compliant today but needs an upgrade to meet MasterCard’s or Visa’s
standards at a later date? If the equipment is not fully Triple-DES compliant, will ATM owners be faced with
product recalls or additional compliance costs or will the manufacturers pick up the bill to retrofit?
In my opinion, the entire issue of Triple-DES approval/certification needs to be demystified. As many as
380,000 ATMs exist domestically and the worldwide total is approximately 1 million. In 2003 ATM
manufacturers shipped approximately 56,000 theoretically Triple-DES compliant ATMs and an undisclosed
number of Triple-DES upgrade kits (EPPs and software). At this current rate of manufacture and delivery,
can enough product be made available by the present suppliers to meet the deadlines? Or should other
non-vendor solutions be approved by Visa, so far the only network to have contracted for a testing facility,
and supported by all the ATM service companies, such as Diebold, NCR, and independent third parties?
Choices: ATM owners need to find the Triple-DES solution that’s right for them. The choices are:
De-install ATMs that are too expensive to upgrade or replace;
Purchase new compliant ATMs;
Install Triple DES solution kits.
The solution will become obvious when considerations such as budgets and the objectives of the ATM
program are addressed. Information is plentiful by accessing TripleDES.com, ATMmarketplace.com’s Triple
DES Guide, or Visa at this link, http://international.visa.com/fb/vendors/pin/pedapprovallist.jsp, for a list of
approved vendors. At this time, the only approved PIN Entry Devices (PEDs) on that list are for POS
equipment; so far, there are no approved PEDs for ATM equipment.
Service organizations are your most impartial source for information, but you need to research your
options just to be sure. For instance, any vendor seeking Visa’s approval for its Triple-DES hardware or
solution must go through a rigorous certification process. This includes submitting extensive documentation
and prototypes to T-Systems ITC Security, Visa’s independent testing laboratory in Bonn, Germany.
MasterCard expects to have a similar testing procedure and facility in place by July 2005.
We, along with our contract manufacturers Sagem and Thales e-Security, are among the vendors
working on a Triple-DES product approved by Visa (T-Systems) and regional EFT networks such as
Shazam, NETS, Columbus Data, Moneymaker, Instant Teller, and eFunds, to name a few.
Ideas:
Form an internal task force chaired by the ATM Program Manager;
Assign to different members various considerations such as budget, cost to upgrade vs. replacement,
deadlines, etc.;
Access all sources of Triple-DES information.
Keeping both budgeting and operations perspectives in mind, it’s important for ATM owners to be fully
cognizant of fast-approaching Triple DES compliance deadlines and to form an action plan. It’s also
important for ATM owners to deal with Triple DES on a timetable that fits each program’s individual needs
and budget requirements and not use Triple-DES migration as a reason to make radical changes to their
ATM programs.
For instance, a financial institution may not need new ATMs equipped with the latest Windows
operating system software that only the manufacturers can access if older ATMs that run on OS/2
can be Triple-DES certified at an affordable price with a conversion kit or other security solution.
ATM owners can solve the Triple DES compliance dilemma with a realistic action plan and good
sources of information. However, they cannot wait too long. That is a luxury Visa and MasterCard aren’t
permitting.