The Green Sheet, Inc


The 'gray' areas of Triple DES

By Tracy Kitten, ATMmarketplace.com

What's important

• MasterCard's April 1, 2005 and Visa's Dec. 31, 2005 deadlines haven't moved, although a number of extensions or grace periods have been granted. Visa won't enforce its deadline until Dec. 31, 2007.

• Neither MasterCard nor Visa has publicly said whether deployers that fail to comply with the Triple DES mandate will be fined, denied access to the network(s) or simply held liable if a security breach occurs.

• Deadline ambiguity, confusion about compliance and the upfront investment have led some FIs and ISOs to wait as long as possible.


This story was originally published on ATMmarketplace.com, Dec. 19, 2005; reprinted with permission. © 2006 NetWorld Alliance LLC. All rights reserved.

Triple DES. Some wonder if it's more of a conundrum than a definitive mandate. Since 2001, when MasterCard International first introduced the idea of moving to a harder-to-crack code, the deadline for upgrades to existing ATMs (and POS terminals) has been a moving target. A quick scroll through ATMmarketplace's archives proves that.

Jerry Silva, a Senior Analyst with Boston-based consultancy TowerGroup, said a penalty for noncompliance is doubtful and between 20% and 30% of U.S. financial institutions don't have Triple DES compliance even on the radar.

"I can't imagine there would be a big penalty," he said. "I think it will be like EMV in Europe, where you're liable if there is a case of fraud, but beyond that, it's not a big deal."

The truth, however, is that no one really knows what will happen if the Triple DES mandate isn't met, although most suspect MasterCard and Visa International won't enforce a penalty. And that absent fear of retribution has led to a great deal of hesitation, especially in the ISO space.

Other contributing factors, including deadline ambiguity, the lack of a big-picture understanding of the standard, and the cost associated with upgrading and replacing ATMs also have stalled the conversion process.

A look back

Most of the industry, by now, is very familiar with Triple DES. It's the complex encryption standard that is harder for hackers to break than single DES.

As of Jan. 1, 2003, all newly deployed ATMs were required to support Triple DES. But deadlines for bringing existing ATMs into compliance, at least in the United States, have been confusing.

Sam Ditzion, President and Chief Executive Officer of Boston-based Tremont Capital Group, an ATM industry advisory firm, said the Triple DES deadline has been more gray than black and white.

"I suspect that we'll see a somewhat ambiguous gray period during the first part of 2006," he said. "Many ATM operators lacking formal extensions are not 100% Triple DES compliant yet, but I suspect that the networks and processors will either temporarily look the other way or officially warn, but not fine."

MasterCard's April 1, 2005, deadline didn't get pushed, but a number of extensions were granted. And Visa has come up with a compliance pyramid on which different deadlines have been set for different regions of the world.

In the United States, the deadline won't be enforced until Dec. 31, 2007, according to information posted on Visa's Web site, to which Visa referred ATMmarketplace in lieu of comment. No one at MasterCard could be reached.

"I think the difficult part is determining, 'What is the ultimate compliance method?'" said Kevin Gregoire, Executive Vice President of Products and Networks for Brookfield, Wis.-based Fiserv Inc. "How strong will the compliance be enforced?

"On one end of the spectrum the date comes, and in the event the client is not compliant, the strongest position would be that the ATM is being removed from the payment system, and that causes some disruption," which makes it unlikely.

Wayne Vandekraak, President and CEO of Beaverton, Ore.-based Solvport LLC, an independent ATM service company, said ISOs have been going in circles to understand the deadlines, and that's been an issue.

"The biggest problem has been the extension after extension," he said. "I don't think smaller ISOs realize the risks they're running, but I think larger ones do, and that's why they're moving forward."

TowerGroup's Silva said only an estimated 35% of the United States' 180,000 to 190,000 FI ATMs have been upgraded and/or replaced. He added that some mid-sized and small FIs will just wait it out.

Dean Stewart, Director of Software Product Marketing and Management for North Canton, Ohio-based Diebold Inc., the No. 1 ATM manufacturer for U.S. FIs, said compliance for Diebold customers is closer to 75% in the U.S. FI space, but it's definitely not close to 100%.

"There were so many different dates," he said. "I would have thought that we'd be a little further along than we are now, but with the waivers, I'm not surprised."

Stewart said confusion surrounding the mandate led many deployers, especially FIs, to wait before moving forward. And Fiserv's Gregoire said not fully understanding the benefits of Triple DES led some FIs to hold off.

On the ISO side, cost has been the hold up, said Mike Cowart, Director of Operations for Atlanta-based RBS Lynk's ATM Services Division. "It's costly. You've got to convince a merchant that you sold an ATM to [him] five or six years ago that he needs to upgrade, and that's a tough sell."

Triple DES upgrades and replacements haven't brought in the big bucks everyone expected. Executives at both NCR and Diebold have admitted that their companies were expecting higher ATM sales during the first two to three quarters of 2005, as FIs worked to replace older ATMs to meet the compliance deadline.

Sabrina Andrews-Turner, President of Grand Prairie, Texas-based Pi Systems International, which provides upgrade kits to FIs, said kit sales are just beginning to pick up. "I'd say our customer base has doubled since this time last year," she said. "We had a lot of interest in early 2003, because they thought all of this would happen in early 2005, the original deadline. And then when they realized the deadlines would be pushed, things slowed down in 2004. But now, with Visa and MasterCard saying this is it, 2005 has been a real bang-up year."

Processors put pressure on deployers

What has changed since last year is that processors are taking a lead role in spearheading the Triple DES switch. Fiserv, which owns the Accel/Exchange EFT network, is pushing for a Dec. 31, 2005 deadline but will continue to process transactions on both single and Triple DES.

RBS Lynk has extended its compliance deadline to Dec. 31, 2006 and is actively working with ISOs to bring their portfolios into compliance.

Ron Herman, Executive Vice President of Nebraska Electronic Transfer System Inc. (NETS), said all but about six of the 325 Nebraska FIs NETS works with have made the conversion. Of the 1,700 ATMs NETS processes transactions for, only 200 needed an extension until April 2006. "We're confident that we'll have all except those 200 [ATMs] switched over by end of this year," he said, "well before what Visa is requiring."

Link to original article: www.atmmarketplace.com/news_story_24738.htm

Article published in issue number 060102

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.