DEARBORN, MI – By 2005, technological security changes may dictate that 35 to 40% of credit union ATMs will have to be replaced, says Alan Falconer, vice president of the Dearborn, Mich.-based Paragon Data Services. As a result of the upcoming modifications, credit unions should begin changing their contracts with ATM providers to account for the technology shifts and should begin phasing in the new, higher security ATMs, he said. At issue are the so-called Data Encryption Systems (DES) which ATMs and other technologies use to transmit secure data across phone and network lines. Traditional standard ATMs use the old, now outdated, industry standard, called Single DES. The new ATMs use what is called Triple DES, or three times the security protection of the old machines. The change may require many credit unions to replace at least part of their stock of old ATMs with the new ones, Falconer says. IBM created Single DES Traditional, in the mid-1970′s to both encrypt and decrypt data. Single DES used collections of up to 56 characters to create over 72 quadrillion possible combinations to serve as "keys" to encrypt and then decrypt sensitive material for computer storage or transmission over phone lines. Single DES rapidly became the industry standard. The defense and intelligent communities adopted it, along with various other government entities and IBM released the algorithm the program used to the public domain. In ATMs Single DES encrypts the users PIN number and transaction before sending over phone lines to be verified and approved. But the Single DES had a problem; it could be cracked and defeated. Beginning in 1997, in a series of highly publicized occasions, computer experts broke Single DES. The first attempt, in 1997, took 97 days. But the second, in 1998, took only 56 hours and the third, in 1999, defeated Single DES in a mere 22 hours, 15 minutes. "Literally they simply overwhelmed it with processing power," Falconer said, adding that Single DES' defeats convinced both the defense and intelligence communities, along with the financial services industry, to abandon it as a standard. The replacement, called Triple DES, triples the security protection by using up to 128 characters to create character combinations for not one but three keys, thus making the data relatively invulnerable – at least for now. Speaking recently at the Co-Op Network's annual meeting in Las Vegas, Nev., Falconer described how the new technology would impact credit unions' ATM operations. Mastercard and Visa are going to require financial institutions to adopt the new technology and there are many ATMs that just won't be able to do so, Falconer said. "Most major ATM vendors say their new ATMs can be upgraded to work with Triple DES," Falconer said, but most of their models currently in place cannot be upgraded and will have to be replaced." For example, Diebold, a major ATM manufacturer, says all its current ATM can be upgraded to accept the new technology, but models numbered 5000, 9000, 1060, 1061, 1070i, CSP, and CSP100 cannot be, Falconer reported. In addition, after a credit union replaces its old machines with those which can be upgraded to Triple DES it will actually have to pay for the upgrades which, depending on the manufacturer and machine model, can range from $800-$1,700, Falconer said. The costs for Triple DES compliant machines "off the line" will probably only be $300-$500 more, Falconer said. The higher costs will come with making the upgrades, he added. "Given these realities, I am urging credit unions to go ahead and specify in any contracts with ATM vendors that the machines be Triple DES compliant when they buy them, even if that means the vendor will have to come and make upgrades," Falconer said. "I am also urging credit unions to begin phasing in Triple DES compliant machines now to spread the cost out over time," he added. Timetables for change So far Mastercard and Visa have taken slightly different approaches to the changeover. Mastercard has issued deadlines by which time it says its financial institutions must have Triple DES compliant machines in place. Visa has set no such deadlines but has signaled that it will also adopt a similar timetable. Currently, Mastercard requires all its members' new ATMs be able to accept upgrades to Triple DES. Credit unions' current stock of ATMs are exempt, but if a credit union moves an ATM from one location to another it cannot continue using the old machine but must replace it with an upgradeable model, if not one that is entirely Triple DES compliant. All ATMs, in all locations, have to be Triple DES compliant by 2005, Mastercard says.