ARLINGTON, Va. – As a key deadline passes for having a new security technology up and running in their ATMs and EFT switches, a significant number of credit unions and EFT networks have found it difficult to meet the new standards on time. Instead they have had to ask MasterCard, which has imposed the deadline, for more time to bring their ATM operations into compliance with the new security requirements. At issue is so-called Triple DES, an advanced encryption standard based on the 1977 Data Encryption Standard (DES). VISA and MasterCard began introducing the standard in order to proactively address increased threats to the security and soundness of the country’s most popular electronic banking service. By encrypting ATM personal identification numbers and other transaction data three times, Triple DES – when properly implemented – has the potential to make data billions of times more secure, according to the standard’s promoters. By roughly the spring of 2005, any ATMs, EFT Networks and point of sale terminals that accept VISA or MasterCard will have to use the technology. MasterCard has set a deadline of April 1, 2003 for ATMs installed in the last year to become compliant and a deadline of April 1, 2005 for all of the ATMs to become compliant to the new standard. VISA has not published a similar final deadline but has signaled it will adopt a schedule similar to MasterCard’s, according to Kurt Helwig, executive director of the Electronic Funds Transfer Association, based in Herndon, Virginia. The Houston-based Pulse EFT network and the California based CO-OP network are among the networks that have asked for, and received, a waiver from the April 1 2003 deadline. MasterCard has declined to report which networks or financial institutions has asked for a waiver or whether or not they have received one. But the card association has estimated on the record that less than 1% of its 23,000 financial institutions will fail to meet the 2005 deadline, whether or not they have asked for a waiver from the 2003 date. Helwig declined to estimate how many ATMs across the country will be compliant to the new standard by 2005 or whether the card associations might move their final deadlines back to accommodate deployers and networks who might be slow in upgrading their equipment. To help clarify the situation, the association will hold a one-day seminar in Dallas on April 3, Helwig said. Even at this late date there is a lot of confusion about requirements, hardware and software availability and deadlines for compliance, Helwig explained. “We are hoping to get as many players in the same room as possible to clear up some of the confusion,” he added. The April 3 seminar will feature speakers from several of the EFT networks, including PULSE and STAR, along with representatives from manufacturers and banks. MasterCard and VISA are sending a representative as well, but no credit union executives are on the agenda. Matter Involves More Than ATMs People may have underestimated the time and work needed to get Triple DES ATMs up and running, including network integration and debugging, because so much attention was focused on just finding and buying Triple DES capable ATMs, explained Susan Zawodniak, executive director of the NYCE network. NYCE is not one of the networks that has asked for a waiver from the 2003 date, and Zawodniak reported that its switches, hardware and software already use the new technology. Zawodniak pointed out that many small financial institutions might not have understood the difference between having ATMs that are capable of using the Triple DES technology and actually use Triple DES, which is the standard for compliance. “There is a distinction,” she said. “It’s not enough just to have machines in place that can do this, the ATMs have to be tested using it and be connected to a network which also supports it,” she said. This was part of the reason CO-OP Network applied for and received a waiver from the standard on the behalf of some of its member credit unions, reported Gene Polito, President of CO-OP Network for EFT Services. “We had a number of members whose machines were not going to be ready and we said why don’t we just go to MasterCard on behalf of them for a waiver,” Polito said. He reported that the Network’s switches and systems are compliant already as well. Polito noted that while the 2003 deadline addressed machines that had been purchased in the last year, the deadline said nothing about the machines necessarily being new or already capable of using Triple DES. “Some credit unions will buy refurbished machines instead of new ATMs,” Polito explained, and some of those machines will only be capable of using Triple DES after an upgrade he said. Part of the credit unions’ problems had been that the upgrades might have been slow to be shipped after purchase or that they may have only become available at all recently. “We have been urging our members to meet the standard and most of them are reporting delays of a couple of months, not a year or more,” he said. A key part of the Triple DES upgrade has been a Triple DES capable keypad, Polito pointed out, which CO-OP Network only just recently had a to use in machine upgrades. Pi Systems, a Dallas based firm, has developed a Triple DES capable keypad, with help from the CO-OP Network, which MasterCard certified in early March. The new keypad will cost credit unions about $3,200 to add it to their older machines. In the case of the PULSE EFT association, Karen Gardstein, executive vice president for finance and administration, said the problem has not been putting ATM capable equipment in place but testing it once its completely installed. The Houston-based association is involved in moving its processing and switching in house, Gardstein said, and that work has delayed the effort to get the new hardware and software tested and ready to go, she said. “We are mostly capable already,” she said, “but compliance requires testing and checking.” [email protected]