ATM Servicer Suing Visa Over Compliance Deferral

A Cincinnati automated teller machine servicer is crying foul over Visa's 2004 decision to defer indefinitely a certification deadline for systems that can upgrade ATMs to comply with the Triple DES encryption standard.

ATM Exchange Inc. filed a lawsuit in mid-November in the U.S. District Court for the Southern District of Ohio against Visa International and Visa U.S.A. The servicer is seeking to recover $16.8 million of development costs and lost sales because of the deferral.

Executives from ATM Exchange would not discuss the suit, but according to the complaint, the issue centers on the company's 3DES Plus system, which lets ATM owners upgrade their machines to comply with Triple DES.

Several years ago MasterCard International mandated that all ATMs begin using the standard by the end of last year; Visa's compliance deadline will come at the end of next year. The requirement prompted an industry-wide wave of upgrades and replacements.

Visa initially required all newly deployed ATMs - and the products that owners could use to upgrade old machines - to be tested and approved at an independent, Visa-recognized laboratory by July 1, 2004.

According to the lawsuit, ATM Exchange tested its 3DES Plus product at a lab in Dusseldorf, Germany, made revisions to meet Visa International's requirements, and had the product retested in May 2004.

Visa issued a formal letter of approval dated June 24, 2004, to ATM Exchange "signifying that 3DES Plus had satisfied Visa's requirements, and Visa listed 3DES Plus on its Web site as an approved device," the complaint states.

After receiving the letter, ATM Exchange "made further substantial additional investments in components so as to begin manufacturing and selling 3DES Plus to meet the reasonably expected demand for it," the suit said.

However, ATM Exchange says that a day after the letter was sent, Visa announced on its Web site, "without any explanation," that it had issued a "temporary deferment of Visa's requirement that all newly deployed ATMs be laboratory evaluated and approved by Visa through the current Visa security testing process."

Visa has not issued a new deadline for the testing requirement, and ATM Exchange said the deferral had a "devastating negative impact on its business and financial well-being."

The suit also claims that before ATM Exchange submitted 3DES Plus to the German lab, Visa already knew that it was "not going to hold to either the previously announced standards or the July 1, 2004 deadline for ATMs."

Lance Johnson, the vice president of risk policy and operations for Visa International, would not discuss the lawsuit, but in an interview Thursday he said Visa deferred the testing requirement mainly because MasterCard was not ready to support independent ATM tests. The two card associations had agreed to work together on a single testing and approval program.

"We deferred the date because it caused problems in the alignment effort with MasterCard," Mr. Johnson said.

Rob Evans, the director of industry marketing for the Dayton, Ohio, ATM maker NCR Corp., said one of the problems with the testing requirement was that the independent labs were not ready to test the products. For example, they did not have the proper manuals to determine whether the machines were adhering to Triple DES.

The "whole industry was lined up" to be tested, but the independent labs set up by Visa did not "have anything to test against," he said. "That's why those dates were not initially adhered to."

In the meantime, much of the industry has already shifted to Triple DES.

Warren L. Coles, the executive vice president of operations at Morgan Stanley's Pulse EFT Association of Houston, said Thursday that about 98% of his company's members are Triple DES-compliant.
