Large independent sales organizations have lagged far behind banks, credit unions, and even smaller ISOs in complying with the industry’s Triple DES encryption standard for automated teller machines.
According to a study released this month by Dove Consulting Inc., only 52% of ATMs owned by large ISOs are Triple DES-compliant. Large ISOs, those that operate more than 2,500 ATMs, generally install them in merchant locations.
Smaller ISOs are also behind most financial companies — about 77% of their machines comply with the standard. The study found that 81% of the ATMs owned by banks with assets of at least $10 billion met the standard.
MasterCard Inc. originally set April 1, 2005, as the final deadline for meeting the standard, but the Purchase, N.Y., credit card company has granted extensions to many companies. (Visa U.S.A.’s final deadline for compliance is Dec. 31, 2007.)
Several banks have signed deals to put their brand names on ATMs operated by ISOs. The banks see such a strategy as an inexpensive way to lengthen the reach of their ATM networks. The gap between banks and ISOs in Triple DES compliance does not mean that ATMs a bank owns are more secure than those that it does not own but that bear its name.
The nation’s top two ISOs, Cardtronics Inc. of Houston and TRM Corp. of Portland, Ore., have received extensions from MasterCard, until Dec. 31, 2007. Both have branding deals with financial companies.
Chris Brewster, the chief financial officer of Cardtronics said that “every bank-branded ATM we have in the system is Triple DES-compliant.”
Maureen M. Brown, a spokeswoman for Huntington Bancshares Inc. of Columbus, Ohio, said that its brand is on 80 Cardtronics ATMs.
However, she said that if there are any losses at the Cardtronics machines, “the liability is with” Cardtronics. “If a customer incurs a loss with their machines, then they are liable for that loss, and we are not.”
Ms. Brown said that 75% of the 1,000 machines Huntington owns are compliant. The ones that are not are mostly in merchant locations “where there is not a lot of traffic,” she said.
Co-op Financial Services renewed a branding deal with TRM in April. James A. Hanisch, an executive vice president for the Ontario, Calif., credit union debit company, said the contract with TRM makes “no specific mention of Triple DES. We are not concerned, because those ATMs are branded with other network marks that mandate Triple DES” and also must comply with “our operating rules.” He said that “north of 99% of” Co-op’s ATMs are in compliance.”
Jeffrey Brotman, TRM’s president and chief executive, said in an interview that about 52% of its ATMs meet the Triple DES standard. One reason for the delay in getting all of them compliant is that TRM owns less than half of the machines it operates which makes it more difficult to ensure that they have bee upgraded (the rest are owned by merchants). About 65% to 70% of the ones it owns meet the standard.
“For banks, most of their ATMs are located where the bank has a physical location, at a branch. They regularly have people who can do the upgrade,” Mr. Brotman said. “It’s logistically simpler in many cases.”
The industry has extended the compliance deadline several times in recent years, and when it comes to persuading merchants to invest in upgrading their machines, Mr. Brotman said that some “don’t believe it when you say to them, ‘This time it’s for real.’ They say, ‘We’ve heard that song before.’ ”
Mr. Brotman said that he expects to meet his deadline next year, and that TRM will not renew its contracts with merchants unable or unwilling to upgrade their ATMs.
Dawn Thompson, a spokeswoman for Cardtronics, said that “a majority” of its machines are compliant, though she would not be more specific. Cardtronics operates about 25,000 ATMs in the United States, and the ones that are not compliant are deployed in “the mom-and-pop merchants instead of the large national retailer segment,” she said.
The Dove study was sponsored by four electronic funds transfer networks: First Data Corp.’s Star Networks Inc.; the NYCE Payments Network LLC unit of Marshall & Ilsley’s Metavante Corp.; Pulse EFT Association LP of Boston (part of Morgan Stanley’s Discover Financial Services); and Co-op Financial Services. Dove is a division of Hitachi Consulting.
