With deadlines for automated teller machine upgrades fast approaching, credit unions appear to be behind schedule in compliance.
According to Co-op Network, which last week released a white paper documenting the progress among credit unions in upgrading their ATMs to Triple DES encryption, only about 30% of credit unions currently comply with the high-security standard designated by Visa U.S.A. and MasterCard International.
The first compliance deadline is still a year away, but only half of all credit unions are expected to be ready by then, according to ATM industry executives.
James A. Hanisch, an executive vice president at Co-op Network, of Ontario, Calif., said that a key purpose of the report was to alert his company's 1,500 credit union members to the Triple DES compliance deadlines. MasterCard has mandated that all ATMs on its network must be using Triple DES by April 1, 2005, Visa says that by July 1, 2004, all newly-bought ATMs must be demonstrably capable of supporting Triple DES.
"If you don't wave the flag on these things, you end up with a crisis in the first quarter of next year," he said. Large banks are probably farther along in their ATM upgrades than credit unions and community banks, he said.
Mr. Hanisch said that of the roughly 4,500 ATMs the network drives, about 30% are Triple DES-compliant. The issue, not surprisingly, is money. For Triple DES alone it could cost financial institutions $1,000 to upgrade an ATM and $35,000 to replace one with a full-functioning machine.
He recommends that credit unions set a hierarchy among the ATMs in their fleets, spending minimal amounts to upgrade off-premises machines and more on the ones in their branches.
Given the many voluntary and required changes in the ATM industry - including the mandate to make machines accessible to blind customers, and the decision by many institutions to upgrade from the OS/2 operating systems to Windows - credit unions as a group will likely have to spend as much as $200 million over the next 18 months to upgrade their ATMs, according to the Co-op Network white paper.
For instance, Pennsylvania State Employees Credit Union in Harrisburg will probably have to spend $3 million to $4 million to upgrade its 200 ATMs to Triple DES, said Greg Smith, the president and chief executive officer. The credit union plans to upgrade half this year and half next year.
That price tag will include other upgrades, such as equipping their machines with voice guidance for blind customers, Mr. Smith said.
Mr. Hanisch said that the costs of Triple DES compliance are a bigger consideration for credit unions than for most banks. "A small organization is exactly that, a small organization," he said. "Individuals have many varying responsibilities, and gaining attention to this issue may be a challenge."
Rob Evans, the director of industry marketing for the ATM manufacturer NCR Corp. of Dayton, Ohio, said it is hard for small credit unions "running out of a broom closet" to pay for the changes. NCR and Diebold Inc. of North Canton, Ohio, are among the handful of companies that have been working to upgrade ATMs to Triple DES compliance.
Large banks such as Bank of America Corp., which has about 15,000 ATMs, can carry out an upgrade with "breathtaking speed" because "they do this stuff all the time," Mr. Evans said.
Many financial institutions and processors have obtained waivers from MasterCard's deadline. Co-op Network, for example, received a reprieve until yearend 2005, as have the other major electronic funds transfer networks - First Data Corp.'s Star Systems and NYCE, and Pulse EFT Association.
Indeed, the industry blew some of the earlier Triple DES deadlines set by MasterCard and Visa because of the complexity of converting to Triple DES, said Tom Ruback, the vice president of card services for Pennsylvania State Employees Credit Union. "Even though the mandates were in place, the associations realized this was a pretty demanding, extensive process for both financial and equipment manufacturers," he said. "As a result they just extended some of the due dates."
Mr. Evans said that about 30% of NCR's financial institution customers are Triple DES-compliant and the rest are "working off of a waiver date." When the April 1, 2005, deadline is reached, only about half the ATMs in the country will be Triple DES-compliant, he said. Organizations that miss the deadline will probably fall into two groups, he said: "Stragglers - very small institutions - and larger institutions that might say, 'You know what, we'll just pay the fines.' "
