New-ATM Encryption Rollout in Doubt

Triple DES, the new data-encryption standard for automated teller machines and point of sale terminals, is proving a bigger implementation challenge than many banks had expected.

April 1 is the deadline MasterCard International has set for all ATMs installed within the last year to be using Triple DES, both for transactions and in their connections to MasterCard. MasterCard says it anticipates 99% compliance.

But the vast majority of the approximately 300,000 ATMs in the United States will not have to process in Triple DES until the final "sunset" deadline of April 1, 2005, when all MasterCard ATMs must be compliant.

Several banks and electronic funds-transfer networks say that by the deadline next week they will not be ready to support Triple DES, which is intended to combat fraud.

First Tennessee National Corp. - which has about 500 ATMs, including 50 that have to be compliant by April 1 - will miss the deadline by about a month, said Fred Spratlin, a senior vice president and the manager of electronic banking at the Memphis company. But he said it has not asked for a waiver.

"We're not going to be ready April 1st, because our processor is not ready," Mr. Spratlin said. "The gateways aren't totally ready." First Tennessee has done a lot of ground work on the project and has been putting together a conversion plan for years, he said.

Mr. Spratlin said he thinks "the majority of the industry will not be ready" April 1 to turn on Triple DES.

But he said First Tennessee will easily meet MasterCard's 2005 deadline. Larger banks will likely make that date as well, but "some of the banks that are our size and smaller will struggle," he said.

MasterCard says it stands by its assertion that its deadline is being met. "I'm happy to say that the vast majority of our members are falling in place and are going to be compliant," said John Schettino, a vice president of security and risk management at MasterCard.

Mr. Schettino said "much less than 1%" of the association's 23,000 members worldwide will not be in compliance, and that those members had already asked for and received a variance from MasterCard.

Variances were not rubber-stamped, Mr. Schettino said; they were reviewed by MasterCard to make sure they were legitimate. "We denied the variance for some members, but we worked with them to come up with a variance, so ultimately their variances were granted," he said. "If someone comes in and requests 2010, that's not a legitimate variance request."

As for point of sale terminals' compliance, "We don't have a sunset date at this point in time," Mr. Schettino said. "But it is highly recommended that POS terminals be operating in Triple DES if possible."

Other processors, such as Visa U.S.A. and Concord EFS, have set later compliance deadlines. While MasterCard required that new equipment be Triple DES-compliant by last April, Visa's deadline was last Jan. 1. By next Jan. 1, all newly deployed POS PIN pads must support Triple DES, though they do not actually have to use it then, said Visa spokeswoman Janet Yang.

Rob Evans, the director of industry marketing at ATM manufacturer NCR Corp., said MasterCard recognized the implementation problems and scaled back its requirements last year. Instead of having to use Triple DES, he said, new ATMs merely had to be capable of supporting it by April 1 of 2002.

It seems several financial institutions will not be using Triple DES on their new machines by April 1, Mr. Evans said. "I think it's a pretty good number - more than 1%."

Pulse EFT Association of Houston has asked for and received a waiver from next week's deadline, said Karen Gardstein, the executive vice president of finance and administration for Pulse. The network sponsors 378 small to midsize financial institutions into Cirrus, MasterCard's ATM network, and all of those have received waivers as well, Ms. Gardstein said.

"We're very much on board moving to Triple DES. We want to see the industry do that," she said. "We just had to identify what our No. 1 priority was, and that is moving our switch in-house."

Susan Zawodniak, the executive director of the NYCE Network, a subsidiary of First Data Corp., said the industry is "concerned about the relative expense to upgrade their ATM base."

Ms. Zawodniak said that the problems confronting deployers are financial institutions' myriad compliance issues. Large deployers, she said, have ATMs from multiple vendors, so maintenance varies: Some machines can be upgraded, some are too old.

But "everyone's intending to comply," Ms. Zawodniak added. "The Triple DES train is out of the station. It's moving and it's gathering speed. Whether every car attached will be able to make the date, remains to be seen."

Industry insiders all said that financial institutions are also wrestling with other details, such as the need to make their ATMs voice-activated for blind customers and to convert from the OS/2 operating system. Moreover, the industry is weighing the possibility that Congress will pass the Check 21 Act, which would permit check truncation at ATMs, allowing the machines to convert paper checks to electronic checks.

Metavante Corp., the Milwaukee processing company, said it is busy helping its bank customers comply with MasterCard's deadline. The Marshall & Ilsley Corp. subsidiary said it has installed Triple DES-capable ATMs for Peoples National Bank of McLeansboro, in Fairfield, Ill., and that it is working with several other clients, including California Bank and Trust of San Diego; Citizens Bank, of Flint, Mich.; and Carrollton Bank of Baltimore.

Metavante has also been authorized to support Triple DES encryption for MasterCard, Cirrus, and Maestro debit transactions. "Our host-to-host connection has been certified and we'll be going live on March 26," said Bruce Hopkins, a vice president of EFT and card solutions for Metavante. "MasterCard certified that our process is correct."
