Visa International and MasterCard International have signed an agreement designed to ease the expense of certifying automated teller machine PIN pads as compliant with the Triple Data Encryption Standards.
The two networks say they will work together to test PIN pads to certify that they conform to U.S. and international standards of Triple DES. Consequently, ATM manufacturers will not have to undergo certification twice. The agreement was announced last week.
Visa, of Foster City, Calif., and MasterCard, of Purchase, N.Y., had previously agreed on little when it comes to Triple DES deadlines, and that disagreement has confused and angered some ATM manufacturers.
The decision to standardize PIN-pad certification does not settle the issue of when the procedure should be completed. Visa has a July 1 deadline, but MasterCard has not set one. Instead, it has focused on a April 1 deadline for overall Triple DES compliance - which Visa has not issued.
To complicate matters further, some MasterCard members have already requested and received a postponement of the April 1 deadline to December 2005.
Visa's July 1 deadline requires all newly deployed PIN pad models to be tested and passed by a Visa-recognized laboratory. Until that date, ATM makers are allowed to self-certify their PIN pads as capable of encryption.
Tim Boccia, a director of ATM products for Visa U.S.A., said the PIN pad test covers more security checks than encryption. "Triple DES is only one component." Another is ensuring that the pad is tamper-resistant.
Visa has made three laboratories available to ATM manufacturers for PIN pad certification, one in San Luis Obispo, Calif., another in Germany, and the third in the Netherlands.
There has been some grumbling in the industry about too many manufacturers and not enough labs or enough time to complete the testing, but executives for Diebold Inc. of North Canton, Ohio, NCR Corp. of Dayton, NexTran Industries Inc. of South Hackensack, N.J., and the Cincinnati reseller ATM Exchange said they expect to meet the July 1 deadline without any holdups to their sales.
MasterCard does not have a deadline for requiring all PIN pads to be certified, but it is a moot point for manufacturers, because most ATMs accept both Visa and MasterCard transactions. Nevertheless, MasterCard's agreement with Visa will help eliminate concerns that manufacturers would have to test their PIN pads again at a later date.
John Schettino, a vice president of security risk management services for MasterCard, said it may also permit manufacturers to use additional labs - ones they are more familiar with - to ensure that the PIN pads are certified in a timely manner.
"I don't like to get hung up on the short-term timelines," he said. "We look more toward" the overall compliance deadline.
Mr. Boccia said that feedback from many financial institutions suggests that MasterCard's compliance deadline will be too difficult to make. Visa is working with its members to come up a sensible timeline, which would come out within the next 12 months, he said.
"We don't want to put dates out there and receive a lot of variance requests and postpone dates that aren't realistic," he said.
Just how many of the vendors have received an extension from MasterCard is in dispute. Mr. Schettino said the number is "less than 1%." Nearly all the machines in Europe, for example, have been converted already. Latin American countries are further behind in compliance, while the United States is somewhere in the middle.
