ATMs Triple DES Encryption

DEAR BOARD OF DIRECTORS:

The purpose of this letter is to ensure credit unions are aware of the new minimum encryptions standards being required by the major ATM switch network vendors. The new encryption standard, called Triple DES (3DES), was adopted by MasterCard and VISA to ensure the security of their networks. Eventually, all ATMs connected to the networks must be capable of handling the new encryption standard which uses 2 encryption keys, chosen independently at random, to encrypt a message multiple times.

The original data encryption standard (DES) that has been universally used since 1981 in the ATM market to encrypt personal identification numbers (PINs) is vulnerable to attack because of the exponential increase in computing power from personal computers. In addition, the ATM market is moving towards transacting business over the Internet, which brings its own set of risks.

Since April 2002, all new ATM installations were required to be 3DES capable. The primary issue is migrating the thousands of legacy (old but in current use) ATM machines across the country to the new standard. In many cases, upgrades in the software and keypads will make them compliant. In other cases, the machine will need to be replaced. Costs associated with the conversion/upgrade vary depending on the ATM vendor and age of the machine.

The primary responsibility for ensuring compliance with the 3DES requirement, by the published dates, rests with ATM vendors and individual owners. However, because of the potential systemic risk posed by some ATM owners’ failure to upgrade, or replace, their legacy systems and the resulting possible loss of service to members, credit unions should be proactive in meeting the migration deadlines (see enclosure, section III, The Migration).

Should you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.