Press Release
Customer Update: DUKPT Interlink and STAR
The following provides an update on Concord’s progress regarding the mandates
set forth by Interlink and STAR for enhanced key encryption security. As we
have communicated in the past, the mandates require the use of a "unique key
per device". Concord has implemented DUKPT (Derived Unique Key Per
Transaction) as our solution.
Although the mandates were effective January 1, 2001, Concord EFS, as a
sponsoring financial institution for both networks, requested and received
extensions for EFS-sponsored merchants until January 1, 2004. In order to
meet this deadline, Concord has established the following timeline for
compliance:
Effective January 1, 2003, all new installations of terminal applications
must support DUKPT encryption. NOTE: Concord defined this date to ensure the
EFS-sponsored merchants meet the debit networks' compliance dates.
Effective January 1, 2004, all merchants that accept Interlink and/or STAR
must utilize terminals/devices that support DUKPT.
In November 2001, Concord sent a notification to all Concord terminal
vendors informing them that they were to support the DUKPT methodology
effective January 1, 2002. In our letter to them, we indicated this meant
all new vendor application certifications and any certifications required
for enhancements or modifications to existing vendor applications.
We recommend you review your device(s) to determine if they are compliant.
If the device(s) are not DUKPT compliant, we suggest you contact the
terminal vendor to determine the status and/or timeframe for DUKPT support.
If your terminal vendor has not already scheduled certification time with
Concord, they must do so as soon as possible in order to meet the
January 1, 2003 deadline. Note: Concord will continue to work independently
with vendors to get devices certified.
Please be aware that any fines or fees assessed by the debit networks for
non-compliance with their unique key per device requirement will be passed
on to the appropriate merchant. Should a key become compromised due to
non-compliance with the requirement, any financial impact resulting from
this compromise will be passed along to the appropriate merchant. This
includes re-encryption, deployment, etc. of all compromised devices.
Non-compliance fines range from $500.00 to $1,000.00 per day for each day of
non-compliance.
Interlink and STAR have indicated that processors need to submit
conversion plans for all customers that will not meet the above listed
compliance dates. Concord understands the many challenges of upgrading to
DUKPT, and would like to work in partnership with you to develop these
conversion plans.
Thank you for your attention to this important compliance issue.