Clock ticking for gas stations to pump up data security
Lower gas prices aren't the only thing that's new at the pumps these days. Data encryption tools are also becoming part of the picture.
Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers.
So-called card-skimming devices placed on gas pumps have been used to compromise payment card data in the past ? for example, in 2005 at stations operated by Wal-mart Stores Inc. 's Sam's Club division.
Visa's new requirement calls on gas retailers to ensure that all new pumps capable of processing debit card purchases are equipped with an encrypting PIN pad, or EPP, that supports Triple DES . Although Visa is the only credit card company mandating the use of the encryption technology now, the requirement is expected to become part of a broader specification for unattended point-of-sale systems that is being developed by the PCI Security Standards Council , which is responsible for the Payment Card Industry Data Security Standard and other data protection measures.
Gas station owners have until July 1, 2010, to ensure that all of their existing pumps are upgraded to support Triple DES. Robert Renke, executive vice president of the Petroleum Equipment Institute in Tulsa, Okla., estimated that about 1.4 million gas pumps would need to be retrofitted with new software ? for an average of more than 2,500 per day in order for retailers to meet Visa's deadline.
The chances of that happening are remote, according to some analysts. The upgrade requirement is "a major deal for gas stations with old equipment," said Gartner Inc. 's Avivah Litan . And with the economy in tatters and drivers cutting back on gas consumption after prices hit record levels last summer, "this could not come at a worse time for gas station operators," Litan said. "I'm sure many will be late when it comes to compliance."
She added that if an existing gas pump can't support a software upgrade to make it compliant with Triple DES, a replacement pump may have to be installed. And on top of the encryption requirements, gas stations will need to ensure that the POS systems on their pumps comply by July 2010 with a separate payment application security standard that was crafted by Visa and then adopted by the PCI council. Full replacements can cost between $8,000 and $29,000 per pump, Litan said.
Retailers that only need to upgrade their existing pumps can expect to spend between $1,800 and $2,000 for each new EPP-equipped card reader, Renke said. But he added that given the razor-thin profit margins and fiercely competitive environments that most gas station owners face, investing even that much money in the security upgrades will be a major challenge for many.
"This is going to be a huge undertaking," agreed Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. Between 20% and 30% of gas purchases made at the pump are processed via PIN-based debit transactions, Huguelet said. He noted that gas stations that can't or are unwilling to make the required investments in pump upgrades or replacements may have to stop accepting such transactions next year.
The new data encryption requirements for gas stations are part of a wider effort, started by Visa five years ago, to enforce tougher security standards on self-service gas pumps, ATMs, retail kiosks and other unattended POS systems, as well as PIN entry devices that are monitored by employees at a retailer or other merchant.
According to a document that Visa issued in September to outline the Triple DES requirements (download PDF) , a complete conversion to the encryption technology on POS devices will require upgrades to systems and networks at banks and payment processing firms in addition to the ones at gas stations and other merchants.
The PCI Security Standards Council announced plans in August to add security requirements for unattended POS systems that all entities accepting payment card transactions via such devices will need to comply with. A draft of the requirements has already been published for review, and council members have submitted comments about the draft. A final version is expected to be released sometime this year.