Skip the navigation

Clock ticking for gas stations to pump up data security

Visa requiring encryption of debit card PINs on new pumps now, existing ones by July 2010

January 7, 2009 12:00 PM ET

Computerworld - Lower gas prices aren't the only thing that's new at the pumps these days. Data encryption tools are also becoming part of the picture.

Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers.

So-called card-skimming devices placed on gas pumps have been used to compromise payment card data in the past. For example, in 2005, data at gas stations operated by Wal-Mart Stores Inc.'s Sam's Club division was compromised.

Visa's new requirement calls on gas retailers to ensure that all new pumps capable of processing debit card purchases are equipped with an encrypting PIN pad, or EPP, that supports Triple DES. Although Visa is the only credit card company mandating the use of the encryption technology now, the requirement is expected to become part of a broader specification for unattended point-of-sale (POS) systems that is being developed by the PCI Security Standards Council, which is responsible for the Payment Card Industry Data Security Standard and other data-protection measures.

Gas station owners have until July 1, 2010, to ensure that all of their existing pumps are upgraded to support Triple DES. Robert Renke, executive vice president of the Petroleum Equipment Institute in Tulsa, Okla., estimated that about 1.4 million gas pumps would need to be retrofitted with new software — for an average of more than 2,500 per day in order for retailers to meet Visa's deadline.

The chances of that happening are remote, according to some analysts. The upgrade requirement is "a major deal for gas stations with old equipment," said Gartner Inc.'s Avivah Litan. And with the economy in tatters and drivers cutting back on gas consumption after prices hit record levels last summer, "this could not come at a worse time for gas station operators," Litan said. "I'm sure many will be late when it comes to compliance."

She added that if an existing gas pump can't support a software upgrade to make it compliant with Triple DES, a replacement pump may have to be installed. And on top of the encryption requirements, gas stations will need to ensure that the POS systems on their pumps comply by July 2010 with a separate payment application security standard that was crafted by Visa and then adopted by the PCI council. Full replacements can cost between $8,000 and $29,000 per pump, Litan said.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!