Clock ticking for gas stations to pump up data security

08.01.2009
Lower gas prices aren't the only thing that's new at the pumps these days. Data encryption tools are also becoming part of the picture.

Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to from gas pumps by shielding the personal identification numbers (PIN) of customers.

So-called placed on gas pumps have been used to compromise payment card data in the past ? for example, in 2005 at stations operated by 's division.

Visa's new requirement calls on gas retailers to ensure that all new pumps capable of processing debit card purchases are equipped with an encrypting PIN pad, or EPP, that supports . Although Visa is the only credit card company mandating the use of the encryption technology now, the requirement is expected to become part of a broader specification for unattended point-of-sale systems that is being developed by the , which is responsible for the Payment Card Industry Data Security Standard and other data protection measures.

Gas station owners have until July 1, 2010, to ensure that all of their existing pumps are upgraded to support Triple DES. Robert Renke, executive vice president of the Petroleum Equipment Institute in Tulsa, Okla., estimated that about 1.4 million gas pumps would need to be retrofitted with new software ? for an average of more than 2,500 per day in order for retailers to meet Visa's deadline.

The chances of that happening are remote, according to some analysts. The upgrade requirement is "a major deal for gas stations with old equipment," said 's . And with and drivers cutting back on gas consumption after prices hit record levels last summer, "this could not come at a worse time for gas station operators," Litan said. "I'm sure many will be late when it comes to compliance."