Clock ticking for gas stations to pump up data security

08.01.2009

She added that if an existing gas pump can't support a software upgrade to make it compliant with Triple DES, a replacement pump may have to be installed. And on top of the encryption requirements, gas stations will need to ensure that the POS systems on their pumps comply by July 2010 with a separate that was crafted by Visa and then adopted by the PCI council. Full replacements can cost between $8,000 and $29,000 per pump, Litan said.

Retailers that only need to upgrade their existing pumps can expect to spend between $1,800 and $2,000 for each new EPP-equipped card reader, Renke said. But he added that given the razor-thin profit margins and fiercely competitive environments that most gas station owners face, investing even that much money in the security upgrades will be a major challenge for many.

"This is going to be a huge undertaking," agreed Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. Between 20% and 30% of gas purchases made at the pump are processed via PIN-based debit transactions, Huguelet said. He noted that gas stations that can't or are unwilling to make the required investments in pump upgrades or replacements may have to stop accepting such transactions next year.

The new data encryption requirements for gas stations are part of a wider effort, started by Visa five years ago, to enforce tougher security standards on self-service gas pumps, ATMs, retail kiosks and other unattended POS systems, as well as PIN entry devices that are monitored by employees at a retailer or other merchant.

According to a document that Visa issued in September to outline the Triple DES requirements, a complete conversion to the encryption technology on POS devices will require upgrades to systems and networks at banks and payment processing firms in addition to the ones at gas stations and other merchants.