Visa Requires all New Fuel Pumps to Support Triple DES

Press enter to search
Close search
Open Menu

Visa Requires all New Fuel Pumps to Support Triple DES

01/09/2009
NEW YORK -- Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers, according to a report by Computerworld.com.

Card-skimming devices placed on gas pumps have been used to compromise payment card data in the past, such as the 2005 examples of both Walmart and Sam's Club, the report stated.

Visa is now requiring all gas retailers to ensure any newly installed pump with the capability of processing debit card purchases are equipped with an encrypting PIN pad, or EPP, that supports Triple DES. This requirement is expected to be mandated by the PCI Security Standards Council in the future.

Additionally, retailers have until July 1, 2010, to ensure all of their existing pumps are upgraded to support Triple DES.

Robert Renke, executive vice president of the Petroleum Equipment Institute in Tulsa, Okla., estimated about 1.4 million gas pumps would need to be retrofitted with new software -- for an average of more than 2,500 per day in order for retailers to meet Visa's deadline, the report stated.

Retailers needed to upgrade existing pumps can expect to spend between $1,800 and $2,000 per card reader, Renke said in the report.

"This is going to be a huge undertaking," agreed Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. Between 20 and 30 percent of gas purchases made at the pump are processed via PIN-based debit transactions, Huguelet said. He noted gas stations that can't or are unwilling to make the required investments in pump upgrades or replacements may have to stop accepting such transactions next year, the report stated.

The PCI Security Standards Council announced plans in August to add security requirements for unattended POS systems, and a draft of the requirements has already been published for review. Council members have submitted comments about the draft, and a final version is expected to be released sometime this year.