Debit-Card Security Plan Worries Gas Pump Owners — Smaller Retailers Fear Costly Upgrades Mandated By Firms
New security mandates from credit-card companies that gas stations and
other retailers upgrade equipment to protect consumer information will
prove costly to merchants.
The new standards, meant to protect against theft of credit- and
debit-card information, are part of a series of upgrades recommended by
the Payment Card Industry Data Security Council, which was formed three
years ago by the five major credit-card companies. Deadlines depend on
the type of equipment and size of the retailer.
The debit-card standard affecting the equipment at gasoline pumps goes
into effect for small retailers July 1, 2010 – a date set by Visa, not
the payment card council or other card companies.
Gas station owners are faced with shelling out for the new personal
identity number, or PIN, processors at their pumps, or stop accepting
debit cards, which are growing in popularity.
Nick Siddique, who owns five Shell stations in Little Rock, North
Little Rock and White Hall, said the upgrade would cost $3,000 for each
of his 32 pumps, a total of $96,000, and so he’ll likely stop taking
debit cards.
He thinks the card companies should pay for the upgrades.
"For the big [retailers] it’s not a problem," he said. "But for a small
guy like us it is." Bruce Gibson, owner of Gibson Oil Co. in northeast
Arkansas, said the cost to upgrade equipment at the seven gas stations
he owns and the 70 more he supplies will run about $20,000 to $80,000
per store.
LITTLE MARGINS
"A lot of stores have very little margins on gasoline, and for them to
have to spend money they can’t recoup is really hurting them," he said.
He plans to pay for the security upgrades at his seven stores, but said
some of his operators might not.
Debit purchases at the pump are allowed only with a PIN, Siddique said.
PIN debit transactions increased 12.5 percent from 2006 to 2007,
according to the 2008 Study of Consumer Payment Preferences conducted
by Hitachi Consulting, the Dallas-based consulting arm of the Japanese
firm Hitachi Ltd.
They surpassed the number of U.S. credit-card transactions in 2006. Of
consumers who prefer PIN debit, 51 percent listed security as the
reason for their preference, Hitachi Consulting reported.
And if a significant number of gas stations forgo the upgrade,
customers who have only debit cards, or prefer them over credit cards,
would find themselves increasingly forced to go inside the store to pay.
"It would of course be tremendously inconvenient for many consumers who
routinely pay for gas with debit [cards]," said Judy Dugan, research
director and energy expert at Consumer Watchdog, a California-based
group that aims to fight "corrupt corporations and crooked
politicians." "It’s an issue that ought to be solvable because you
don’t want consumers having to put more debt onto credit cards." She
said she thinks either the credit-card companies or the major oil
brands should help small-station owners pay for the upgrade or work out
a schedule to pay over time.
"It’s unfair for the people at the bottom of the chain the way it’s
structured now, which is the consumer and the small-station owner,"
Dugan said.
Costs to upgrade will depend on how old the equipment is, said Ann
Hines, executive vice president of the Arkansas Oil Marketers
Association.
She said she doesn’t fault the card companies for their objective –
trying to stop fraud – but said most Arkansas gas station operators are
alarmed at the cost.
"I think the credit-card companies who are making so much money should be able to help retailers with this process," she said.
According to a survey by the National Association of Convenience
stores, credit-card costs to the industry totaled $7.6 billion in 2007,
the latest year for which figures are available.
"One of our biggest expenses is taking credit-cards to start with,"
Gibson said, citing numerous fees. "The credit card companies make more
money on gasoline than most of my operators." Gibson and his operators
plan to do surveys to see if customers at his locations prefer to use
PIN debit. Siddique said his margins are already suffering because of
fees levied on customers’ PIN debit transactions.
The new security rules originate from an effort to coordinate security
standards across the payment card industry, making it easier for
retailers to avoid breaches.
The Payment Card Industry Data Security Council was formed in 2006 by
American Express, Discover, Visa, Master-Card and JCB (a Japanese
credit card brand) to develop practices for securing cardholder
information, said Troy Leach, technical director at the council.
SECURITY BREACHES
Security breaches can be financially devastating to retailers and come
at a high cost to consumer confidence as well. When New Jersey-based
Heartland Payment Systems was breached in January, in what was
considered one of the largest breaches ever, Arkansas banks had to
issue customers new credit and debit cards. This incident is unrelated
to the possible thefts the councils’ standards aimto guard against, but
card companies are invested in protecting consumer information and
their brands.
"Securing cardholder data is among Visa’s highest priorities and a
shared responsibility among financial institutions and merchants," Visa
spokesman Jennifer Fischer wrote in a prepared, e-mailed statement.
The council issued its latest version of the standard in October 2008,
Leach said. However, the council only makes recommendations. Each
credit-card brand can choose which standards to enforce, can set its
own deadlines for enforcement and can create other security standards
above the council’s requirements.
The resulting web of standards is confusing for many retailers.
"It is extremely frustrating," said Jeff Lenard, vice president of
communications for the National Association of Convenience Stores. "The
rules are complex, and the clock is ticking." Leach said the system
helps retailers because they know that if they buy software from
approved developers and buy equipment from approved manufacturers, they
will be compliant.
Still, the cost of new software and equipment must be shouldered by
retailers, who risk huge fines and having their ability to accept
plastic taken away if their security is breached.
Gray Taylor, payment consultant for the National Association of
Convenience stores, said the council’s standards do not allow small
businesses the flexibility to pursue more creative and potentially more
effective methods of protecting their consumers.
He said the council’s standards emphasize security – not letting a
hacker access information – more than encryption – rendering data
useless so it won’t matter if a thief hacks in.
"We can comply with everything [card companies] tell us to do, and it’s
going to raise the prices [consumers] pay at retail, and they’re not
going to be more secure," he said.
Leach disagreed with that assessment of the council, saying that
existing standards have "requirements of protecting that information
from point A to point B to point C." Hines, of the Arkansas Oil
Marketers Association, said the intricacies of compliance with the
council have left her reeling.
"Every once in a while I hit something where I guess my mind refuses to
accept it," she said. "It is complex, and I think I hit a stumbling
block over the amount of money it is costing."