Rising Costs And a PCI Upgrade Drive Gas Sellers to Reconsider PIN Debit

Rising processing costs and Visa Inc.'s mandate that point-of-sale terminals be upgraded to do Triple-DES encryption for PIN-based debit transactions are prompting gas sellers to rethink PIN debit acceptance. Fuel sellers are talking about dropping PIN debit because of the hike in cost for authorization, says Branden Williams, director of PCI compliance for Verisign. “There's no cost advantage any more or the cost advantage is smaller,” he says. Indeed, an analysis of the 1,000 stores in the National Association of Convenience Stores card processing program found that if “we took all of the PIN debit transactions that we processed last year for those 1,000 stores and processed them as signature debit, it would cost the same,” says Gray Taylor, NACS payment consultant. “We look at our PIN debit costs and they've been going up over 14% compounded annually,” Taylor says. “So clearly, within three years, the decision (to drop PIN debit) is going to be an absolute no-brainer, regardless of which EFT network has most of your transactions.” While gas retailers also are unhappy with rising interchange rates on credit card transactions, they have no alternative to credit card acceptance, Taylor says. “There's not a fallback position on credit cards,” he says. “There is on debit. If they've got a bug on them, I'm going to process them as signature.” But higher PIN debit interchange rates are only part of the problem. “All things being equal nobody would turn off PIN debit because of the cost,” Taylor says. “The stake in the heart really is the PCI PED (Payment Card Industry PIN Entry Device) upgrade. And that's costing anywhere from $2,500 to $3,000 per dispenser.” To continue to accept PIN debit, many fuel retailers would have to replace existing payment-processing equipment to comply with the PCI PED Standard, which requires Triple DES encryption, Verisign's Williams says. “As a fuel provider that is looking at a five-to-10 year payback on any equipment purchased, do you make the jump to comply with these standards now,” he says. “Or do you just turn off the PIN-based debit support?” About 88% of gas retailers surveyed by NACS accept PIN debit, Taylor says. “You can do a very simple amortization on the equipment over three years, and what it ends up to be is 'well, what the heck, 80% of those cards going through there have a Visa or MasterCard bug anyway, I may as well throw it though the signature debit system,'” he says. At least one major oil company and at least three middle size independents “have said categorically once Triple-DES is mandated, they'll turn off PIN debit,” Taylor adds. He declined to name the companies, citing confidentiality agreements. Visa has “softened up” up on the original July 2010 deadline for PCI PED compliance, saying gas retailers may use single DES Derived Unique Key per Transaction (DUKPT) encryption “for the time being,” unless a data breach of a single DES device occurs, Taylor says. Visa has set an Aug. 1, 2012, deadline for gas retailers to implement Triple DES or face penalties. Once the PCI PED deadline is imposed, Visa and MasterCard will pick up an additional 10% to 15% in transactions in the petroleum marketplace by default as gas retailers drop PIN debit, Taylor estimates. “With Visa and guys at PCI so vociferous about getting everybody PCI compliant, it's ironic that one of their mandates is going to take away one of the most secure transactions at the point of sale,” he says.