New security mandates from credit-card companies that gas stations and other retailers upgrade equipment to protect consumer information will prove costly to merchants.
The new standards, meant to protect against theft of credit- and debit-card information, are part of a series of upgrades recommended by the Payment Card Industry Data Security Council, which was formed three years ago by the five major credit-card companies. Deadlines depend on the type of equipment and size of the retailer.
The debit-card standard affecting the equipment at gasoline pumps goes into effect for small retailers July 1, 2010 – a date set by Visa, not the payment card council or other card companies.
Gas station owners are faced with shelling out for the new personal identity number, or PIN, processors at their pumps, or stop accepting debit cards, which are growing in popularity.
Nick Siddique, who owns five Shell stations in Little Rock, North Little Rock and White Hall, said the upgrade would cost $3,000 for each of his 32 pumps, a total of $96,000, and so he’ll likely stop taking debit cards.
He thinks the card companies should pay for the upgrades.
"For the big [retailers] it’s not a problem," he said. "But for a small guy like us it is." Bruce Gibson, owner of Gibson Oil Co. in northeast Arkansas, said the cost to upgrade equipment at the seven gas stations he owns and the 70 more he supplies will run about $20,000 to $80,000 per store.
"A lot of stores have very little margins on gasoline, and for them to have to spend money they can’t recoup is really hurting them," he said. He plans to pay for the security upgrades at his seven stores, but said some of his operators might not.
Debit purchases at the pump are allowed only with a PIN, Siddique said.
PIN debit transactions increased 12.5 percent from 2006 to 2007, according to the 2008 Study of Consumer Payment Preferences conducted by Hitachi Consulting, the Dallas-based consulting arm of the Japanese firm Hitachi Ltd.
They surpassed the number of U.S. credit-card transactions in 2006. Of consumers who prefer PIN debit, 51 percent listed security as the reason for their preference, Hitachi Consulting reported.
And if a significant number of gas stations forgo the upgrade, customers who have only debit cards, or prefer them over credit cards, would find themselves increasingly forced to go inside the store to pay.
"It would of course be tremendously inconvenient for many consumers who routinely pay for gas with debit [cards]," said Judy Dugan, research director and energy expert at Consumer Watchdog, a California-based group that aims to fight "corrupt corporations and crooked politicians." "It’s an issue that ought to be solvable because you don’t want consumers having to put more debt onto credit cards." She said she thinks either the credit-card companies or the major oil brands should help small-station owners pay for the upgrade or work out a schedule to pay over time.
"It’s unfair for the people at the bottom of the chain the way it’s structured now, which is the consumer and the small-station owner," Dugan said.
Costs to upgrade will depend on how old the equipment is, said Ann Hines, executive vice president of the Arkansas Oil Marketers Association.
She said she doesn’t fault the card companies for their objective – trying to stop fraud – but said most Arkansas gas station operators are alarmed at the cost.
"I think the credit-card companies who are making so much money should be able to help retailers with this process," she said.
According to a survey by the National Association of Convenience stores, credit-card costs to the industry totaled $7.6 billion in 2007, the latest year for which figures are available.
"One of our biggest expenses is taking credit-cards to start with," Gibson said, citing numerous fees. "The credit card companies make more money on gasoline than most of my operators." Gibson and his operators plan to do surveys to see if customers at his locations prefer to use PIN debit. Siddique said his margins are already suffering because of fees levied on customers’ PIN debit transactions.
The new security rules originate from an effort to coordinate security standards across the payment card industry, making it easier for retailers to avoid breaches.
The Payment Card Industry Data Security Council was formed in 2006 by American Express, Discover, Visa, Master-Card and JCB (a Japanese credit card brand) to develop practices for securing cardholder information, said Troy Leach, technical director at the council.
Security breaches can be financially devastating to retailers and come at a high cost to consumer confidence as well. When New Jersey-based Heartland Payment Systems was breached in January, in what was considered one of the largest breaches ever, Arkansas banks had to issue customers new credit and debit cards. This incident is unrelated to the possible thefts the councils’ standards aimto guard against, but card companies are invested in protecting consumer information and their brands.
"Securing cardholder data is among Visa’s highest priorities and a shared responsibility among financial institutions and merchants," Visa spokesman Jennifer Fischer wrote in a prepared, e-mailed statement.
The council issued its latest version of the standard in October 2008, Leach said. However, the council only makes recommendations. Each credit-card brand can choose which standards to enforce, can set its own deadlines for enforcement and can create other security standards above the council’s requirements.
The resulting web of standards is confusing for many retailers.
"It is extremely frustrating," said Jeff Lenard, vice president of communications for the National Association of Convenience Stores. "The rules are complex, and the clock is ticking." Leach said the system helps retailers because they know that if they buy software from approved developers and buy equipment from approved manufacturers, they will be compliant.
Still, the cost of new software and equipment must be shouldered by retailers, who risk huge fines and having their ability to accept plastic taken away if their security is breached.
Gray Taylor, payment consultant for the National Association of Convenience stores, said the council’s standards do not allow small businesses the flexibility to pursue more creative and potentially more effective methods of protecting their consumers.
He said the council’s standards emphasize security – not letting a hacker access information – more than encryption – rendering data useless so it won’t matter if a thief hacks in.
"We can comply with everything [card companies] tell us to do, and it’s going to raise the prices [consumers] pay at retail, and they’re not going to be more secure," he said.
Leach disagreed with that assessment of the council, saying that existing standards have "requirements of protecting that information from point A to point B to point C." Hines, of the Arkansas Oil Marketers Association, said the intricacies of compliance with the council have left her reeling.
"Every once in a while I hit something where I guess my mind refuses to accept it," she said. "It is complex, and I think I hit a stumbling block over the amount of money it is costing."