Gas Stations Slow to Upgrade to Safer Pay-at-Pump Keypads

U.S. gas stations are under a mandate to improve security at their pay-at-the-pump keypads, but even with a 2010 deadline approaching, very few are buying secure keypads, according to VeriFone Holdings Inc.

In November the San Jose terminal maker introduced a PIN pad that meets the standard, but it has yet to see a substantial return on that investment, according to its chief executive Douglas G. Bergeron.

"We've spent millions investing in a whole new portfolio of products," Mr. Bergeron said in an earnings conference call last week. "We're the only guys out there with it, but the retail side of petroleum today is suffering and they are not buying."

The requirement stemmed from an earlier mandate that required the use of Triple-DES encryption at PIN pads on automated teller machines and other payment devices. Visa Inc. had set a 2004 deadline for that shift, prompting a wave of ATM upgrades and replacements.

But gas stations had no way then to meet the 2004 deadline, said Jeff Wakefield, the vice president of marketing for VeriFone's integrated systems unit.

The original mandate said that "in January of 2004 all devices that were sold had to meet that requirement and all devices that haven't been tested have to be removed from service by the end of June 2010," Mr. Wakefield said in an interview Tuesday. "Visa gave a couple of extensions to the fuel industry; at the time they did it, nobody was making secure devices."

Visa would not make an executive available for an interview on this topic, but it has published documents online detailing its stance on gas station payment systems.

"Recognizing that U.S. petroleum merchants had no lab-evaluated" PIN entry devices "to purchase, Visa granted an extension to the January 1, 2004 requirements" mandating Triple-DES encryption for new PIN pads installed starting in January 2009, according to an April Visa bulletin. Systems in place need to be upgraded or replaced by July 2010.

Mr. Wakefield said shrinking margins in the petroleum industry are a big reason gas stations have been slow to upgrade.

"When gas goes to $4, retailers are now paying 8 cents" to process that transaction, he said. "The typical margin that a retailer gets on fuel is in the 10-to-12-cent range. On 8 cents a gallon on interchange fees, they're not making a lot of money, so that has caused them in many cases to slow down any kind of investment in their stations."

VeriFone's terminals take less than an hour to install, per pump, and can cost up to $5,000 a pump, Mr. Wakefield said, depending on how they are customized.

However, even if gas prices drop and margins improve, many merchants still may put off the upgrade, he said. "They're waiting for the date that they absolutely have to do something. They're trying to honestly figure out if they can get away with doing nothing, which I don't think will happen."

Mr. Wakefield said the card companies will likely announce some kind of penalty as the 2010 deadline approaches to encourage merchants to upgrade.

The difference in security would be substantial, he said.

Beyond providing stronger encryption, VeriFone would protect the PIN as it is entered, which is not how most of the devices in deployment today do it.

"The PIN number is transmitted through a bunch of wires from every pump … into a module in the gas station, and that's where the encryption occurs," Mr. Wakefield said. "So the data is, I won't say it's sent in the clear — it's masked a little bit — but it is sent over wires where it can easily be grabbed inside the station. The Visa mandate is you have to do that encryption at the keypad where the consumers enter it."

VeriFone's top U.S. rival, Hypercom Corp. of Phoenix, said it does not serve the U.S. petroleum market; the French terminal maker Ingenico SA did not return a call requesting comment.

Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said that Visa is doing more than other card brands to push security standards, but that merchants are cautious about the investment needed to meet them.

She did not agree with Mr. Wakefield that some are trying to avoid an upgrade. "I don't think they want to put it off," she said.

One issue is the deadline may already be too close to allow for upgrades on a large scale for major gas companies, Ms. Litan said. "In many cases, if they started today, they still wouldn't meet the deadline, because it's an enormous task for these large brands. But the biggest issue is they don't have any clarity."

The PIN entry device rule is just one of many that merchants have to meet, and even those merchants eager to upgrade do not want to do so without assurance from the payment card industry that the investment will bring them into compliance, Ms. Litan said. Even then, they would need the cooperation of the pump manufacturers as well.

Gas stations "don't want to do a hodgepodge implementation, and they don't want to be a guinea pig for new technology," she said. "They don't want to spend millions of dollars testing the technology only to find out they're not compliant."

And many do not have the money to spend, Ms. Litan said.

"For the franchisees, these local gas station owners, some of them have already gone out of business because of the price of gas," she said. The cost of a terminal upgrade might push even more out of business, she said.

MasterCard Inc. also requires Triple-DES encryption for PIN pads. It set separate, though similar, deadlines for ATMs. MasterCard representatives did not return calls requesting comment on its policies for gas station payment systems.
