Coming Down to the Wire: PCI Compliance and the Fuel Retailer
Nationwide, the petroleum retail industry is slowly coming to the realization that many merchants are simply unprepared for PCI compliance. Considering that the mandate is July 1, 2010 (a mere 320 days away!), a last-minute rush towards compliance is all but guaranteed. Undoubtedly, a great many retailers without a plan are going to be left out in the cold.
Similar to the California Enhanced Vapor Recovery (EVR) example of earlier this year, PCI compliance is the perfect storm of the following factors: first, compliance is mandatory; second, the deadline for mandated compliance is near; and third, only a limited group of qualified labor is capable of performing the work. Together, these factors added up to a 300% increase in the cost of an EVR installation. Should we expect the same with PCI? Do you really want to wait around and find out?
So, what PCI mandates are relevant to the fuel retailer? All merchants that continue to take credit or debit transactions must be PA-DSS compliant, with a PCI-certified POS system. For debit transactions, customer data (specifically Personal Identification Numbers, or PINs) must be encrypted using PCI-certified PIN Entry Devices (PEDs) inside the store or Encrypting PIN Pads (EPPs) on the forecourt. And all of this must be completed before July 1, 2010.
Non-compliance isn’t really an option. PA-DSS is required for ALL card transactions (credit or debit) and EPP/PED compliance is required if a merchant accepts debit transactions. Before you decide to circumvent this requirement by simply shutting off debit, consider the following facts:
1. PIN-debit transactions are less expensive than credit or signature-debit transactions. So much so that the average fuel retailer will see an ROI on compliance in just 11 months.
2. Debit transactions will soon make up the majority of fuel purchase transactions. For the first time in history, debit transactions have surpassed credit transactions in both volume and value.
PCI is not going away. If you are going to become PCI compliant (and most merchants are), you’d be well-advised to act while you still can.
Enjoy the articles below, and good luck on your path to PCI.

