Visa Gas Pump Deadline


jbhall56
01-08-2009, 04:31 AM
We probably all saw the press pick up on the gas pump deadline Visa has put in place for 2010 yesterday, January 7, 2009.

However, what has never been clear to me is whether this is a total cutover, i.e., any pumps installed after January 1, 2010 MUST be 3DES capable, or whether this is like the MasterCard IP-based ATM program of a couple of years back, where if you were moving an older ATM to a new location you could still reuse it, but if you were buying a new ATM, you could only buy an IP-based ATM.

In addition, just because the pumps are 3DES capable, does 3DES also have to be implemented? Based on my reading of the directive, I'm also not clear that 3DES has to necessarily be implemented.

If anyone can provide clarification on this topic, we would appreciate it.

andrewj
01-08-2009, 06:00 PM
You will probably be interested in this document:

http://usa.visa.com/download/merchants/pin_security_and_automated_fuel_dispensers.pdf

Which states on page 17:

"Effective 7/1/2010
-All transactions originating at attended and unattended POS PEDs must be encrypting PINs using TDES from the point of transaction to the issuer (end-to-end)"

This means that all _installed_ devices must be not only TDES capable, but must be _using_ TDES for PIN encryption.

wconway
01-10-2009, 08:29 AM
My concern is who is going to install 3DES in all the zillions of pumps in a year and a half. Is this realistic? I was also a bit surprised by Visa's move as the pre-auth Special Interest Group is still working and might have something to say/recommend in this area. Oh well...

andrewj
01-10-2009, 11:55 AM
As a PIN security mandate, I am not sure how this would affect any pre-auth issues. PINs must be encrypted at the time and point of entry, and the PIN and PED programs do not concern themselves with the security / storage of other cardholder data (such as track or PAN data).