Avivah Litan, a fraud analyst with Gartner Inc., said the deadline shift wasn’t unexpected given how many U.S. fuel stations are behind on costly updates, noting that in some cases it can cost more than $10,000 per pump to accommodate chip card readers. The National Association of Convenience Stores estimates that station operators will spend approximately $30,000 per store to accommodate chip readers, and that the total cost to the fuel industry could exceed $4 billion.
“Some of them you can just replace the payment module inside the pump, but the older pumps will need to be completely removed and replaced,” Litan said. “Gas stations and their unattended pumps have always been an easy target for thieves. The fraud usually migrates to the point of least resistance, and we’re seeing now the fraudsters really moving to targeting unattended stations that haven’t been upgraded.”Credit card fraud from pull pumps is around 1% of all card fraud., which is about $16B world wide. At $4B for the upgrade, mathematics says that fraud would need to be $400B a year for the expense to be justified. What the delay will allow is for station owners to plan a technology refresh for their pumps (something that will be in the works anyway) and so the cost of the chip readers will be a minimal portion of the overall upgrade, rather than the whole thing.
This situation is actually quite a good view into the workings of the "security as risk management" approach. Yes, the technology exists. Yes, security will be better after this is implemented. No, there's no way to justify the cost of an immediate upgrade. Yes, there will be a cost to carry if you don't upgrade immediately. No, that doesn't make an immediate upgrade the right decision.