Dive Brief:
- The National Retail Federation has asked the Federal Trade Commission to investigate the Payment Card Industry (PCI) Security Standards Council, saying that credit card companies “unfairly leverage their brands” and that their market power entails antitrust concerns. The PCI council was formed a decade ago by Visa, MasterCard, American Express, Discover and JCB.
- In March the FTC said it had issued orders to nine companies requiring them to provide information on how they measure retailers' compliance with the council's Data Security Standard (PCI DSS).
- The PCI council said the NRF letter contains “unfounded assertions” and that it “has an ongoing and productive dialog with the FTC and looks forward to discussing the NRF’s letter with them,” according to Reuters.
Dive Insight:
The NRF letter to the FTC is just the latest salvo in a series of battles between retailers and credit card companies, which includes a disagreement about whether new EMV chip cards in the U.S. should require personal identification numbers rather than signatures. But the issue at hand is complex, because the Payment Card Industry Security Standards Council has so far played an important role in protecting cardholder data.
“Using secure software and making sure that the software is installed and maintained correctly is a critical part of protecting payments,” PCI Security Standards Council General Manager Stephen Orfei said in a statement last month about the new version of the council's standard for payment software, the Payment Application Data Security Standard (PA-DSS), a companion to the broader PCI DSS that applies to any organization storing, processing or transmitting cardholder data.
The council requires audits of retailers and other businesses processing more than 1 million credit card transactions a year to ensure they are adequately protecting consumers’ sensitive personal information, according to the FTC, which is examining that assessment process as part of its inquiry.
But the NRF says that the requirement to work with the credit card companies’ organization actually “exhausts” funds and other resources that retailers could otherwise spend on data security, according to its white paper. The organization would like to see the government find another way to benchmark data security and work instead with what it calls “legitimate U.S. standard setting bodies” like the American National Standards Institute.
“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in the letter to the FTC. “Notably, PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations that are intended to promote sound, fair standards and avoid the competition problems that can be inherent in a standard-setting process that is not carefully constructed.”