WASHINGTON -- The National Retail Federation recently asked the Federal Trade Commission to conduct an investigation into the Payment Card Industry (PCI) standards body, an organization founded by the credit-card industry that sets data-security standards (DSS), saying the group’s controversial practices raise antitrust concerns.
“We urge the FTC (Federal Trade Commission) not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data-security standards in the payment system or any other sector,” said Mallory Duncan, senior vice president and general counsel for the National Retail Federation (NRF), in a letter to Edith Ramirez, chairwoman of the Washington-based FTC, and other commission members.
The PCI Security Standards Council, Wakefield, Mass., is “a proprietary organization formed and controlled by a single industry sector—the major credit-card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment-card networks and PCI should not continue setting data-security standards through its current processes.”
“PCI SSC is aware of the NRF letter and strongly disagrees with the unfounded assertions it contains,” said Stephen Orfei, general manager for the PCI Security Standards Council in an emailed response to CSP Daily News. “PCI SSC has an on-going and productive dialogue with the FTC and looks forward to discussing the NRF’s letter with them.”
NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. Washington-based NRF officials said they understand the FTC is also considering PCI requirements as an example of industry best practices.
The PCI council was formed in 2006 by the major credit-card companies—Visa, MasterCard, American Express, Discover and JCB. It imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.
In a 19-page white paper submitted to the FTC, the NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes,” including the council. While portrayed as voluntary, the PCI Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”
The council’s practices “raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology,” the paper said.
Among other concerns, PCI requirements act as “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security, according to the paper.
The NRF asked that the FTC investigate the council’s practices in general and particularly their effect on competition. The FTC should also reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute, the NRF said.
The NRF is one of the world’s largest retail-trade associations, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and internet retailers from the United States and more than 45 countries.
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.