The National Retail Federation has asked the FTC to investigate the Payment Card Industry (PCI) Security Standards Council on the grounds that credit card companies “unfairly leverage their brands." The NRF further alleges that the market power exerted by the credit card companies — Visa, MasterCard, American Express, Discover and JCB — carry obvious antitrust concerns.
A little over two months ago, the FTC issued orders to nine card firms to provide information on how exactly retailers' compliance with PCI standards is measured in regards to PIC Data Security Standards.
In response, the PCI council has noted that the NRF's letter is full of “unfounded assertions." PCI also affirms that it “has an ongoing and productive dialog with the FTC and looks forward to discussing the NRF’s letter with them."
This latest front is yet a new one in the ongoing war between retailers and card companies over the new EMV standard and whether or not PIN should be used as opposed to signature-based verification methods that are currently the norm.
“Using secure software and making sure that the software is installed and maintained correctly is a critical part of protecting payments,” PCI Security Standards Council General Manager Stephen Orfei said in a statement last month about the new version of its data security standard for payment software, known as PCI DSS.
PCI further requires that retailers and business that process over 1 million annual card transactions must be audited to make sure their practices are in line with current security standards. The NRF contends the requirement that they work with credit card companies “exhausts” funds and resources that retailers might otherwise use to invest in data security. The NRF further notes that the government ought to find a new method by which to benchmark data security. Its preferred solution involves working with what it terms “legitimate U.S. standard setting bodies” like the American National Standards Institute.
“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in the letter to the FTC. “Notably, PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations that are intended to promote sound, fair standards and avoid the competition problems that can be inherent in a standard-setting process that is not carefully constructed.”