NRF asserts that the PCISSC allowed credit card companies to leverage their brands.
The National Retail Federation has asked the Federal Trade Commission to investigate the Payment Card Industry (PCI) Security Standards Council, saying that credit card companies “unfairly leverage their brands” and that their market power entails antitrust concerns, according to a statement from the NRF. The PCI council was formed a decade ago by Visa, MasterCard, American Express, Discover and JCB.
“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.
Duncan explained that the Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector – and the major credit card networks” and “Notably, PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations that are intended to promote sound, fair standards and avoid the competition problems that can be inherent in a standard-setting process that is not carefully constructed.”
The letter stated that “we believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”
The PCI council, formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB, imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.
In March the FTC said it has opened an inquiry, issuing orders to nine companies requiring them to provide information on how they measure retailers' compliance with the council's Data Security Standards. The nine companies include: Foresite MSP, LLC’ Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NBD LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (known as CyberTrust). The FTC will use the requested information to study the state of PCI DSS assessments.
Reuters reported that the PCI council said the NRF letter contains “unfounded assertions” and that it “has an ongoing and productive dialog with the FTC and looks forward to discussing the NRF’s letter with them.”