Retailers to FTC: PCI DSS part of an 'anticompetitive scheme'
In the ongoing saga that is the National Retail Federation vs. the major credit card networks, NRF has asked the Federal Trade Commission to investigate the Payment Card Industry Security Standards Council for possible antitrust violations.
PCI SSC is the standards-setting body established in 2006 by Visa, MasterCard, American Express, Discover and JCB and governed by representatives of those networks. Banks and merchants must implement security standards developed by the council or face banishment from network participation.
NRF's request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards.
In a letter to FTC Chairwoman Edith Ramirez, NRF Senior Vice President and General Counsel Mallory Duncan wrote:
It is … our understanding that the FTC may be considering PCI DSS as indicia of industry best practices and/or reasonable data security standards.
We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute reasonable data security standards in the payment system or any other sector.
An accompanying white paper warned that the motivations behind PCI "conflict with the interests of businesses and consumers who use the payment card system":
PCI effectively stifles competition and innovation by consuming funds otherwise available for data security, and for adoption and implementation of new — possibly more secure — payment technologies.
The card networks, in other words, unfairly leverage their brands and proprietary technology through webs of closely-controlled interdependent bodies and compliance regimes. PCI is very much a part of this overall anticompetitive scheme. The FTC should be very wary of the nature of PCI and the effects of its standards and processes. Ultimately, PCI is a mechanism through which the payment card networks that control it unfairly leverage their market power.
NRF asked the FTC to investigate the council's practices in general and their impact on competition in particular. NRF also said the FTC should reject government use of PCI standards as any benchmark for data security, and instead work with "legitimate U.S. standard setting bodies" such as the American National Standards Institute.