NRF asks for PCI DSS inquiry


The National Retail Federation (NRF) has asked the Federal Trade Commission (FTC) to conduct an investigation into an organization founded by the credit card industry that sets data security standards.

According to a letter from NRF senior VP and general counsel Mallory Duncan to FTC chairwoman Edith Ramirez, the practices of the Payment Card Industry Security Standards Council (PCI DSS) raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” said the letter.

The letter went on to say PCI DSS is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks,” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations. We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”

NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

The PCI council was formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB. It is governed by an executive committee made up of representatives of those five companies.

In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes.” While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

NRF asked that the FTC investigate the council’s practices in general and particularly their impact on competition. The letter also said the FTC should reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute.

PCI DSS has not yet responded to the NRF’s request.