The Green Sheet Online Edition
June 27, 2016 • Issue 16:06:02
Retailers challenge PCI, seek federal intervention
The National Retail Federation disclosed on June 2, 2016, that it had asked the Federal Trade Commission to use its investigative powers to determine if the PCI Security Standards Council (PCI SSC) violates federal anti-trust laws.
The PCI SSC was formed in 2003 by the leading card companies (Visa, MasterCard Worldwide, American Express Co., Discover Financial Services and JCB International Credit Card Co. Ltd.) to implement uniform requirements to protect credit and debit cardholder data and reduce card fraud.
The Payment Card Industry Data Security Standard (PCI DSS), which came out of that initiative, was controversial with merchants from the start. Many have balked at PCI compliance fees, which are typically imposed by acquirers and ISOs, as well as at the hefty fines that ensue when cardholder data is determined to have been breached at merchant locations.
FTC undertakes PCI 'study'
In addition, the FTC revealed in March 2016 that it was undertaking a "study" of the PCI DSS – a study that has the markings of an inquiry. "Information collected by the FTC will be used to study the state of PCI DSS assessments," the commission said in a statement issued March 7.
That statement noted that it had "issued orders" to the following nine companies specializing in PCI compliance assessments: Foresite MSP LLC, Freed Maxick CPAs P.C., GuidePoint Security LLC, Mandiant, NDB LLP, PricewaterhouseCoopers LLP, SecurityMetrics, Sword and Shield Enterprise Security Inc., and Verizon Enterprise Solutions (also known as CyberTrust).
The nine were given 45 days to respond to a seven-page questionnaire requesting detailed information. Among other things, the companies were asked to explain how they hire and train qualified security assessors, price services and bid on clients' contracts, establish audit policies and methodologies, and deal with noncompliance issues. Also requested were sample past assessments and information about any data breaches that occurred following successful compliance audits.
Although the FTC did not request public comments on the initiative, the NRF provided the commission with a 19-page white paper that argues the PCI SSC is anything but a standards-setting body, and the PCI DSS requirements and related standards "are forced upon business owners" who can't afford not to accept card payments.
In a letter accompanying the white paper, Mallory Duncan, NRF Senior Vice President and General Counsel, urged FTC commissioners "not to rely on PCI DSS for any purpose," insisting that "PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations."
The white paper stated that PCI presents "significant antitrust concerns" and that the FTC needs to investigate whether the standards and enforcement actions undertaken by the card brands under PCI violate federal laws.
EMV flawed, too
The NRF white paper also takes aim at EMVCo. Owned by the card brands, EMVCo manages the technical specifications and testing processes for compliance with EMV standards for chip-secured credit and debit cards and chip-reading card terminals. The white paper blasts the October 2015 liability shift, which put merchants on the hook for card fraud losses that can be traced back to any of the merchants' card-reading devices that are not EMV compliant.
"The EMV mandate was effectuated in the same way PCI operates – without any input from the non-network affected parties (i.e.: merchants, banks, processors, etc.) and through a top-down, take-it-or-leave-it compliance approach," the NRF said in the white paper. The NRF concluded the white paper by urging the FTC to "reject the use of PCI standards as a benchmark for data security," and to work with "legitimate standard-setting bodies," such as the American National Standards Institute.
In a statement provided to The Green Sheet, PCI SSC General Manager Stephen Orfei said his organization "strongly disagrees with the unfounded assertions" in the NRF's correspondence with the FTC. "PCI SSC has an ongoing and productive dialogue with the FTC and looks forward to discussing the NRF's letter with them," he said.