
The Green Sheet Online Edition

June 27, 2016  •  Issue 16:06:02


Retailers challenge PCI, seek federal intervention

The National Retail Federation disclosed on June 2, 2016, that it had asked the Federal Trade Commission to use its investigative powers to determine if the PCI Security Standards Council (PCI SSC) violates federal anti-trust laws.

The PCI SSC was formed in 2003 by the leading card companies (Visa, MasterCard Worldwide, American Express Co., Discover Financial Services and JCB International Credit Card Co. Ltd.) to implement uniform requirements to protect credit and debit cardholder data and reduce card fraud.

The Payment Card Industry Data Security Standard (PCI DSS), which came out of that initiative, was controversial with merchants from the start. Many have balked over PCI compliance fees, which are typically imposed by acquirers and ISOs, as well as the hefty fines that ensue when cardholder data is determined to have been breached at merchant locations.

FTC undertakes PCI 'study'

In addition, the FTC revealed in March 2016 that it was undertaking a "study" of the PCI DSS – a study that has the markings of an inquiry. "Information collected by the FTC will be used to study the state of PCI DSS assessments," the commission said in a statement issued March 7.

The statement noted that the commission had "issued orders" to the following nine companies specializing in PCI compliance assessments: Foresite MSP LLC, Freed Maxick CPAs P.C., GuidePoint Security LLC, Mandiant, NDB LLP, PricewaterhouseCoopers LLP, SecurityMetrics, Sword and Shield Enterprise Security Inc., and Verizon Enterprise Solutions (also known as CyberTrust).

The nine were given 45 days to respond to a seven-page questionnaire requesting detailed information. Among other things, the companies were asked to explain how they hire and train qualified security assessors, price services and bid on client contracts, establish audit policies and methodologies, and deal with noncompliance issues. Also requested were sample past assessments and information about any data breaches that occurred following successful compliance audits.

Although the FTC did not request public comments on the initiative, the NRF provided the commission with a 19-page white paper that argues the PCI SSC is anything but a standards-setting body, and the PCI DSS requirements and related standards "are forced upon business owners" who can't afford not to accept card payments.

In a letter accompanying the white paper, Mallory Duncan, NRF Senior Vice President and General Counsel, urged FTC commissioners "not to rely on PCI DSS for any purpose," insisting that "PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations."

The white paper stated that PCI presents "significant antitrust concerns" and that the FTC needs to investigate whether the standards and enforcement actions undertaken by the card brands under PCI violate federal laws.

EMV flawed, too

The NRF white paper also takes aim at EMVCo. Owned by the card brands, EMVCo manages the technical specifications and testing processes for compliance with EMV standards for chip-secured credit and debit cards and chip-reading card terminals. The white paper blasts the October 2015 liability shift, which put merchants on the hook for card fraud losses that can be traced back to any of the merchants' card-reading devices that are not EMV compliant.

"The EMV mandate was effectuated in the same way PCI operates – without any input from the non-network affected parties (i.e.: merchants, banks, processors, etc.) and through a top-down, take-it-or-leave-it compliance approach," the NRF said in the white paper. The NRF concluded the white paper by urging the FTC to "reject the use of PCI standards as a benchmark for data security," and to work with "legitimate standard-setting bodies," such as the American National Standards Institute.

In a statement provided to The Green Sheet, PCI SSC General Manager Stephen Orfei said his organization "strongly disagrees with the unfounded assertions" in the NRF's correspondence with the FTC. "PCI SSC has an ongoing and productive dialogue with the FTC and looks forward to discussing the NRF's letter with them," he said.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
