August 24, 2016
Retailers Urge FTC to Discount PCI as Standard, Investigate Group for Antitrust Violations
June 28, 2016
The most powerful retailer advocacy group in the world has asked the Federal Trade Commission to discount the standards set by the PCI Standards Security Council when considering data security. Retailers have long chafed at requirements mandated by the PCI DSS—not because they don’t want to secure their data, they say, but because the PCI SSC is a proprietary organization run by the networks with their interests in mind rather than retailers’. The National Retail Federation said an inquiry into how retailers leverage third parties to conduct PCI assessments should not consider the PCI DSS illustrative of best practices for data security.
“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute reasonable data security standards in the payment system or any other sector” said Mallory Duncan, senior vice president and general counsel for the NRF, in a letter to FTC leadership. Duncan called PCI “a proprietary organization formed and controlled by a single industry sector—the major credit card networks—that is not an open organization built on standard-setting principles recognized by the United States Standards Strategy.”
The NRF called for an anti-trust investigation of PCI, calling the organization an “inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”