On the surface one would expect a major retailer advocate, and an agency dedicated to keeping purchasing transactions safe, to be well-aligned in their views. But the National Retail Federation (NRF) has made a very public complaint about the Payment Card Industry Security Standards Council (PCI), accusing it of antitrust practices.
Retail shoppers of all types expect the businesses they transact with to adhere to best practices to protect their payment methods. A lack of trust could push a consumer away from making a purchase from a given online seller. It’s with such concerns in mind that retailers who accept credit cards must conform to standards set by PCI.
But what appears to be long-simmering resentment over PCI’s practices boiled over last month when the NRF publicly disclosed its complaint to the Federal Trade Commission (FTC) about how PCI engages with retailers on credit card data security.
“We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes,” NRF’s Mallory Duncan, Senior Vice President and General Counsel, said in the letter to FTC, accompanied by a 19-page white paper detailing their concerns about whether the standards PCI sets are anti-competitive in nature.
The FTC already requires businesses to engage in “reasonable data security practices to protect sensitive consumer information or face administrative enforcement actions for unfair or deceptive acts or practices,” as noted in the NRF white paper. Credit card networks in turn rely on PCI to establish those practices and communicate them to retail customers.
Failure to comply with PCI standards could cause a business to lose its eligibility to process credit card payments. At a time when data breaches by criminal efforts regularly make news, consumers are increasingly avoiding making purchases online due to lack of trust. No business wants to be viewed as unsafe by its target market.
Craig Shearman, Vice President for Government Affairs Public Relations for NRF, told EcommerceBytes the issues retailers have had over credit card security go back years. “Rather than fixing the cards, the industry came up with PCI,” he said.
“While PCI purports to set security standards, it is really devised as a system where the banks and card companies can play ‘gotcha’ with retailers and blame retailers for data breaches and other security issues. Retailers take extensive measures to protect card data and did so even before PCI. The problem is that the card system has inherent security flaws. Even with EMV starting to replace magnetic stripe cards, these issues have not been resolved.”
The PCI Council in turn said in a statement to EcommerceBytes that it is “aware of the NRF letter and strongly disagrees with the unfounded assertions it contains. PCI SSC has an on-going and productive dialogue with the FTC and looks forward to discussing the NRF’s letter with them.”
PCI further noted that NRF “was a PCI Participating Organization from 2007 to 2011. NRF ran for a seat on the PCI Council’s Board of Advisors in 2009. Voting for Board of Advisor members is open to all (700+) PCI Participating Organizations. NRF did not win its bid for a seat.”
PCI also noted a recent meeting with NRF that gave no indication a public airing of these issues would be forthcoming. “The PCI Council’s General Manager, Stephen Orfei, met with the NRF’s Mallory Duncan on April 26th and Mr. Duncan did not mention any of the concerns listed in the NRF’s letter at that time. There was no opportunity to discuss the concerns.”
PCI further believes in their standards and the benefits of adhering to them, noting in their comments to EcommerceBytes, “The 2015 Verizon PCI Report showed that among data breaches they investigated in the past decade, there was not a single data breach in which a merchant was PCI compliant at the time of the breach. We see that finding as a reason to have confidence in the standards created and maintained by the PCI Council and our 700 member organizations.”