NRF Requests FTC Probe of Data Security Group

WASHINGTON — The National Retail Federation has asked the Federal Trade Commission to investigate a data security group affiliated with the credit card industry, charging that its practices are controversial and raise antitrust concerns.

At the heart of the NRF’s request for an FTC probe is the Payment Card Industry Security Standards Council, which was formed in 2006 by five major credit card companies, including Visa, MasterCard, American Express, Discover Financial Services and JCB International.

The NRF charged that the council “imposes its rules on millions of U.S. businesses, but continues to be governed by an executive committee made up of representatives of only those five companies.”

That raises antitrust concerns, according to the NRF, which has submitted a 19-page white paper to the FTC outlining retailers’ concerns about the council’s practices.

The retail group said credit card companies and the council use market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes. While portrayed as voluntary, the…requirements set by the council are forced upon businesses that cannot refuse to accept credit and debit cards.”

An NRF spokesman said not only does the council set standards, it also “imposes unilateral fines on retailers found to be in alleged violation of their standards, particularly when there is a data breach.”

The issue has become especially heightened in a new era of massive cyber attacks that include high-profile data breaches involving Target, Home Depot and other retailers that compromised personal and financial data of millions of consumers.

The NRF spokesman said the relationship between retailers and the credit card industry has long been contentious, with retailers asking the credit card industry for better security and the credit card industry blaming retailers for security breaches or failures.

According to a summary on PCI’s web site, “the enforcement of compliance with data security standards and the determination of any noncompliance penalties is carried out by the individual payment brands [card companies] and not by the council.”

According to the NRF, the council’s practices raise antitrust concerns for several reasons, including “general antitrust dangers when competitors collaborate on setting market standards.”

“PCI SSC is aware of the NRF letter and strongly disagrees with the unfounded assertions it contains,” a spokesman said. “PCI SSC has an ongoing and productive dialogue with the FTC and looks forward to discussing the NRF’s letter with them.”

Another allegation outlined in the paper by NRF pointed to PCI requirements acting as “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security.

NRF asked that the FTC to investigate the council’s overall practices, as well as their impact on competition.

The retail group also urged the FTC not to use PCI standards as benchmarks for setting data security and instead work with “legitimate U.S. standard setting bodies,” such as the American National Standards Institute.

“We urge the FTC not to rely on PCI [data security standards] for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” said Mallory Duncan, senior vice president and general counsel at the NRF, in a letter to FTC chairwoman Edith Ramirez. “Notably, PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations that are intended to promote sound, fair standards and avoid the competition problems that can be inherent in a standard-setting process that is not carefully constructed.”