Out-Law News

US retailers challenge how payment card data security standards are set on competition grounds


A US regulator has been warned not to endorse payment card data security standards set by the Payment Card Industry Security Standards Council (PCI) by a retail industry body on competition grounds.

In a submission to the Federal Trade Commission (FTC) the National Retail Federation (NRF) said (21-page / 235KB PDF) the PCI data security standards (PCI DSS) are "not voluntary" and instead are "set by networks with market power and are forced upon business owners (and, by extension, their customers) that cannot refuse to accept credit and debit cards".

PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions.

In March the FTC opened an inquiry into the state of PCI DSS auditing in the US. The NRF said it understands that the FTC is also considering designating the PCI DSS framework as an example of industry best practice.

However, the NRF said the FTC should not "rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute reasonable data security standards in the payment system or any other sector".

Instead, the NRF called on the FTC to investigate the way the PCI sets standards to check whether the processes comply with US law. It also said the FTC should investigate the PCI DSS rules and the way they are "implemented and enforced by the payment card networks ... to determine whether the standards and their implementation violate competition laws".

"PCI effectively stifles competition and innovation by consuming funds otherwise available for data security, and for adoption and implementation of new – possibly more secure – payment technologies," the NRF said. "The card networks, in other words, unfairly leverage their brands and proprietary technology through webs of closely-controlled interdependent bodies and compliance regimes."

"Government should not embed PCI’s privately-controlled mandates into its legal determination of reasonable data security practices," the NRF said. "Not only would this entrench the monopoly positions of the large card networks, but it would put the government’s imprimatur on PCI DSS and effectively grant this closely-controlled, private entity the regulatory power of the government itself… PCI DSS should not be relied upon by any US government agency, including the FTC, as indicia of an open, competitive industry standard for reasonable data security."

In a statement PCI security standards general manager Stephen Orfei said: "PCI SSC is aware of the NRF letter and strongly disagrees with the unfounded assertions it contains. PCI SSC has an on-going and productive dialogue with the FTC and looks forward to discussing the NRF's letter with them."

Expert in technology and payments law Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: “PCI DSS is a globally established standard and not one that I see being likely to be brought down by this challenge. Understandably, due to the costs, those that accept card payments are not always fans of the PCI standards but there are solutions out there that make it easier, for example hosted payment gateways or wallet options that hold customer card details securely out of retailers’ hands.”