The National Retail Federation (NRF) has never been a huge fan of the PCI Security Council. But in a detailed note sent to the U.S. Federal Trade Commission (FTC) late last month, NRF’s lawyers crafted an impressive takedown of PCI, arguing that PCI represents a monopoly-like attempt by the card brands to control retailers.
The trigger for the FTC letter appears to be concerns that the FTC might incorporate PCI compliance into recommendations it is preparing—a move that would solidify and increase PCI’s leverage and power.
This is one of those arguments that is best articulated in the abstract. At the level of legal hypotheticals, NRF makes an impressive-sounding case that PCI is indeed a power play by the card brands.
PCI issued a response that was so vague it seemed to support the NRF allegations more than it undermined them. PCI’s statement, attributed to PCI Council General Manager Stephen Orfei, in its entirety said: “PCI SSC is aware of the NRF letter and strongly disagrees with the unfounded assertions it contains. PCI SSC has an on-going and productive dialogue with the FTC and looks forward to discussing the NRF’s letter with them.”
When we asked the council to specify the “unfounded assertions” at issue, it declined to identify any. Not a good sign, PCI. If you can’t cite even one error-of-fact or an incorrect conclusion, that’s hardly convincing.
And now, let’s delve into what the NRF document said. “We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute reasonable data security standards in the payment system or any other sector,” the letter said.
It further described the PCI Council as “a proprietary organization formed and controlled by a single industry sector—the major credit card networks—that is not an open organization built on standard-setting principles recognized by the United States Standards Strategy (published by the American National Standards Institute, better known as ANSI). Notably, PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations that are intended to promote sound, fair standards and avoid the competition problems that can be inherent in a standard-setting process that is not carefully constructed.”
“PCI’s standards are not voluntary. Instead, they are set by networks with market power and are forced upon business owners (and, by extension, their customers) that cannot refuse to accept credit and debit cards. PCI effectively stifles competition and innovation by consuming funds otherwise available for data security, and for adoption and implementation of new—possibly more secure—payment technologies,” the letter said. “The card networks, in other words, unfairly leverage their brands and proprietary technology through webs of closely-controlled interdependent bodies and compliance regimes. PCI is very much a part of this overall anticompetitive scheme.”
The NRF letter also went into some very interesting early history of PCI’s formation, at least from NRF’s perspective.
“Around 2003, Visa approached NRF with a proposal to impose Visa’s proprietary data security system on brick-and-mortar retailers for in-store transactions. NRF members balked at Visa’s plan largely because of concerns that the other card networks (e.g., MasterCard, JCB International) would also attempt to unilaterally impose their own—possibly different and conflicting—security standards on retailers. Complying with several involuntary proprietary data security regimes was considered infeasible and cost-prohibitive, and was vigorously opposed by NRF’s members,” the letter said. “NRF suspected that Visa (followed by the other card networks) was attempting to shift the cost burden and liability for the data security of an increasingly antiquated and fraud-prone card system onto retailers, even though the networks and card-issuing banks controlled, as they do now, the security features on cards (e.g., magnetic stripes on cards, card numbers embossed on the front of cards, use of static account numbers to access value, availability or nonavailability of PINs associated with cards, etc.). When discussing its proposed imposition of CISP with NRF and its members, Visa also showed (as it still does) an unwillingness to consider security measures that placed costs or burdens on the networks or card-issuing banks. Instead, Visa was only willing to discuss some measures that impacted retailer and acquiring-bank obligations. Finally, it was clear that Visa’s proposal had been developed without any significant consideration of retailers’ business operations or ripple effects on other card brand acceptance. All of this fueled NRF’s apprehensions about, and strong opposition to, Visa’s plan.”
NRF then made the essence of its monopoly argument: “Retailers—through NRF and others—have made repeated requests to participate on PCI’s Executive, Standards, and Operations Committees and have some material role in establishing and implementing PCI DSS. All of those attempts have been rejected by the networks. Today, retailers that accept credit or debit cards are kept completely out of all critical PCI decision-making processes and do not have the ability to assess and voluntarily adopt these requirements, let alone determine whether their business will be governed by PCI’s mandated security scheme. In sum, the founding networks are the sole members of all PCI committees and control all technical and operational functions of the organization, including: setting PCI policies and priorities, establishing PCI DSS, implementing PCI DSS, and enforcing PCI DSS. Other (i.e., non-network) members of PCI have very limited opportunities to offer non-binding recommendations and feedback to the founding networks on PCI DSS issues. But again, retailers and other non-founding members have no control or authority with respect to standard-setting or PCI DSS compliance requirements, nor the ability to determine whether they will be governed by these mandates.”
NRF’s bigger-picture argument is that the card brands—through all of these specific security rules—have the potential to control the payments world and the retailers who are key players in that world.
“Through hundreds of pages of technical requirements spread across (and cross-referencing) numerous documents, PCI’s founding networks maintain a veritable web of control over every aspect of transaction processing, from approved software and hardware, to network and computer system maintenance, to annual audits and approved auditors, to ongoing reporting requirements to the networks with respect to PCI DSS compliance. At every step of the way, PCI dictates merchants’ choices with respect to eligible third-party service providers, software and hardware vendors, approved equipment, certified auditors, etc.,” the letter said. “The networks, in turn, reinforce PCI’s control over these products and business relationships by incorporating PCI’s approved/certified entities and products directly into their own operating rules. The ultimate result of PCI’s structure and activities is a complex and costly system in which merchants bear the compliance burden (with the attendant costs and risk) but are not permitted to participate in any decision-making.”
NRF also argued that PCI’s embrace of EMV is a hint of how the card brands are trying to control retailers to the detriment of both retailers and consumers.
“Throughout the rest of the world, the networks have imposed a chip-and-PIN policy. For the U.S., however, the networks have adopted a chip-only policy. Again, given the relative simplicity, low expense, and effectiveness of requiring PIN, it defies logic and recognized standard-setting principles that the networks would choose instead to mandate a new EMV regime (with all of its attendant costs and complications) and not take the additional step to require PINs for chip cards to maximize security in the U.S. payment card system as it does in Europe, Asia, the U.K., Canada, and the largest global economies,” the NRF letter said. “In light of the successful worldwide deployment of chip-and-PIN, one might question why an open standard-setting body genuinely concerned with protecting the payments system did not require the use of PINs to promote better security here in the U.S. But PCI is not an open organization founded to maximize results. It is a proprietary organization dominated by a single interest group—the networks—with motivations apart from, and in conflict with, the interests of other payment card system participants on whom PCI’s requirements are being imposed. Its “standards” should not be relied upon by any government body, in part because the process by which they are developed is fatally flawed.”
The argument that EMV advocates have made for still accepting signature is that U.S. consumers are resistant to change and that a signature approach would be more comfortable initially. That argument holds that PIN authentication can always be added later, after consumers are comfortable with the dip-versus-swipe change.
The letter also extended the EMV argument into a broader anticompetitive one.
“These scenarios present issues of hold-up by the owner of the technology after the technology has been adopted as part of a standard. Because of sunk costs, it becomes difficult or cost prohibitive for merchants to switch to a different standard or technology. Put another way, as with PCI, the technology owners occupy all of the available dollars or spend and starve the market for innovators and new technologies. Then, the technology owners can extract unfair royalties and licensing terms because of the lack of competition, and consumers may be harmed in the form of higher prices. In turn, security suffers because innovations that might otherwise have advanced security have no foothold in the market and never develop. In this respect, PCI acts as an anticompetitive barrier to innovation because the payments system participant market (e.g., retailers) exhaust available resources complying with PCI’s ever-changing security requirements,” the letter said. “Some SSOs have policies to mitigate hold-up problems, which include, among other things, requiring advance disclosure of proprietary technologies that might be used in a standard and ex ante negotiations over post-standard licensing and royalty terms for the technology in question. Per the FTC/DOJ Paper, neither agency supports or requires any particular disclosure or licensing policy. The agencies do recognize, however, the strong potential for procompetitive benefits associated with such remedial actions (as long as those actions are structured properly and do not themselves cause antitrust problems). PCI raises antitrust concerns around hold-up, and to our knowledge, does not require or even encourage any disclosure or negotiations by the networks regarding their proprietary technology used in, or advanced by, PCI DSS. As one example, the PCI founding networks, along with China UnionPay Company, control—in virtually the same way they control PCI—EMVCo. EMVCo manages the technical specifications and testing processes for EMV (named for the Europay, MasterCard and Visa card brands), which is the proprietary technology in chip-embedded payment cards. The EMV technology is owned by the EMVCo networks (i.e., the PCI networks plus China UnionPay).”
All in all, NRF has taken the time to lay out a fairly compelling argument against PCI being the ideal organization to get the federal government’s stamp of approval.