NRF's attack on PCI is strong on theory, weak on specifics

After 12 years of operation, shouldn’t NRF be able to point to better and more concrete examples?

Citibank credit card with an EMV chip

This Citibank credit card has an EMV chip

Credit: Blair Hanley Frank

In a letter to the U.S. Federal Trade Commission (FTC), lawyers for the National Retail Federation (NRF) tried to take down PCI, making an impassioned plea that the government not give any more clout to a standards body that is fully controlled by the card brands, including Visa and MasterCard.

Impassioned, but abstract. The NRF made its case almost entirely as a hypothetical, arguing that this kind of effort could in theory be used to advance an anti-consumer and anti-merchant agenda. This is odd, given that the PCI Council released Version 1.0 of its guidelines back in 2004 and has released many more over the years. If the NRF's argument is solid, why after all these years couldn't it flood the FTC with volumes of actual instances of abuse rather than still arguing the potential?

NRF halfheartedly mentioned one specific — EMV — but that's hardly a powerful case for the NRF side.

The trigger for the NRF letter appears to have been concerns that the FTC might incorporate PCI compliance with recommendations it is preparing — a move that would solidify and increase PCI's leverage and power. This is one of those arguments that are best articulated in the abstract. At the legal, abstract, hypothetical level, the NRF makes an impressive-sounding case that PCI is indeed a power play by the card brands.

But an examination of the mundane and extensive guidelines that PCI has published for many years reveals no grand scheme of global domination. Instead, it seems to be a relatively innocuous listing of security best practices. A better argument against PCI would be that its security guidelines are too timid. (Note: PCI is also now trying to get more senior executives involved, which seems to be a wise move.)

And some of that criticism is muted by the pragmatic realities of PCI's limits, where it must post security guidelines that will apply equally to massive retailers and tiny ones, including every possible vertical. That forces a certain lowest-common-denominator approach that explains some of that apparent timidity.

If the NRF arguments of extraordinary influence are to be believed, it would suggest influence by way of nuance and subtlety — which are two words rarely applied to the tactics of Visa and MasterCard.

With that all said, PCI issued a response that was so vague, it seemed to support the NRF allegations more than it undermined them. PCI's statement, attributed to PCI Council general manager Stephen Orfei, said in its entirety: "PCI SSC is aware of the NRF letter and strongly disagrees with the unfounded assertions it contains. PCI SSC has an on-going and productive dialogue with the FTC and looks forward to discussing the NRF's letter with them." 

When we asked the council to specify the "unfounded assertions" at issue, it declined to identify any. Not a good sign, PCI. If you can't cite even one error of fact or an incorrect conclusion, that's hardly convincing.

And now, let's delve into what the NRF document said. (For those interested, here are my highlights of the FTC filing, along with the full text of the NRF FTC letter and the full text of the NRF FTC document.) "We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute reasonable data security standards in the payment system or any other sector," the letter said.

It further described the PCI Council as "a proprietary organization formed and controlled by a single industry sector — the major credit card networks — that is not an open organization built on standard-setting principles recognized by the United States Standards Strategy (published by the American National Standards Institute, better known as ANSI). Notably, PCI fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations that are intended to promote sound, fair standards and avoid the competition problems that can be inherent in a standard-setting process that is not carefully constructed."

This is what I was referencing earlier. What the NRF just said was an argument for why PCI might not deliver fair and legitimate security guidelines, but it never takes the next logical step to cite security guidelines issued that were indeed problematic. In a criminal court analogy, it's like establishing why a defendant might have killed the victim, without trying to prove that he actually did.

"PCI’s standards are not voluntary. Instead, they are set by networks with market power and are forced upon business owners (and, by extension, their customers) that cannot refuse to accept credit and debit cards. PCI effectively stifles competition and innovation by consuming funds otherwise available for data security, and for adoption and implementation of new — possibly more secure — payment technologies," the letter said. "The card networks, in other words, unfairly leverage their brands and proprietary technology through webs of closely-controlled interdependent bodies and compliance regimes. PCI is very much a part of this overall anticompetitive scheme."

All true. But it still attempts to paint PCI as a potential force for evil without bothering to establish that PCI has done anything evil. This would have been a perfect argument many years ago, when PCI was launched as a concept. But given that PCI has been fully operational for so many years, the absence of any meaningful list of deficiencies involving actual guidelines issued sharply dilutes the power of the NRF argument.

In short, the NRF argument legitimately makes the case that PCI has the potential to engage in anticompetitive behavior. Even if PCI hasn't yet leveraged that power, the argument continues, it can, and if the FTC gives it its stamp of approval, the temptation to abuse that power could prove irresistible. Unfortunately, the NRF didn't opt to make that argument.

The NRF's bigger-picture argument is that the card brands, through all of these specific security rules, have the potential to control the payments world and the retailers that are key players in that world.

In the one specific it cited, the NRF argued that PCI's embrace of EMV is a hint of how the card brands are trying to control retailers to the detriment of both retailers and consumers.

"Throughout the rest of the world, the networks have imposed a chip-and-PIN policy. For the U.S., however, the networks have adopted a chip-only policy. Again, given the relative simplicity, low expense, and effectiveness of requiring PIN, it defies logic and recognized standard-setting principles that the networks would choose instead to mandate a new EMV regime (with all of its attendant costs and complications) and not take the additional step to require PINs for chip cards to maximize security in the U.S. payment card system as it does in Europe, Asia, the U.K., Canada, and the largest global economies," the NRF letter said. "In light of the successful worldwide deployment of chip-and-PIN, one might question why an open standard-setting body genuinely concerned with protecting the payments system did not require the use of PINs to promote better security here in the U.S. But PCI is not an open organization founded to maximize results. It is a proprietary organization dominated by a single interest group — the networks — with motivations apart from, and in conflict with, the interests of other payment card system participants on whom PCI’s requirements are being imposed. Its 'standards' should not be relied upon by any government body, in part because the process by which they are developed is fatally flawed."

The argument that EMV advocates have made for still accepting signatures is that U.S. consumers are resistant to change and that a signature approach would be more comfortable initially. The argument is that PIN authentication can always be added later, after consumers are comfortable with the change to dip from swipe.

But with all of this said, there is a very legitimate concern. Unfortunately, it's one that the NRF merely implies. Yes, PCI has huge potential for doing the bidding of the card brands, a potential that it appears to have barely used. Yet. And that's the point. Were PCI to get the official embrace from the U.S. government, in the form of adoption by the FTC, it would have far more power to shape the industry to its owners liking.

There is a classic quote from John Dalberg-Acton that says, "Power tends to corrupt, and absolute power corrupts absolutely." (By the way, the next line in that quote is almost never cited, but it's intriguing nonetheless: "Great men are almost always bad men.")

In other words, the more power that PCI gets, the more difficult its owners will find it to resist playing payments gods. The NRF's point, then, is that the FTC should look at who the PCI owners are and whether it wants that group to have so much power. Had the NRF said that point explicitly, it would have been far more compelling. As it stands, though, it's still a sobering thought.

This article is published as part of the IDG Contributor Network. Want to Join?

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Related:
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.