When it was created in 2006, the Payment Card Industry Security Standards Council was billed as an independent body to manage the data security standards process for the payments industry. It has been under fire from merchants ever since.
The main gripe against the council is that it is not truly the enforcer of PCI compliance. That role stayed in the hands of the payment card brands and acquiring banks.
The major card brands had the key role in developing the standards two years earlier, while merchants of all sizes were to have a seat at the table through the PCI working groups. Merchants haven't liked the view from that side of the table, and it has resulted in a decade of conflict both in and out of the courtroom.
But is there a more viable option, for which merchants and the networks could agree? It is not likely they would want the government to take over, considering the years of chaos and conflict the Durbin amendment created with debit card routing and pricing.
Merchant discontent with PCI has also been fueled by interchange rate disputes, chargeback confusion and disenchantment with the migration to EMV chip cards. Many also opted out of a $5.7 billion settlement that was supposed to end a longstanding legal dispute over card swipe fees.
"For some reason, these two will never agree," said Richard Mader, president of Mader International Consulting. "The interchange charge is still the big issue and the root of the problem, and they can't see past it."
The National Retail Federation, a trade group, made it clear last week that it would like to see the PCI Council either change how it operates, or turn over data security responsibility to another governing body. In a 19-page letter to the Federal Trade Commission dated May 23, the NRF asks commissioners to take a closer look at what it describes as an "inappropriate exercise of market power."
"It just seems like one lawsuit after another, and meanwhile the payments industry is going back and forth with all of these different payment methods that are all being hurt by the continuing war between bank cards and the merchants," Mader said.
Even if the retailers came up with a set of security guidelines for self-policing, the networks would likely say they couldn't trust the merchants to do that, Mader added.
"But who takes the heat here?" Mader asked. "Bank cards have eaten some of it, but now the fraud liability goes to merchants not accepting EMV."
The NRF isn't suing the PCI Council in this case, nor does it take issue with the general concept of adhering to a standard over data security.
"We are saying the same thing about PCI that we have said in the past: that it has to be turned into an open process and a fair system that we should all be sharing to make sure it works," said Mallory Duncan, senior vice president and general counsel for the NRF. Among other issues, merchants feel locked into what the networks dictate, usually at high fees, because they aren't in a position to turn down payment card transactions.
The card networks essentially view their plastic cards as a form of currency, Duncan said. As such, they should bear more of the responsibility and costs for fraud detection. "If they consider it a valuable product, the brands should take the lead in fixing their product," he added.
If an open and fair process is not possible through PCI, the retail industry needs to "go to an honest broker like the American National Standards Institute," Duncan said. In his letter to the FTC, Duncan states that the PCI Council "fails to satisfy any of the principles adopted by the federal government" through organizations like the United States Standards Strategy, as published through the ANSI.
"There has to be reasonable standards, but they have to be fair," Duncan added. Compliance is costly to merchants and "after you comply, they reserve the right to fine you anyway," Duncan added, referring to cases in which merchants are fined because they may have missed deadlines on rule changes they may not have known about.
The PCI council has endured other attacks since its inception.
In one example in November of 2009, a law firm representing seven restaurants in Louisiana and Mississippi that suffered data security breaches filed a class action against Radiant Systems, a Georgia-based point of sale hardware manufacturer; and Computer World Inc., a Louisiana-based POS system distributor. The suit alleged those companies sold the restaurants Aloha POS systems that were incorrectly described as compliant with PCI related security standards, even though Visa informed the POS sellers those units were not compliant.
Confusion has also surfaced when a retailer or processor pass audits for PCI compliance only to find out after a data breach that it was out of compliance due to previously undiscovered vulnerabilities. At the times of their respective breaches, both Target Inc. and Heartland Payment Systems told investigators the company had passed security audits prior to the data compromises.
The PCI Council has declined to address the NRF letter and its allegations at this time.
Given the level of contention between the NRF and the networks, it’s really not very likely that the NRF would agree with anything that the networks and their constituents attempt to do, and that’s probably an ongoing and never-ending issue, said Thad Peterson, senior analyst with Boston-based Aite Group.
"Merchants want to minimize any barrier to a sale or incremental expense that could negatively impact their business," Peterson said. "The networks want to protect their constituents, which include the retailers but also include the acquirer/processors, issuers and ultimately, consumers, from the risk of losses due to fraud or theft."
Agreement is unlikely, and the stakes are "driven pretty firmly in the ground on both sides," Peterson added.
But seeking more government intervention, ultimately, could make things worse — or at least far slower, Peterson said.
"The dynamism of the problem dictates that the entities responsible for managing the process and setting requirements are close to the problem and able to move fairly quickly," he added. "Neither of these requirements are part of governmental DNA."
The NRF request for PCI scrutiny occurred a week after the Merchant Advisory Group asked the Federal Financial Institution Examination Council to investigate some debit card issuers in the industry, alleging they are violating the Durbin amendment ruling mandating at least two network choices for debit transaction routing.
The MAG's pursuit of a closer look at debit routing came right on the heels of Walmart pursuing the same concern in filing a lawsuit against Visa. Walmart accuses the card brand of compromising cardholder security by pushing for acceptance of debit transactions authorized through cardholder signature, rather than with a PIN. The end result robs merchants of debit routing options while also requiring them to pay higher fees for card acceptance, according to Walmart.
If interchange, transaction routing and security standards bodies aren't enough to keep merchants and the card networks banging heads, the merchants last week reminded the industry that the concept of "honor all cards" still doesn't sit well with them, particularly as it advances into modern technology with an "honor all wallets" concept.
"We just never seem to get out of this constant conflict," International Consulting's Mader said. "There is dirt on both sides, but let's make it easy, convenient and safe for consumers. Can we do something together on this? I don't know."