The National Retail Federation wants the Federal Trade Commission to do more than merely check up on the companies that routinely assess merchants for compliance with the Payment Card Industry Data Security Standards (PCI DSS).
In March, the FTC asked nine companies that conduct PCI DSS audits for merchants handling more than 1 million card transactions annually to document their processes. The NRF today said it wants the agency to investigate the PCI Council itself for possible antitrust violations.
The PCI Council is a “proprietary organization formed and controlled by a single industry sector, the major credit card networks,” and its practices represent an “inappropriate exercise of market power,” the NRF said in a June 2 press release.
The FTC already is looking into the practices of companies that focus on PCI DSS audits, including Foresite MSP, Freed Maxick CPAs, GuidePoint Security, Mandiant, NDB, PricewaterhouseCoopers, SecurityMetrics, Sword and Shield Enterprise Security and Verizon Enterprise Solutions/CyberTrust.
The FTC is seeking details about how the companies conduct routine and forensic audits, the agency said in a March 7 press release.