A long simmering feud between retailers and credit card issuers over data security came to a head early this month with the National Retail Federation formally asking the Federal Trade Commission to determine whether the credit card industry is in breach of antitrust regulations.
The core issue is the way credit card issuers have been trying to enforce the Payment Card Industry Data Security Standard (PCI DSS). Many retailers perceive that the audits associated with this standard are arbitrary, resulting in fines imposed by credit card issuers that are at the very least questionable in terms of their legal authority to impose.
According to NRF Senior Vice President and General Counsel Mallory Duncan, “PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”
Naturally, solution providers that specialize in IT security are caught in the middle of this quagmire. They are frequently asked to help IT organizations comply with a broad range of PCI DSS requirements, and some even perform PCI DSS audits. On one hand, that creates a significant opportunity. But there have been complaints for years concerning how strictly those PCI DSS standards should be interpreted. In many instances, retailers shop around for auditors that interpret those standards as leniently as possible.
But in the event of a breach, the credit card carriers almost invariably find that the retailer was out of PCI DSS compliance at the time of the breach, which in the carrier's eyes makes the retailer liable for the loss. The trouble is that even when an organization is in PCI DSS compliance, it's almost impossible to stay that way. Any change to the IT environment after the last PCI DSS audit usually takes the retailer out of compliance, and in this day and age it's almost impossible to go a week without having to change an IT configuration one way or another.
The NRF and the credit card issuers are engaged in data security gamesmanship. It will be years before the FTC formally rules on the NRF request, and even longer before any actual court battle is concluded. In the meantime, solution providers would do well to simply take note of the fact that no matter what they do in regard to PCI DSS, nobody is going to be entirely happy with the result.
Michael Vizard has been covering IT issues in the enterprise for more than 25 years as an editor and columnist for publications such as InfoWorld, eWEEK, Baseline, CRN, ComputerWorld and Digital Review.