by David Mundhenk

The National Retail Federation is dead wrong about PCI

Jul 06, 2016

Why is the National Retail Federation (NRF) trying to lawyer-up on PCI?


Walk through a mega-mall and odds are a majority of the retailers are members of The National Retail Federation (NRF). The NRF is to retail what The American Medical Association (AMA) is to the medical establishment: big and powerful. As the world’s largest retail trade association, its members range from the largest department and specialty stores to independent retailers, chain restaurants and smaller grocery stores.

As far back as 2009, the NRF has been complaining about PCI. In June 2009, Bob Russo, then general manager of the PCI Security Standards Council (SSC), wrote a cogent and detailed response to the NRF.

Despite NRF assertions to the contrary, the payment card industry has asserted that its card security standards are voluntary. Merchants have a definite choice as to whether they want to accept credit and debit cards or not. It’s quite safe to say that if retail establishments couldn’t accept payment cards, most would see massive sales reductions, and a large number would simply go out of business.

Given the significance of payment cards, we would have expected the NRF to be at the forefront of PCI advocacy and compliance. Yet the reality is that they have an extremely disdainful view towards PCI.

The NRF is once again mounting a highly publicized disinformation campaign regarding the motives of the major credit card brands and their cardholder information protection plans, as well as the intent and effectiveness of the entire portfolio of PCI Data Security Standards (DSS). This latest salvo is similar to what they did in 2009 with their complaint letter and testimony before Congress. Their testimony and open letter were laden with disdain, innuendo and convoluted rationalizations.

The NRF started their PCI trash talk again a few weeks ago with a 21-page PCI complaint to the heads of the Federal Trade Commission.

The authors of this article have decades of combined PCI experience in addition to PCI QSA, PA-QSA and P2PE certifications, and will nonetheless be the first to tell you that the PCI DSS are far from perfect. Without them, however, retailers would have been ravaged by theft and fraud far more than they have been since the standards were conceived and adopted. Nonetheless, the complaints by the NRF are for the most part without foundation and based on histrionics and protectionism.

Writing a response to their 21-page complaint would be equally as long, but we’ll just cover some of the most egregious errors:

NRF states: PCI does not satisfy globally accepted principles for standards development and does not follow standard-setting principles recognized by the U.S. government.

Apparently the NRF is a bit confused by credit card industry terminology. PCI is the Payment Card Industry and refers to an industry, not a standards development organization. The PCI SSC is a standards body and is recognized as such by the five major card brands. The PCI DSS references, and heavily leverages, well-established, governmentally recognized standards bodies including NIST, ANSI, FIPS, ISO and others.

NRF states: PCI is not a qualified standards development organization or voluntary consensus standards body recognized by the US government. The NRF writes in their complaint that the definition of a standards body is “a domestic or international organization that plans, develops, establishes, or coordinates voluntary consensus standards using procedures that incorporate the attributes of openness, balance of interests, due process, an appeals process.”

The PCI SSC is precisely both a domestic and international organization that plans, develops, establishes, or coordinates voluntary consensus standards using procedures that incorporate the attributes of openness, balance of interests, due process, an appeals process. To that end, the PCI SSC routinely solicits constructive feedback on how to improve the standards by community review and publicly sponsored town hall sessions.

That’s not to say the NRF letter is without any merit. Like the AMA, the NRF works to promote professionalism and duty-of-care standards for its constituents. Its critique is accurate regarding the time and expense involved with the EMV rollout, and that throughout the rest of the world the networks have imposed a chip-and-PIN policy. For the US, however, the networks have adopted a watered-down chip-and-signature policy.

The complaint is signed by Mallory Duncan, NRF senior vice president and general counsel. As a graduate of Yale Law School, Duncan certainly knows how to compose a legal complaint, and the NRF letter is full of legalese. But what Duncan and the NRF don’t seem to grasp is that PCI DSS is not a law or regulation. It’s a set of contractual requirements between the card brands, acquirers, service providers and merchants. Their fear, though, is that somehow the FTC will accept PCI as a federal regulation and the ensuing PCI boogeymen will wreak havoc on all of the NRF members.

As information security professionals, we are all ears for any improvement to PCI DSS. But the nature of the NRF complaints, full of contempt and lacking any real critique, may simply fall upon ears deafened by their previous rants on this topic.

David Mundhenk, CISSP, PCIP, QSA (P2PE), PA-QSA (P2PE) is a Senior Consultant for the Application Validation team at Coalfire Labs.