NRF Says Overturning Dodd-Frank Would Reinstitute Price Fixing by Card Companies

June 7, 2016 WASHINGTON – The National Retail Federation today released the following statement after Rep. Jeb Hensarling, chairman of the House Financial Services Committee, announced plans to repeal swipe-fee reform and the Dodd-Frank Wall Street Reform Act.

“Today Jeb Hensarling announced that he wants to repeal an important competitive change in Dodd-Frank reform and return to the bad old days when card companies and banks freely picked the public’s pocket,” NRF Senior Vice President and General Counsel Mallory Duncan said.

 

“Protecting bank profit margins at the expense of competition is not sound public policy and it will harm merchants and consumers. The financial services industry attempted to get Congress to reject transparency and competition in 2010 and again in 2011. Both efforts failed. On behalf of retailers and their customers, NRF will fight for free and open markets.”

Swipe fees on debit and credit cards are many retailers’ second-largest operating cost, behind labor. These fees threaten small retailers with failure and keep merchants from hiring and expanding, slowing the entire economy. Exorbitant swipe fees also mean consumers pay higher prices. American merchants and consumers still pay the highest swipe fees in the world on debit and credit cards, according to the Federal Reserve Bank of Kansas City.

Under the Dodd-Frank Consumer Protection and Wall Street Reform Act of 2010, the Federal Reserve was required to adopt regulations that would result in debit swipe fees that were “reasonable and proportional” to the actual cost of processing a transaction. Federal Reserve staff calculated the average cost at 4 cents per transaction and proposed a cap no higher than 12 cents. Nonetheless, after heavy lobbying from banks the Federal Reserve Board of Governors eventually settled on 21 cents plus 0.05 percent of the transaction for fraud recovery and allowed another 1 cent for fraud prevention in most cases. The cap, which applies only to financial institutions with $10 billion or more in assets, took effect in 2011 and totals about 24 cents on a typical debit card transaction.

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation. nrf.com

###

Retailers Ask FTC to Investigate Credit Card Industry’s PCI Security Group for Antitrust Concerns

WASHINGTON – The National Retail Federation today announced that it has asked the Federal Trade Commission to conduct an investigation into an organization founded by the credit card industry that sets data security standards, saying the group’s controversial practices raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.

The Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”

NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

The PCI council was formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB. It imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.

In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

The council’s practices “raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology,” the paper said.

Among other concerns, PCI requirements act “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security, the paper said.

NRF asked that the FTC investigate the council’s practices in general and particularly their impact on competition. The FTC should also reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute, NRF said.

Visa clarifies credit card truncation operating regulations

National Retail Federation and Visa promote card account elimination to advance data security

San Francisco, July 14, 2010

Visa Inc. (NYSE: V) launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems. Understanding the significant commitment by merchants to secure the payment system and to protect sensitive cardholder information from criminals, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.

“Visa’s priority is protecting cardholders and the integrity of the electronic payments system,” said Eduardo Perez, Head of Global Payment System Security, Visa Inc. “By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs.”

Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF’s comments indicated marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors. To clarify, Visa operating regulations stipulate the following:

  • Issuers must accept a disguised or suppressed card number on transaction receipts for dispute resolution.
  • Merchants may keep truncated or disguised card numbers and reduce the amount of potential vulnerable data stored in their systems.

National Retail Federation senior vice president and chief information officer David Hogan welcomes Visa’s effort. “We have long advocated that retailers should not be required to store their customers’ full card numbers and instead rely on an alternative identification number to reference a transaction,” he said. “NRF has been pleased to take a leadership role working with Visa in this effort to assist retailers in our mutual goal of securing customers’ information while potentially reducing the scope of the PCI Data Security Standard. Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information. This clarification from Visa is a promising step in that direction,” said Hogan.

“Making data less vulnerable to card thieves by eliminating it wherever possible has been a major focus by Visa for several years now,” Perez said. “Visa is committed to helping develop workable solutions that reduce the burden on merchants who must secure their payment systems from criminal threats. Working with the National Retail Federation has helped us identify an issue and address it effectively.”

Card Number Truncation Best Practices

Additionally, Visa has developed global best practices for acquirers and merchants who choose not to store full card numbers to truncate, disguise or mask card information in cardholder and merchant receipts, reducing the amount of sensitive information in storage. The following are best practices for card number truncation:

  • On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number (####-####-####-1234) and suppress the full expiration date (currently required in the U.S.).
  • On the merchant copy of the receipt, merchants should disguise or suppress the card number so that a maximum of the first six and last four digits are displayed (1234-56##-####-1234), and should suppress the full expiration date.
  • Acquirers should support merchants who choose not to store full card numbers by providing transaction data storage. Merchants may then retain only disguised or suppressed card numbers on the merchant copy of the receipts.
  • Acquirers should evolve their systems to provide merchants with substitute transaction identifiers or tokens, in place of using full card numbers.
  • Acquirers should disguise or suppress card numbers in any merchant communications, such as email, reports and statements. The Payment Card Industry Data Security Standard (PCI DSS) already requires that card numbers transmitted over public networks be rendered unreadable (e.g. by encryption, truncation or hashing).
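
The two receipt formats above, together with a check for full card numbers left behind in receipt text, as an added example (not code from Visa or NRF). The function names, the 13 to 19 digit length range and the sample receipt are assumptions made for illustration; the release itself speaks only of 16-digit numbers.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask(pan, keep_first, keep_last):
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:  # assumed range, see lead-in
        raise ValueError("not a plausible card number length")
    hidden = len(digits) - keep_first - keep_last
    masked = digits[:keep_first] + "#" * hidden + digits[-keep_last:]
    return "-".join(masked[i:i + 4] for i in range(0, len(masked), 4))

def mask_cardholder_copy(pan):
    """Cardholder receipt: last four digits only."""
    return _mask(pan, 0, 4)

def mask_merchant_copy(pan):
    """Merchant copy: at most the first six and last four digits."""
    return _mask(pan, 6, 4)

def find_unmasked_pans(text):
    """Return merchant-copy masks of any full card numbers found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(mask_merchant_copy(digits))  # never echo the full number
    return hits

# Constructed receipt; 4111 1111 1111 1111 is a widely used test number.
RECEIPT = ("STORE 0042  2010-07-14 12:01\n"
           "CARD 4111-1111-1111-1111 EXP 12/12\n"
           "AUTH 123456 TOTAL 23.10\n"
           "CARD ####-####-####-1111\n")

if __name__ == "__main__":
    print(find_unmasked_pans(RECEIPT))
```

The scanner reports each finding in masked form so that the audit output does not itself become a store of full card numbers.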

Visa will work with key stakeholders to consider incorporating the best practices formally into Visa Operating Regulations and is soliciting industry feedback until August 31, 2010. The best practices are available at www.visa.com/cisp.

Visa previously established efforts to ensure that merchants do not store prohibited data elements which are specifically targeted by criminals, including card security codes and PIN data. In particular, Visa has required the largest Visa-accepting merchants to confirm that they do not store such prohibited data and thus far 96 percent of Level 1 and 2 merchants globally have done so. In addition, Visa has promoted the use of secure payment applications to ensure small and medium sized merchants do not store prohibited data.

Full press release and contacts

http://corporate.visa.com/media-center/press-releases/press1033.jsp