Back in September 2008 I put myself on PCI SSC's dung list, as well as on a separate entry in Bob Russo's personal ignore list, with my post "PCI SSC Show Their True Colors -- Regulate for Profit". Recently I found an interesting post on Magtek's website: Fraud Mythology in the Payment World. It details a speech by Magtek CEO Mimi Hart in which she rips into PCI, calling it "one of the more dangerous 'false gods' in payments." Now I finally have company on the dung lists! I have one small criticism of her speech, though: every false GOD is dangerous, so "dangerous" in that sentence is redundant. ;-)
In the speech, Mimi Hart states that "PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority". That got me thinking: is PCI even legal? Antitrust laws prevent the card brands from getting together in a room to set rates or make common rules for members, merchants, and customers. But before I go further, let me give a brief history lesson...
In the early days, prior to cardholder data security (pre-9/11/2001), the card brands, for the most part, relied on trust that cardholder data was being securely stored and properly used by merchants and applications. Sure, there was fine print in merchant agreements and various unpublished rules stating that merchants must do this or don't do that, but for the most part, there was no mechanism to enforce these hidden rules and fine print. After 9/11, the government decided payments needed better security and told the card brands to get it under control or they would step in.
Each of the card brands rapidly scrambled to create their own set of security mandates for merchants and vendors to follow. Visa had CISP, MasterCard had SDP, American Express had DSOP, Discover had DISC, and JCB had "security standards" (hmm, very creative!). While there were many common and compatible requirements, there were many that were unique to each, and worse, there were a few mandates that contradicted or deviated from mandates of other brands. In all this turmoil, PCI SSC was formed to unite all the security mandates and create one ring to control them all.
Ok, back to my question -- Is PCI legal?
Per the PCI SSC website: "The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs." Then a little further down on the same page, "All five payment brands share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization."
I'm not a lawyer but to me this seems to imply that while PCI SSC is a separate organization, it is controlled by a round table of the five card brands. And because this is a "for profit" organization, this seems to have antitrust implications that may threaten PCI SSC's legal legitimacy.
PCI SSC was created as a way for the card brands to conspire to create a common set of security mandates without breaking antitrust laws. The problem is, PCI SSC is set up as a "for profit" limited liability company controlled by the card brands. If it had been set up as a non-profit organization (as I assumed it was because of the .org domain name - silly me, another future rant) and a true standards committee like ANSI or ISO, I feel there would not be an issue. But as a "for profit" organization under the direct control of the card brands, there seems to be an issue here.
My recommendation: restructure as a non-profit organization, make the books public, and become a real open standards board, eliminating the antitrust concerns.
If any antitrust attorney happens to read this, I would love to get your take on this question. Until next time...
P.S. For another take on the same speech, see the post in StorefrontBacktalk: Federal Reserve Listens to Security Vendor CEO Rip into PCI
P.P.S. Mimi, welcome to the list!