The National Retail Federation asked the Federal Trade Commission to investigate an organization founded by credit card companies to set data security standards, saying the group’s practices raise antitrust concerns.
The Payment Card Industry Security Standards Council “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” NRF General Counsel Mallory Duncan wrote to the FTC on May 23.
The PCI council was formed in 2006 by Visa (V), MasterCard (MA), American Express (AXP), Discover (DFS), and JCB International.
Get Data Sheet, Fortune’s technology newsletter.
NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council.
The PCI council’s Data Security Standards are forced upon businesses that cannot refuse to accept credit and debit cards and the council acts as “as an anticompetitive barrier to innovation” as they exhausts funds and other resources retailers have available for data security, the letter said.
The PCI council said it strongly disagreed with the “unfounded assertions” in the NRF letter. “PCI SSC has an ongoing and productive dialog with the FTC and looks forward to discussing the NRF’s letter with them,” the council said.
The Federal Trade Commission said in March it has issued orders to nine companies, including cyber-security firm Mandiant and auditing firm PricewaterhouseCoopers, requiring them to provide information on how they conduct assessments of companies to measure their compliance with the PCI council’s Data Security Standards.
The FTC was not immediately available for comment.
