Payment Card Security Data Flow


In March, the Electronic Transactions Association (ETA), a global association which represents those in the payments space, announced a partnership with the PCI Security Standards Council (PCI SCC).

The new partnership brought the two together at TRANSACT 15, ETA’s annual conference, to present the industry with the most recent PCI DSS updates as well as focus the payments community on data breach prevention and payments security.

This kind of collaboration is critical when it comes to combining forces in order to conquer security and compliance. If you follow recent news headlines of the many data breaches occurring at major merchants across the globe, it’s a fair assessment that we, as a whole, are failing miserably when it comes to security and compliance. The reason is simple – we’re not taking responsibility for our part in PCI compliance.

The newest version of the PCI Data Security Standard (version 3.0), became fully effective on January 1, 2015. One of the major changes in the updated version is the clarification that payment card security is now a shared responsibility.

An important thing to remember when it comes to PCI security is that the scope of the data flow is very important to the audit. Merchants have be absolving themselves of any responsibility by making broad claims that suggest that since they are using a solution that claims to be PCI compliant, they are “okay.” Meanwhile, the processors are saying it’s the merchant’s responsibility to make sure they have policies that properly govern their employees and are properly using the said solution. As you can see, responsibility has been vague, and it’s apparent that we can no longer operate that way in order to protect payment card information.

The card information flow begins with the consumer. Then the information is passed along to the merchant, then the payment processor, and finally on to the acquiring bank. Each of these parties has responsibilities along the way, and ensuring PCI compliance has to be a cooperative effort by all parties involved.

As clarified in January, your contractual obligations with third parties, payment processors, and vendors must now be very specific about which requirements each party is responsible for. Broad statements are no longer acceptable in your PCI audit. The recent breaches are calling for a higher level of security, and in order to accomplish this task, we must all work together sharing the responsibility and understanding the importance of applying security and compliance in every business aspect.

Are you doing your due diligence to ensure your part in PCI security? Contact me at to talk more about your PCI security obligations.



Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.