Who’s responsible for what? Data flow dynamic of payment card security

by Sarah Harvey / April 28th, 2015


Last month, the Electronic Transactions Association (ETA), a global association representing those in the payments space, announced a partnership with the PCI Security Standards Council (PCI SSC). This partnership brought the two together at TRANSACT 15, ETA’s annual conference, to present the industry with the most recent PCI DSS updates and to focus the payments community on data breach prevention and payments security.

This kind of collaboration is critical: security and compliance are only achieved when the parties involved combine forces. If you follow recent news headlines about the many breaches occurring at major merchants across the globe, it’s a fair assessment that we, as a whole, are failing miserably when it comes to security and compliance. The reason is simple – we are not taking responsibility for our part in PCI compliance.

The newest version of the PCI Data Security Standard (version 3.0) became fully effective on January 1, 2015. One of the major changes in the updated version is the clarification that payment card security is now a shared responsibility. An important thing to remember about PCI security is that the scope of the data flow is central to the audit. Merchants have been absolving themselves of any responsibility by making broad claims that, because they use a solution that claims to be PCI compliant, they are “okay”. Meanwhile, the processors say it is the merchant’s responsibility to make sure they have policies that properly govern their employees and that the solution is being used properly. As you can see, responsibility has been vague, and it’s apparent that we can no longer operate that way if we want to protect payment card information.

The card information flow begins with the consumer. The information is then passed along to the merchant, then to the payment processor, and finally on to the acquiring bank. Each of these parties has responsibilities along the way, and ensuring PCI compliance has to be a cooperative effort by all parties involved.

As clarified in January, your contractual obligations with third parties, payment processors, and vendors must now be very specific about which requirements each party is responsible for. Broad statements are no longer acceptable in your PCI audit. The recent breaches call for a higher level of security, and to accomplish this we must all work together, sharing the responsibility and understanding the importance of applying security and compliance in every aspect of the business.

Are you doing your due diligence to ensure your part of PCI security? Contact us today to set up a free consultation or to talk more about your PCI security obligations.