Whose Responsibility Should it be to Protect Sensitive Payment Card Data?

The payment card ecosystem is very complex, involving multiple interconnected service providers, and it has been built up over the last several decades. When it was originally put together, protection of card data wasn’t the primary concern, since payment cards could only be used in face-to-face / ATM transactions and the risks were manageable with the original technologies and processes (mainly relying on visual signature checking and cardholder PIN verification). If card data was stolen, it could ultimately only be used for producing counterfeit cards. That is how the EMV standard came about, with its primary goal being efficient protection against card cloning and counterfeiting. Unfortunately, the EMV standard did nothing (although it could have) to protect sensitive card data from POS and downstream merchant systems during payment transactions. As far as card data protection was concerned, EMV simply preserved the legacy inherited from magnetic stripe cards. The same can be said for modern digital wallets, like MasterPass and Visa Checkout: they could, but still do not, protect card data from e-commerce merchants’ servers.

To patch the existing gaps in protecting card data, which flows completely unprotected from physical payment cards and digital wallets to merchants’ systems, merchants and payment service providers are forced to comply with a complex set of PCI DSS requirements. To achieve the initial certification and to maintain the required level of PCI DSS compliance (i.e. to pass the ongoing annual audits), merchants rely on expensive PCI DSS auditors, internal consultants or dedicated internal teams. These PCI compliance requirements visibly increase the overall cost of payment card acceptance for merchants.

Despite the enforcement of PCI DSS compliance, sophisticated fraudsters still keep finding successful ways to hack into merchant POS terminals, online and downstream systems and steal card data. Even the systems of prominent payment processors aren’t fully immune to data breaches. When those breaches happen, they result in millions of stolen card data records. The associated costs can be devastating; they include, but are not limited to, the cost of reissuing compromised cards, retail brand damage, civil class-action lawsuits, etc. As per a recent Zurich Insurance report, a breach costs retailers on average approximately 168 US$ per breached consumer account.

In most of these cases it is the merchants who get all the blame and pay the ultimate price. Many argue that it is indeed the merchant’s ultimate responsibility to protect sensitive card data and that the added costs associated with card data protection should simply be viewed as the merchant’s cost of doing business. The current payments industry participants seem to favor this view.

However, there is an opposing view and argument: merchants are really there just to sell goods and/or services to their consumers, as efficiently as possible, with minimum friction and minimal cost per transaction, without being burdened with the costs of data protection and security. Merchants could (and probably should) be relieved of primary responsibility for securing card data, which in the end they do not really own. Because ownership of the sensitive card data really lies with card issuers and/or payment networks, it is the payment networks and/or card issuers who should ensure its full protection.

In fact, one could further argue that payment networks already have all the necessary technology components and tools in place to adequately and completely protect sensitive card data end-to-end, with very minimal impact on merchants, processors and card issuers. End-to-end card data protection should apply between:

  1. All types of consumer payment devices: physical EMV cards, mobile wallets (like Apple Pay, Android Pay, Samsung Pay or HCE equivalents) and digital wallets (MasterPass, Visa Checkout, etc.) on one end, and
  2. Payment network systems on the other end,

by using tokenization, end-to-end format-preserving encryption, or a combination of similar techniques.

Payment networks, in ultimately providing end-to-end card data protection, should preserve the ability of merchant systems to detect repeat usage of the same underlying payment credentials, and enable them to continue to handle returns, refunds and loyalty in much the same way as they do today, with very minimal changes, if any.
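The following is an added illustration of the model described above, not code from any payment network or from the original post. It sketches a hypothetical network-side token vault that issues format-preserving tokens (same length, digits only, Luhn-valid, last four digits kept) and a merchant system that stores only those tokens. The same PAN presented to the same merchant always maps to the same token, so repeat usage, refunds and loyalty keep working, while the real PAN never reaches the merchant. The HMAC-based digit derivation is an assumption standing in for a real format-preserving encryption mode; the key, merchant identifiers and the test PAN are constructed for the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check, as many POS and e-commerce systems run on a PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class NetworkTokenVault:
    """Hypothetical vault held by the payment network (constructed for this example).

    Only this side ever sees a real PAN. Tokens keep the PAN's length, are
    digits only, pass Luhn and keep the last four digits, so existing merchant
    input validation, receipts and loyalty lookups continue to work.
    """

    def __init__(self, key: bytes):
        self._key = key            # network-side secret, never shared with merchants
        self._token_to_pan = {}    # token -> PAN: the sensitive mapping
        self._pan_to_token = {}    # (merchant_id, PAN) -> token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        lookup = (merchant_id, pan)
        if lookup in self._pan_to_token:          # repeat usage: same token
            return self._pan_to_token[lookup]
        token = self._derive_token(pan, merchant_id)
        self._token_to_pan[token] = pan
        self._pan_to_token[lookup] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the network calls this, e.g. to route a refund to the issuer."""
        return self._token_to_pan[token]

    def _derive_token(self, pan: str, merchant_id: str) -> str:
        last4 = pan[-4:]
        middle_len = len(pan) - 4
        counter = 0
        while True:
            # Keyed, per-merchant derivation (assumed stand-in for a real FPE
            # mode): deterministic for one merchant, unlinkable across merchants.
            msg = f"{merchant_id}|{pan}|{counter}".encode()
            mac = hmac.new(self._key, msg, hashlib.sha256).digest()
            digits = str(int.from_bytes(mac, "big"))
            middle = list(digits[:middle_len].zfill(middle_len))
            # Adjust one derived digit so the whole token passes Luhn.
            for d in "0123456789":
                middle[-1] = d
                candidate = "".join(middle) + last4
                if luhn_valid(candidate):
                    break
            if candidate != pan and candidate not in self._token_to_pan:
                return candidate
            counter += 1   # collision with an existing token: re-derive


class MerchantSystem:
    """Merchant-side records hold tokens only; a PAN never reaches this class."""

    def __init__(self):
        self._orders = {}  # order_id -> {"token": ..., "amount": ...}

    def record_sale(self, order_id: str, token: str, amount_cents: int) -> None:
        self._orders[order_id] = {"token": token, "amount": amount_cents}

    def is_returning_credential(self, token: str) -> bool:
        return any(o["token"] == token for o in self._orders.values())

    def refund(self, order_id: str, amount_cents: int) -> dict:
        """Refunds are keyed on the stored token; the network resolves the PAN."""
        order = self._orders[order_id]
        if amount_cents > order["amount"]:
            raise ValueError("refund exceeds original sale")
        return {"token": order["token"], "amount": amount_cents}

    def stores_any_pan(self, pans) -> bool:
        return any(o["token"] in pans for o in self._orders.values())


def demo() -> dict:
    vault = NetworkTokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"  # constructed test PAN, not a real account
    shop = MerchantSystem()
    first = vault.tokenize(pan, "merchant-A")
    shop.record_sale("order-1", first, 2500)
    second = vault.tokenize(pan, "merchant-A")      # same card, later visit
    refund = shop.refund("order-1", 1000)
    return {
        "token": first,
        "repeat_detected": second == first and shop.is_returning_credential(second),
        "refund_pan_at_network": vault.detokenize(refund["token"]),
        "merchant_holds_pan": shop.stores_any_pan({pan}),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a breach of `MerchantSystem` yields tokens that are useless outside this merchant's relationship with the network, while the merchant keeps exactly the operations the text lists: recognising a returning credential, refunding against a stored order, and tying loyalty to a stable identifier.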

Eliminating merchants as the weakest link, with comprehensive, payment-network-provided end-to-end card data protection solutions across all payment channels, would raise the payment ecosystem’s security and improve the efficiency of the whole transaction processing from the merchant’s perspective. It could potentially significantly reduce the current financial burdens associated with merchants’ PCI DSS compliance and, as a result, save merchants significant costs per transaction. That should further enable and motivate merchants to fully embrace rapid rollout of EMV, tokenization and mobile payments, because they would see real value in doing so.