Exploring the Global Payments Industry with the ArchiMate Language Part Two: The Payment Card Industry Data Security Standard
By Iver Band
EA Principals Senior Instructor and ArchiMate Expert
This installment uses the ArchiMate Language Motivation aspect, Strategy layer and Business layer to explore a standards body that is central to the integrity of the payment card industry (PCI), and the data security standard that it manages. If you’ve missed Part One, which explores key PCI roles and processes, read it here first.
All the information modeled here is from the website of the PCI Security Standards Council (PCI SSC). This article is based solely on the PCI Data Security Standard Version 4.0, the most recent version as of this writing.
The Mission and Strategy of the Standards Body
The first diagram depicts the mission and strategy of the PCI SSC. The diagram models the mission as an ArchiMate goal element from the Motivation aspect. The goal element is specialized with the stereotype <<Mission>>, which identifies it as an enduring and fundamental goal. A grouping of course of action elements from the Strategy layer depicts the Strategic Pillars that realize the mission. The Strategic Pillars are in turn realized by the PCI SSC, which the diagram represents as a business collaboration, i.e., a group of business actors that work together.
The Structure and Governance of the Standards Body
The second diagram adds detail to the PCI SSC business collaboration. It identifies the types of business actors (individuals and organizations) and component collaborations that compose PCI SSC. The diagram also assigns business functions (categories of behavior) to each of the component business actors and collaborations.
The third diagram models the PCI Data Security Standard (PCI DSS) with a single composite requirement element from the Motivation aspect. The composite requirement contains the twelve PCI DSS requirements.
The Assessment Process for PCI DSS Compliance
The fourth and final diagram in this installment describes the process by which Qualified Assessors work with organizations to assess their PCI DSS compliance. The diagram assigns a business collaboration consisting of the assessor and the Organization Undergoing Assessment to a composite business process. This composite process consists of six subprocesses connected with triggering (causal or temporal) relationships. An OR junction (hollow circle) offers an alternate execution path around the final subprocess if no remediation is necessary. An AND junction (filled circle) rejoins the alternate paths just after the final subprocess. A business event (rounded arrowhead) depicts the completion of the assessment process.
Until Next Time
Next time, we will explore physical and software payment devices such as terminals, payment cards, and e-wallets. We will lean heavily on the Application and Technology layers of the ArchiMate language, including the Physical elements of the Technology layer.
A note on the second diagram: the business actor element (stick figure icon) represents both individual and multiple actors at various levels of specificity, and two working groups within the PCI SSC business collaboration are themselves business collaborations. There are certainly other ways to model the PCI SSC; the ArchiMate standard, much like natural language, provides flexibility of expression. For example, the diagram could have represented the PCI SSC as a business actor, but it instead focuses on the organization as a collaboration of influential industry participants.