Brumby, the merchant responsibility lies with use (transmission and storage) of the data once it reaches him. If an online purchase is made, the merchant is expected to have the following:
1. SSL for secure information on the website;
2. an e-commerce solution that encrypts sensitive data (such as credit card information) between the site of purchase and the gateway site. For instance, let's say the merchant opts for Payflow as the gateway. Between the merchant's website (secure https address) and the gateway, there must be encrypted transmission of the data. Any shopping cart or e-commerce solution worth its salt will have this enabled;
3. If the merchant manually processes card information that is entered online, it is incumbent on him to ensure the card information is protected at all times. For instance, the page on which the card information is requested must be encrypted (https address). Furthermore, the merchant's responsibility includes not storing the c/c information once the payment is processed UNLESS EXPLICITLY REQUESTED TO BY THE CARDHOLDER. (Repeat customers who trust the seller may do this.) In all other cases, the card information must be securely removed. In any instance, the CCV must not be stored - not under any circumstances at all.
And if accepting c/c payment by other means...
4. If the merchant accepts phone orders, the card payment can be done immediately or later - but again, it's incumbent on him to protect the data. If he writes down the card information on a scrap of paper and the scrap of paper is thrown out and then later retrieved by a rummaging thief, the merchant is at fault. Thus the merchant must exercise all due care with the information.
5. If the merchant accepts orders sent by mail, with the cardholder having written down the card information, the merchant is responsible for the security of the information once he receives it. Again, he must destroy it securely once the transaction is complete.
6. The merchant can ask for credit card details by fax.
7. Under no circumstances should the merchant ask for or encourage transmission of credit card details by email. Email is NOT secure.
I hope that helps!
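The rules in the post above (https-only card entry, no email intake, no card data kept after processing unless the cardholder asked, never the CVV) written out as checks a merchant's order system could run. This is an added example, not code from the post; the order field names and sample orders are constructed.

```python
"""Card-data handling rules from the post, encoded as intake and retention checks.
Added example; the record layout (order_id, channel, page_url, pan, expiry, cvv) is assumed."""

CARD_FIELDS = {"pan", "expiry", "cvv"}
ALLOWED_CHANNELS = {"web", "phone", "mail", "fax"}   # email is never an acceptable channel

# Constructed sample orders, as a checkout form or phone clerk might record them.
SAMPLE_ORDERS = [
    {"order_id": "A1", "channel": "web", "page_url": "https://shop.example/pay",
     "pan": "4111111111111111", "expiry": "12/29", "cvv": "123", "amount": "49.95"},
    {"order_id": "A2", "channel": "web", "page_url": "http://shop.example/pay",
     "pan": "4111111111111111", "expiry": "12/29", "cvv": "456", "amount": "10.00"},
    {"order_id": "A3", "channel": "email", "page_url": None,
     "pan": "4111111111111111", "expiry": "12/29", "cvv": "789", "amount": "5.00"},
]

def intake_allowed(order: dict) -> bool:
    """Card details may arrive via the https site, phone, mail or fax.
    Email is refused, and a web order is refused unless the entry page was https."""
    channel = order["channel"].lower()
    if channel not in ALLOWED_CHANNELS:
        return False
    if channel == "web":
        return (order.get("page_url") or "").lower().startswith("https://")
    return True

def retain_after_processing(order: dict, cardholder_requested_storage: bool) -> dict:
    """After the payment is processed, strip card data unless the cardholder explicitly
    asked for it to be kept; the CVV is dropped regardless of that request."""
    kept = {k: v for k, v in order.items() if k not in CARD_FIELDS}
    if cardholder_requested_storage:
        kept["pan"], kept["expiry"] = order["pan"], order["expiry"]
    return kept

def retention_violations(stored: list, opted_in: set) -> list:
    """Audit stored records: flag any CVV, and any PAN kept without the cardholder's request."""
    findings = []
    for rec in stored:
        if "cvv" in rec:
            findings.append((rec["order_id"], "cvv stored"))
        if "pan" in rec and rec["order_id"] not in opted_in:
            findings.append((rec["order_id"], "pan stored without request"))
    return findings
```

Running `retention_violations` over the order store on a schedule turns the "destroy it securely once the transaction is complete" rule into something that can be verified rather than assumed.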