The Value of PCI DSS to the Insurance Industry

In today's customer-centric world, being able to shop and pay bills digitally, like purchasing insurance policies and making insurance payments, is an incredible convenience and luxury.

But alongside the benefits of the technology age are nefarious actors looking to exploit online activity by way of cyber-attacks, data breaches and identity theft. For these reasons, it's never been more important for online systems, and particularly portals involved in payment transactions, to be well-protected.

For the protection of consumers, in 2006, the five major payment card providers (Visa, Mastercard, American Express, JCB International and Discover) came together to create the Payment Card Industry Data Security Standard (PCI DSS).

What does PCI DSS mean?

PCI DSS is an information security standard for organizations that handle branded credit cards. It sets out twelve requirements covering the security measures that every vendor must implement when processing payments.

These requirements address everything from how vendors construct their networks to how they store sensitive cardholder data. The standard was a monumental step forward towards insulating cardholders from credit card fraud and making sure businesses took data security seriously. Once the insurance industry saw the opportunity to better serve customers with online credit card payments, building their payment platforms to be PCI DSS compliant was the next logical step.

How does PCI DSS benefit an insurance company, agency, and policyholders?

Let us count the ways!

Reduces the Risk of a Data Breach

One of the most obvious benefits of implementing the security controls found in the PCI DSS is exactly what they were intended for: reducing the risk of a data breach. By requiring merchants, such as insurance companies, to take measures such as using firewalls and encryption in the payment services they offer, and by prohibiting the storage of cardholder information, the standard not only makes the organization harder for hackers to break into but also reduces the amount of sensitive data they could steal.

With cyber threats coming from every direction nowadays, it's hard to argue with this benefit.

Helps to Avoid Fines

While the card brands can impose fines on the acquiring banks of merchants who fail to achieve PCI DSS compliance, they are not the only ones who can impose hefty penalties. Depending on where a data breach occurs and who it affects, governments can impose fines as well. For example, HIPAA violations due to a data breach result in fines calculated based on the number of exposed records. Each record can draw a fine ranging from $50 to $50,000. Fines are capped at $1.5 million per year, but insurance companies may receive the maximum penalty for multiple years. This is a significant amount to have to pay and could put a smaller company out of business. Following the requirements of the PCI DSS serves as a good baseline to prevent a high-profile data breach from occurring in the first place.

Protects Customers

Data privacy concerns among consumers have never been higher, and for good reason. Just about everyone has been affected by a data breach at some point now, with nearly half of all Americans having their records exposed during the Equifax data breach alone. Protecting your customers' data is not only the right thing to do, it's a sound business decision as well. When customers feel their data is safe with you, they'll reward you with their loyalty and can even serve as some of your best advocates by referring their friends and family.

Improves Brand Reputation

With technology breaking down traditional barriers to entry and continually leveling the playing field among competitors, one of the strongest assets that any organization can rely on today is its brand. Avoiding a data breach is paramount to maintaining brand reputation and ensuring that your customers continue to trust you. An investment in security is an investment in your brand. As the number of data breaches among large companies climbs higher, consumers will vote with their wallets and do business with the brands that they trust the most.

Imparts a Mindset of Security

For organizations that are just beginning to address security, the PCI DSS provides an excellent place to start. The twelve requirements serve as a robust and comprehensive framework within which to examine existing security procedures. Moreover, the self-assessment exercises that each merchant must complete are a fantastic way to reflect on how improvements can be made. For larger organizations that fall into merchant level 1, the Annual Report on Compliance (AOC) that a Qualified Security Assessor (QSA) must complete acts as an important third-party check on security controls and can also reveal any vulnerabilities that internal teams may overlook.

Serves as Globally Accepted Standard

A small and often overlooked benefit is that the PCI DSS is one of the only truly globally accepted security frameworks. Although not officially mandated by any governmental bodies, because the big five card brands operate around the world, organizations operating internationally do not have to worry about different security standards for card processing per country. This can alleviate at least one headache, as legislation varies widely around the world. For example, even within the United States itself, all 50 states have their own unique versions of data breach notification laws.

Provides a Starting Point for Other Regulations

Governments around the world are waking up to the large-scale security threats facing companies and individuals and have begun enacting legislation to address them. The main tenets of the PCI DSS, namely requiring organizations to take measures to limit the amount of sensitive information stored, provide a great starting place for complying with other regulations. The EU GDPR requires that companies store only the data that is necessary, and only for as long as it is needed, a principle that will probably continue to be a common thread in legislation introduced in other regions as well.

Peace of Mind

Finally, knowing that your company has taken the proper security measures and achieved PCI DSS compliance can go a long way in helping you gain some peace of mind.

In today's world, where massive data breaches occur on what seems like a daily basis, no company or individual is safe. With the loss of customers' data goes the decades-earned trust of those same customers as well. Even though many merchants tend to think of compliance with these twelve requirements as burdensome and expensive, they can bring about a number of benefits, from increased security to a stronger brand reputation. You can rest assured that companies like Input 1 and other insurance payment platforms have jumped on the PCI DSS train and are continually looking to improve their security infrastructure to protect the confidential information of our customers.