Are Paper Checks Putting Your Insureds and Agency At Risk?

Why do people buy insurance? For protection. It’s ironic, then, that paying for insurance could leave them—as well as your agency—exposed. (Spoiler alert: it doesn’t have to.)

We’re referring to the security risks of paper checks. The insured writes a premium check and drops it in the mail. If everything goes right, the check takes a few days to reach your agency. If it doesn’t, the check could end up… who knows where. Once inside the agency, the check has more opportunities to get stuck in a file folder, buried under a pile of mail, or accidentally picked up off someone’s desk. It may turn up weeks or even months later. At that point, the check may no longer be cashable. In fact, you could get charged a “deposit item returned” fee from the bank.

Risks to the Insured
The main problem is not the amount of the check; it’s the information on the check. All someone needs to raid your client’s bank account is the routing and account number. Often enough, they don’t even need the name to write an electronic check from the account. But checks also contain other personally identifying information (PII) that thieves steal to wreak havoc with someone’s finances and credit. 

Name and address, both printed on a check, are PII. Some people have even been known to include their driver’s license number or Social Security number on their checks (although that’s highly unlikely for a business account). All of this PII is an open invitation for bad actors. Any enterprising imposter can simply copy the information off your client’s check, and they’re off and running. 

Risks to the Agency and the Insured
The insured is putting their PII, along with a large amount of money, at risk when they write you a check. Every pair of hands that touches the check could fraudulently cash it and/or steal the insured’s identity. This might not be likely to happen within your agency; we know you manage a top-notch, respectable workforce. But the risk that anyone (e.g., technicians, sales reps or other visitors) could take a paper check is there.

As the payee, you assume some risk for that payment as well. If something happens to the check along the way, the insured could hold your agency responsible. It costs them money to put a stop payment on the check, and if you do find the check and deposit it at the wrong time for the client, it can bounce. Nobody wants those extra bank fees.

The Better, Safer Payment Option
Of course we’re not going to leave you without a solution to these security risks! You can eliminate them by accepting digital payments with ePayPolicy. On top of being faster, simpler and more convenient for the client, digital payments are far more secure than checks.

ePayPolicy is also PCI compliant. That means we take full responsibility for the data security of your insureds’ digital payments. We don’t store payment information unless they ask to set up an account. Even then, it’s all encrypted. We never see it, and cyber thieves never could.

Here’s a link, in case you missed our blog on the importance of PCI compliance for your agency.

In Summary
Whereas checks are inherently risky, we make digital payments safe. The ePayPolicy platform is hack-proof, and we’re constantly testing it to ensure the highest level of security. If you’re ready to provide the safest payment option to your insureds, sign up or schedule a demo here.

Why Does PCI Compliance Matter For Your Agency?


When asked about data security standards and protecting your clients’ sensitive digital payment information, we proudly state we’re PCI Level 1 compliant. But what exactly does that mean, and why is it so important to you and your agency?

We put together a quick overview of the different PCI DSS levels and what they entail, how we assure Level 1 compliance, and why digital payments can actually be safer than paper checks.

What is PCI DSS?
The Payment Card Industry (PCI) Security Standards Council (an organization formed by the card brands) created the PCI Data Security Standard (DSS) to ensure that businesses follow best practices for protecting their customers’ payment card information.

Why is PCI Compliance Important?
The same technologies that make everyday business more efficient also make it easier for hackers to access sensitive information.

The Payment Card Industry Security Standards Council explains the seriousness this way: “The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants (that’s you) or financial institutions, their credit can be negatively affected — there is enormous personal fallout. Affected merchants and financial institutions lose credibility (and in turn, business).”

We’ve all heard the horrifying stories of major data breaches affecting millions of consumers. Credit bureau Equifax was hacked, potentially compromising 143 million US consumers. In retail giant Target’s breach, thieves hacked as many as 40 million customer credit card accounts, and up to 110 million sets of personal information such as email addresses and phone numbers were stolen.

But security breaches are not just for big name retailers or credit bureaus. Theft of sensitive financial information can happen to any size or type of business.

And the risk goes beyond financial information such as credit/debit card number, expiration date and CVV (Card Verification Value) number.

PII and Your Agency
Personally identifiable information, or PII, is any data that could potentially be used to identify a particular person. Examples include a full name, Social Security number, driver’s license number, bank account number, passport number, and email address.

If a company suffers a data breach, a major concern is what customer PII might be exposed. PII can be sold on the dark web and used to commit identity theft, putting breach victims at risk.
Notice that a bank account number is considered PII.

If you’re taking payments by check, the check itself is a potential source of identity theft. Unless you promptly lock up checks in a secure file cabinet or safe prior to deposit, it’s possible that “someone” could snap a picture and steal your client’s PII.

Not to mention, checks can get “lost” (i.e., stolen) in the mail.

Secure Your Clients’ Sensitive Information with Digital Payments
When you choose a digital payment processor like ePayPolicy, you don’t have to worry about locking up checks. When the payment system is used properly, the digital payment processor takes full responsibility for safeguarding the security of all credit/debit card payments on behalf of clients. We’re constantly testing our platform to make sure it’s hack-proof.

We Are Level 1 Compliant
For the purposes of the PCI DSS, ePayPolicy is a Level 1 service provider. A service provider is a business entity that isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business — in our case, we are a service provider for independent insurance agents, brokers/MGAs and premium finance agencies.

There are two levels of service provider. Level 1 means we process more than 300,000 credit card transactions per year. Level 2 refers to service providers that process fewer than 300,000 transactions.

PCI requires us to validate our PCI DSS compliance through:
– Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
– Quarterly network scan by an Approved Scanning Vendor (ASV)
– Penetration Test
– Internal Scan
– Attestation of Compliance (AOC) Form

As a compliance-verified Level 1 service provider, ePayPolicy assumes all liability for cardholder security and PCI DSS compliance for every single transaction we process when our payment system is used properly.

We certify Level 1 compliance on our end — so you can concentrate on what you do best — delighting your customers and running your business.

If you’re still curious, you can educate yourself about all things PCI DSS compliance here: https://www.pcisecuritystandards.org

Bottom Line
When it comes to your customers’ data security, be sure to ask what PCI DSS compliance level your payment processor is.