Why Does PCI Compliance Matter For Your Agency?

When asked about data security standards and protecting your clients’ sensitive digital payment information, we proudly state we’re PCI Level 1 compliant. But what exactly does that mean, and why is it so important to you and your agency?

We put together a quick overview of the different PCI DSS levels and what they entail, how we assure Level 1 compliance, and why digital payments can actually be safer than paper checks.

What is PCI DSS?
The Payment Card Industry (PCI) Security Standards Council (an organization formed by the card brands) created the PCI Data Security Standard (DSS) to ensure that businesses follow best practices for protecting their customers’ payment card information.

Why is PCI Compliance Important?
The same technologies that make everyday business more efficient also make it easier for hackers to access sensitive information.

The Payment Card Industry Security Standards Council explains the seriousness this way: “The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants (that’s you) or financial institutions, their credit can be negatively affected — there is enormous personal fallout. Affected merchants and financial institutions lose credibility (and in turn, business).”

We’ve all heard the horrifying stories of major data breaches affecting millions of consumers. Credit bureau Equifax was hacked, potentially compromising 143 million US consumers. In retail giant Target’s breach, thieves hacked as many as 40 million customer credit card accounts, and up to 110 million sets of personal information such as email addresses and phone numbers were stolen.

But security breaches are not just for big-name retailers or credit bureaus. Theft of sensitive financial information can happen to any size or type of business.

And the risk goes beyond financial information such as credit/debit card number, expiration date and CVV (Card Verification Value) number.

PII and Your Agency
Personally identifiable information, or PII, is any data that could potentially be used to identify a particular person. Examples include a full name, Social Security number, driver’s license number, bank account number, passport number, and email address.

If a company suffers a data breach, a major concern is what customer PII might be exposed. PII can be sold on the dark web and used to commit identity theft, putting breach victims at risk.

Notice that bank account number is considered PII.

If you’re taking payments by check, the check itself is a potential source of identity theft. Unless you promptly lock up checks in a secure file cabinet or safe prior to deposit, it’s possible that “someone” could snap a picture and steal your client’s PII.

Not to mention, checks can get “lost” (i.e., stolen) in the mail.

Secure Your Clients’ Sensitive Information with Digital Payments
When you choose a digital payment processor like ePayPolicy, you don’t have to worry about locking up checks. When the payment system is used properly, the digital payment processor takes full responsibility for safeguarding the security of all credit/debit card payments on behalf of clients. We’re constantly testing our platform to make sure it’s hack-proof.

We Are Level 1 Compliant
For the purposes of the PCI DSS, ePayPolicy is a Level 1 service provider. A service provider is a business entity that isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business — in our case, we are a service provider for independent insurance agents, brokers/MGAs and premium finance agencies.

There are two levels of service provider. Level 1 means we process more than 300,000 credit card transactions per year. Level 2 refers to service providers that process fewer than 300,000 transactions.

PCI requires us to validate our PCI DSS compliance through:

– Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
– Quarterly network scan by an Approved Scanning Vendor (ASV)
– Penetration Test
– Internal Scan
– Attestation of Compliance (AOC) Form

As a compliance-verified Level 1 service provider, ePayPolicy assumes all liability for cardholder security and PCI DSS compliance for every single transaction we process when our payment system is used properly.

We certify Level 1 compliance on our end — so you can concentrate on what you do best — delighting your customers and running your business.

If you’re still curious, you can educate yourself about all things PCI DSS compliance here: https://www.pcisecuritystandards.org

Bottom Line
When it comes to your customers’ data security, be sure to ask your payment processor what its PCI DSS compliance level is.

 

About Author

Seth Nagle

Seth Nagle is the Director of Marketing at ePayPolicy and has built his career around product marketing, UX design, and thought leadership content.