The insurance industry faces tremendous challenges when it comes to protecting customer data. Due to the nature of the business, a vast amount of sensitive information is collected about each customer. New stringent regulations demand that the data is kept secure, with steep penalties for non-compliance. Meanwhile, large databases of sensitive data are enticing targets for increasingly savvy hackers who can use that information for identity theft, fraudulent payments, and more. The consequences of a security breach are numerous and often devastating: lost customers, damaged brand and reputation, government fines, the cost of revising the information technology infrastructure, and a public relations crisis. How do you run a successful, PCI compliant insurance company without becoming a data security expert as well?
What Is PCI?
Payment Card Industry Data Security Standard (PCI DSS) compliance is mandatory for every business that accepts credit cards. According to the PCI Security Standards Council, “The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.” PCI DSS audits examine every part of the company that interacts with sensitive data, to ensure compliance. To successfully complete a PCI DSS audit, it is in the company’s best interest to limit access to that sensitive data, thus reducing the scope of the audit. Insurance companies must examine the flow of this data throughout their system, compartmentalize it as much as possible, and ensure it is protected every step of the way.
Utilize Encryption and Tokenization
When faced with the challenge of protecting customer information, encryption and tokenization are a powerful combination. By using an encrypted card reader, your customer’s card data is never exposed in the clear as it enters the system. Tokenization then keeps credit card data protected while still usable by the people and systems that need it. With tokenization, a token, a unique stand-in for the sensitive value, is stored in place of the original data, such as a credit card number, social security number, or other high-risk personal data. The sensitive data itself is kept in a protected vault, and any database or application that needs a reference to it works with the token instead. The sensitive data stays safe, and business proceeds as usual. Because systems that hold only tokens never touch cardholder data, tokenization can shrink the scope of your PCI audit. There is one more step to reduce the compliance burden: defer the collection, handling, and storage of sensitive data to a third party, such as TrustCommerce.
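To make the tokenization idea concrete, here is a small added example (not TrustCommerce code and not part of the original article) of a token vault in Python. The vault is the only component that ever holds the card number; every other system stores a random token and can show at most a masked form. The `TokenVault` class, the role names, and the `SAMPLE_PAN` (the well-known Visa test number, not a real card) are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed test PAN: the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"

# Hypothetical roles allowed to recover the real PAN; all others get the masked form.
DETOKENIZE_ROLES = {"payment_processor"}


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it reaches the vault (Luhn mod-10 check)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component that ever holds the PAN.

    A production vault encrypts the stored PAN at rest; here a dict stands in
    for that store so the token/vault boundary stays the focus.
    """

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash so the idempotency index never stores the PAN itself.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token for the PAN; the same card always maps to the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        # The token is random, not derived from the PAN, so it cannot be reversed
        # by anyone who does not hold the vault's mapping.
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def masked(self, token: str) -> str:
        """Display form for billing or CRM screens: last four digits only."""
        pan = self._pan_by_token[token]
        return "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token: str, role: str) -> str:
        """Only the payment path may recover the PAN; everyone else is refused."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(secret_key=secrets.token_bytes(32))
    tok = vault.tokenize(SAMPLE_PAN)
    print("policy record stores:", tok, vault.masked(tok))
    print("charge path recovers:", vault.detokenize(tok, role="payment_processor"))
```

The scope reduction follows from the data flow: the policy database, the CRM, and the reporting jobs hold only `tok_...` values and the masked form, so they never process cardholder data, while the vault and the payment path that calls `detokenize` are the parts that remain in scope.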
Reduce Risk with TrustCommerce
TrustCommerce’s TC SMART Products provide comprehensive risk mitigation and cost reduction. These solutions minimize, if not entirely eliminate, the responsibilities, liabilities, and costs associated with payment acceptance and processing. TC Citadel uses tokenization to protect customers’ sensitive data. It is designed for recurring, installment, subscription, and utility payments, so it is ideal for insurance customers who are on payment plans or who want an easy way to renew their policies. After data is collected, it is stored in TrustCommerce’s PCI-compliant data storage center rather than in the insurance company’s systems, removing it from the scope of a PCI audit.
But how can you collect the customer’s information securely? TC Trustee Host and TC Merchant Host provide two secure options. With TC Trustee Host, customers are redirected from your web site to a secure TC Trustee “Hosted Payment Page.” Customers securely enter their credit card information on that page and after the payment is authorized, the customer sees a confirmation page with the transaction details. Because this information is collected off your site, it is considered out of scope for a PCI audit. The TC Trustee Merchant Host is a merchant-hosted secure payment page that transparently redirects to TrustCommerce. Sensitive data is securely held in TrustCommerce’s PCI-compliant data storage facilities.
Put your PCI compliance game plan into action: collect credit card data securely, store the data outside of your environment in a data vault, and use encryption and tokenization. With your plan in place, you can focus on running a successful, PCI compliant insurance company, without becoming a data security expert.