Stephen Busateri, global managing principal, Insurance, Verizon Enterprise Solutions
Verizon Enterprise Solutions last week released its 2015 PCI Compliance Report, an in-depth look at the state of PCI compliance and at how the management of risk is critical to organizations that process payment cards. PCI compliance is especially important to insurance companies as they look to evolve in today’s marketplace. I sat down with Stephen Busateri, global managing principal, Insurance, Verizon Enterprise Solutions, to discuss why PCI compliance matters to the insurance industry. Here’s what he had to say.
Why is PCI compliance relevant to the insurance market?
The insurance industry is facing unprecedented changes in how it markets its services to its customers. As insurers look to improve their customer experience, the industry is deciding whether or not it makes sense to exist as PCI merchants within its policy administration systems (including in-house self-service systems, mobile tools and business partner applications) or to look at other business models that outsource certain non-integral components.
PCI compliance also plays a part in how insurers underwrite their policies for their customers or for commercial entities that take payment card information from consumers. Insurers must consider risk management, visibility and liability measures when they are pricing their policies. Insurance companies carry a heavy risk when they underwrite a consumer or business that doesn't manage its own financial systems and payment card information in a PCI DSS-compliant manner.
There’s also a growing demand for cybersecurity insurance policies, and the industry is looking to meet these demands by creating policies that provide coverage when entities are breached. Ensuring that insured entities are PCI compliant at all points in time is an important component to the underwriting process.
How does payment card security fit in with the growing imperative to upgrade policy administration systems?
All segments of the insurance industry are dealing with the need to either update or completely replace their core policy administration systems. In most segments, it is the number one priority and is closely tied to specific initiatives that allow them to improve existing or new products that deliver better customer experience.
As a result of core policy administration systems being upgraded or replaced, there is an increased chance for cyberattacks to occur between PCI data at rest and PCI data in motion, as well as between current systems and future systems. Recent breaches in the insurance industry have brought attention to these kinds of exposures, and appropriate security measures must be implemented as insurers go through system migration planning.
Is PCI compliance in insurance unique or different from other industries?
The PCI compliance process is not necessarily unique to the insurance industry, and it follows the standard PCI merchant and payment card assessment process. However, insurers sometimes have to wrestle with multiple aspects of PCI compliance under a single umbrella. An insurer can be a merchant, taking payment for an insurance policy premium. At the same time, it can also be a financial institution clearing house for credit card transactions. Each of these types has specific levels of compliance standards to adhere to. At a time when insurers operate with great competitive intensity and disintermediation, making the right decision to control costs and improve the customer experience is tricky. By improving flexibility in payments to consumers, the complexity to support goes up, as do the cybersecurity concerns.
Visit Verizon Enterprise Solutions today to download the full 2015 PCI Compliance Report for free.