Agents Are Service Providers? You Betcha.
Those in the insurance industry are no strangers to the complexities of dealing with independent agents. These agents are essentially small business owners acting as the middleman between your products (and those of numerous other insurers) and the consumer. What insurers may not realize is the impact these agents can have on the insurer’s own PCI compliance.
Why? Because agents qualify as service providers under PCI DSS. The standard defines a service provider as a “Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.” Since independent agents routinely accept credit cards as payment for insurance on behalf of the insurer, they meet that definition.
As such, they must comply with PCI DSS. If they don’t, any insurer who uses them may not be compliant either. You can thank Requirement 12.8 for that one. It obliges the insurer to maintain a list of its service providers, perform due diligence before engaging them, hold a written agreement in which each provider acknowledges its responsibility for the cardholder data it handles, and monitor each provider’s compliance status at least annually. These requirements cover any third party with whom cardholder data (CHD) is shared, or that could affect the security of that data.
Though this issue is especially pertinent to the insurance industry, it applies equally to retailers, marketing firms, and other organizations that use independent consultants who accept credit cards on the organization’s behalf. You may think of these agents as “independent,” but they can have a bigger impact on your compliance than you realize.
What’s the Problem?
For organizations familiar with PCI, managing service providers’ compliance status is nothing new. What may be new is treating independent agents as service providers and holding them to the same standard. At several insurers we have recently seen that the process for handling independent agents under PCI is not well understood or managed, and that could spell big trouble for them.
For example, one of our clients has 5,000 independent agents. These agents accepted credit card payments on behalf of insurers, but they were not protecting CHD in line with PCI DSS. Under the standard, not only would these agents be noncompliant, but every insurer relying on their services would fail Requirement 12.8 as well. Since the agents had never felt any pressure to comply, they had no reason to prioritize, or even consider, their PCI obligations.
This client was hesitant to force compliance on its agents, since no other insurer was telling those agents they needed to be PCI compliant. It worried that compliance would be too much of a burden and that the agents would simply stop writing its business, which of course would mean lost revenue.
Meanwhile, the insurer’s acquiring bank was demanding compliance, and the deadline was quickly approaching. SecureState confirmed with the bank that the customers were indeed customers of the insurer (not just of the agent) and that the agents were, in fact, service providers to the insurer.
What’s the Solution?
In this case, the solution was to change the process by which independent agents accepted CHD on the insurer’s behalf. Rather than the agents taking card details directly, customers were sent straight to the insurer’s online payment portal and entered their own card data there. This funneled every payment through a process that was already compliant. The one caveat worth stating plainly: the descoping only holds if agents stop handling card numbers in every channel. An agent who reads a card number over the phone and keys it into the portal on the customer’s behalf is still processing CHD and is still a service provider.
There was some pushback, as there is with any change. Some agents felt they lost a degree of intimacy with their customers. Some customers did not want the extra step of accessing the portal themselves rather than having the agent handle the entire transaction. But in the end it was a necessary change. CHD is far better protected now that it is handled only in a secure, controlled environment. And, though they might not realize it, the independent agents have reduced their own risk: they no longer store, process, or transmit card data for this insurer, so they no longer carry the liability that comes with it.
This example demonstrates the importance of a mature PCI compliance program, including a proactive process for managing service provider compliance. The insurance industry, and any industry that works with independent consultants in a similar way, should examine its relationships with its agents now, before an acquiring bank or card brand forces the question during an assessment or after a breach.
Are you approaching this challenge differently? We’d love to hear from you: 216.927.8200