PCI compliance doesn't have to be complicated.

Many insurance companies are not PCI compliant. Even if you are compliant, the process of achieving and maintaining compliance can be taxing on your operational resources - budget, network, and human.

Insurance leaders are trying to understand, “How can we simplify and reduce the cost of PCI compliance, while still maintaining a secure, frictionless payment experience for our policyholders?”

Check out the guide below to learn how the simple act of outsourcing payment card functions can free your company from much of the PCI compliance burden.

PCI: What it Means to Your Insurance Company

What is PCI?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for handling payment card data. It does not guarantee security; it sets the baseline that anyone who accepts, processes, stores, or transmits cardholder data must meet and periodically prove they meet. The standard is maintained by the PCI Security Standards Council, which was founded by the major card brands, including Visa and Mastercard, and those brands enforce it through the acquiring banks.

Why You Should Care About PCI Compliance

As soon as you accept credit cards, you must be PCI compliant. How much work it takes to demonstrate compliance varies enormously, and it is driven by how card data touches your systems. For most insurers the validation instrument is a Self-Assessment Questionnaire (SAQ). The shortest is SAQ A, for merchants that have fully outsourced all cardholder data functions to PCI DSS validated third parties and never store, process, or transmit card data themselves. The longest is SAQ D, which covers the full standard and applies to everyone who does not fit a narrower questionnaire, including anyone who stores electronic cardholder data. Separately, your merchant level (1 through 4, set by annual transaction volume) decides whether you can self-assess at all or need an on-site assessment by a Qualified Security Assessor (QSA).

If, for example, you are storing electronic cardholder data on your own systems, you will be an SAQ D merchant. At that point every requirement of the standard is in scope: network segmentation of the cardholder data environment, encryption of stored card numbers and management of the keys, quarterly external vulnerability scans by an Approved Scanning Vendor, annual penetration testing, centralized logging and monitoring, and ongoing maintenance of all of it. The initial systems costs can run into millions of dollars, and the work never stops, because compliance is reassessed every year.

Being out of compliance is not really an option for an insurance company, because the penalties are severe. The card brands levy fines on your acquiring bank, which passes them on to you; they can reach $100,000 per month, and the bank may also terminate your merchant account. Companies have gone out of business because of PCI compliance violations.

Storing Credit Cards—the Big Risk vs. the Big Benefit

Accepting credit cards is more than just a requirement for acquiring a new customer. It’s also important for customer retention. Keeping a credit card number on file for a customer makes it that much easier for a policyholder to renew their policy.

Unfortunately, this is where exposure is greatest, and why the PCI compliance requirements are so stringent at this level. Storing credit card data improperly is an invitation to hackers and security issues. In this competitive market, though, choosing to not store credit card information just so you can meet lower PCI compliance requirements is not a viable solution.

The Solution

What is the best strategy to reduce the scope of your PCI exposure and burden? You can effectively outsource the acceptance and processing of credit cards to a vendor whose business is to understand and stay on top of PCI compliance. These vendors store the card data in their own PCI-assessed environment, not on your systems. If the payment page itself is delivered by the vendor (a hosted page, a redirect, or an iframe) and no card number ever passes through your servers, you can typically qualify for SAQ A, which carries a short list of requirements and is validated with the questionnaire and an Attestation of Compliance rather than an on-site assessment. One caveat practitioners should check: if your own web form captures the card number and then forwards it to the processor, that is SAQ A-EP, a considerably longer questionnaire, because your site can be tampered with to steal the number before it leaves the browser. Keep the capture in the vendor's hands and the vendor undertakes the heavy measures, while you do little more than complete the self-assessment.

For recurring payments, especially, a third-party processor is absolutely the best route. The most reputable and rigorously assessed vendors use vault and tokenization technology. With this approach the card number never comes into your possession: the policyholder enters it into the processor's page, and what your systems receive is a token, a random surrogate value with no mathematical relationship to the card number. The real number lives in the processor's vault (or the processor obtains a network token from the card brand); either way, you keep only the token on file and submit it for renewals and future charges. A token is honored only by the processor that issued it and only for the merchant it was issued to, so an attacker who reads your policy database or intercepts the token gets a value that cannot be turned back into a card number and cannot be used anywhere else.
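To make the vault-and-tokenization flow described above concrete, here is an added example in Python. It is not One Inc's code or any processor's product; the token format, the merchant-scoped lookup, the in-memory vault, the PolicyDB class and the test card number are assumptions made so the script runs offline. It shows what each side stores, why a random token cannot be reversed or brute-forced the way a bare hash of a card number can, and why a token stolen from one merchant is refused when presented by another.

```python
"""Constructed illustration of vault-and-tokenization: the merchant (insurer)
keeps only an opaque token, the vault keeps the card number. This is an added
example, not One Inc's or any processor's code; the merchant-scoped token
format and the in-memory store are assumptions made to keep it self-contained."""
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check; rejects malformed numbers before they enter the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Stands in for the processor's vault (inside *their* PCI-assessed
    environment). A real vault encrypts the PAN column at rest; here an
    in-memory dict keeps the example runnable offline (assumption)."""
    _store: dict = field(default_factory=dict)  # token -> (merchant_id, pan, expiry)

    def tokenize(self, merchant_id: str, pan: str, expiry: str) -> dict:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, not derived from the PAN: there is nothing to
        # reverse, and nothing to brute-force the way a bare hash of a 16-digit
        # PAN (with a guessable BIN) could be.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = (merchant_id, pan, expiry)
        # Everything the merchant is allowed to keep on file.
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        """Recurring charge: the PAN is resolved inside the vault and never
        returned to the merchant. A token presented by a different merchant
        is refused, which is what makes a leaked token worthless elsewhere."""
        entry = self._store.get(token)
        if entry is None or entry[0] != merchant_id or amount_cents <= 0:
            return False
        _merchant, _pan, _expiry = entry
        # A real vault would now submit _pan/_expiry/amount to the card network.
        return True


class PolicyDB:
    """The insurer's own policy system: stores the token reference, never the PAN."""
    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def save_payment_method(self, policy_id: str, card_ref: dict) -> None:
        self.rows[policy_id] = card_ref

    def holds_pan(self, pan: str) -> bool:
        """What an attacker who dumps this database would find."""
        return pan.replace(" ", "") in str(self.rows)


def demo() -> dict:
    vault = TokenVault()
    db = PolicyDB()
    pan = "4111 1111 1111 1111"   # well-known test number, not a real card
    ref = vault.tokenize("insurer-A", pan, "12/29")
    db.save_payment_method("POL-1001", ref)
    return {
        "policy_db_holds_pan": db.holds_pan(pan),                               # False
        "renewal_charge_ok": vault.charge("insurer-A", ref["token"], 12_500),   # True
        "stolen_token_elsewhere": vault.charge("insurer-B", ref["token"], 12_500),  # False
        "stored_last4": ref["last4"],                                           # "1111"
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is where the scope boundary falls: everything in PolicyDB could be exposed in a breach without disclosing a single card number, and the only party that can turn a token back into a charge is the vault, and only for the merchant that registered it. In a real deployment the PolicyDB side is your system and the TokenVault side is the processor's, which is exactly the split that lets you claim SAQ A.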

PCI DSS is revised periodically, and each revision changes what is in scope and how it must be validated. Choosing a payments provider that is both conversant with the needs of the insurance industry and deeply experienced with PCI provides ongoing benefits. You would invest significant resources and take on great risk to do this on your own, or by using vendors for whom payments processing is not a central part of their business.

A Final Word

When looking for a payment processor, make sure you select one that is validated as a PCI DSS Level 1 service provider. Vendors at this highest level must undergo an extensive on-site assessment by a Qualified Security Assessor every year, resulting in a Report on Compliance. Ask for the vendor's current Attestation of Compliance, confirm that the services you will actually use (hosted payment page, vault, tokenization, recurring billing) are listed in its scope, and check that the vendor appears on the card brands' lists of validated service providers; PCI DSS requires you to track your providers' compliance status annually, and that attestation is what you will rely on in your own SAQ. You get the PCI scope reduction you need, and keep it, both over time and as your needs expand. With a vendor at this level of validation, you can offer whatever credit card capabilities your business demands.


A positive customer experience requires removing friction while keeping sensitive data secure.

Policyholders today demand convenience but also expect their data to be secure. Insurers don’t have to sacrifice customer experience to maintain security.

Want to learn more about PCI compliance and how it affects your business? We are here to help. Get in touch and let's start a conversation.
