PCI Compliance for Small Businesses: Protect Yourself With Cyber Insurance

If Your Clients Accept Credit Cards, They Need To Be in Compliance

As payment processing becomes more sophisticated, so do cyber attacks. The Payment Card Industry Data Security Standard (PCI DSS) was created to protect sensitive consumer credit card data. If your clients accept credit cards (even a single card transaction), they’ll need to make sure they’re compliant.

In addition, they’ll need PCI compliance insurance through a cyber insurance policy to make sure they’re covered in the event of any PCI fines or penalties, because PCI-compliant companies that accept credit card payments are still hacked in major data breaches. Since PCI compliance is a legal requirement, your clients could face significant fines or assessments if they’re not compliant in protecting customer data.

What is PCI Insurance?

While PCI compliance insurance isn’t a stand-alone product, your clients can protect themselves with a cyber insurance policy. This type of policy provides coverage for both first and third-party claims related to a data breach, in addition to multi-media coverage, cyber extortion, and more.

At ProWriters, our cyber experts work constantly to monitor changes in regulations and keep brokers and their clients informed.

Here, we’ve outlined the PCI compliance guidelines that small business owners need to know.


Understanding PCI Levels and What They Mean for Small Business

What does PCI compliance cover? There are four levels of PCI compliance to which companies need to adhere. Based on the thresholds set by the card brands Visa and Mastercard, the levels are as follows:

  • Level One: More than six million Visa/Mastercard transactions per year
  • Level Two: Between one and six million transactions per year
  • Level Three: Between 20,000 and one million eCommerce transactions per year
  • Level Four: Fewer than 20,000 eCommerce transactions or up to one million storefront transactions per year

For small businesses, your clients will most likely fall in the level four category, meaning they’ll need to complete the Annual Self-Assessment Questionnaire (SAQ), in addition to a possible quarterly network scan.

How to Complete the Annual Self-Assessment Questionnaire and Quarterly Network Scans

To complete the Annual SAQ, your clients will need a Payment Card Industry Data Security Standard Report on Compliance (PCI DSS ROC). This is available on the PCI Security Standards Council website.

Your small business clients will also be required to complete a quarterly network scan. The scan checks the systems involved in receiving payments for vulnerabilities, and it must be performed by an Approved Scanning Vendor (ASV). You can find a searchable list of ASVs on the PCI website. At ProWriters, we highly recommend Trustwave, as they can simplify the entire compliance process for your clients with step-by-step instructions.

Recent PCI Changes for Small Businesses

Small businesses are a preferred target for cyber criminals. Visa announced new data security requirements for small merchants that went into effect in 2017, and these requirements are now part of the PCI compliance guidelines.

With these changes, level four merchants must use PCI-certified Qualified Integrators and Resellers (QIR) professionals. QIRs are professionals who are authorized to install, configure, and repair payment systems. Your clients should be able to confirm that they use a QIR.

The PCI website offers the PCI Qualified Integrators and Resellers List to help find QIRs, searchable by region, individual name, company name, or certificate number.

Using a Third Party and PCI Compliance

For small businesses that outsource their payment processing, remaining PCI DSS compliant is still required. This applies even to businesses that have fully outsourced all payment processing and do not store or transmit any cardholder data themselves.

While using a third party does not exempt a company from PCI compliance, it can simplify the PCI compliance process. However, a third-party breach means your client is still legally obligated to notify their clients and they can still be held liable, which is why cyber insurance protection is so important. Your client can outsource the services, but not the liability.

To learn more about PCI compliance insurance and how to best protect your clients, download our FREE eBook, How to Sell Cyber: Big Claims in Ransomware & Social Engineering.