PCI Insurance: What Your Small Business Clients Need
Small businesses in the US are attractive targets for cybercriminals because they often lack the security needed to prevent data breaches, particularly ones involving payment cards.
In 2006, the three largest credit card companies—Visa, Mastercard, and American Express—established a set of rules called the Payment Card Industry Data Security Standard (PCI DSS). It was meant to help prevent data theft from organizations that process, store, or transfer credit card information. Unfortunately, most businesses struggle to maintain continuous compliance with these rules because they have limited time and resources to devote to cybersecurity. According to Verizon’s 2020 Payment Security Report, only 27.9 percent of organizations achieved full PCI DSS compliance during their interim validation in 2019.
As an insurance broker, you can help protect your small business clients against the impact of a data breach by offering PCI insurance through a cyber liability policy. But first, they must understand the magnitude of their risk and the benefit of the insurance.
Do Small Businesses Need to Be PCI Compliant?
All organizations that utilize payment cards, including small businesses, must be PCI compliant. Aside from compromising customer information, non-compliance can have several other detrimental consequences for businesses.
1. Fines and Penalties
Your clients need to know that PCI non-compliance can result in hefty penalties from banks and credit card providers ranging from $5000 to $100,000. In addition, non-compliant organizations can be fined monthly until they comply.
These penalties are based on the number of transactions handled by a small business. Therefore, the volume will determine the level of PCI DSS compliance required by the business.
Businesses would also have to pay for a PCI assessment—a time-consuming and expensive audit for validating compliance with PCI DSS. The assessment includes costs associated with reissuing cards and handling chargebacks, which are bundled and passed on to the merchant whose data was compromised.
2. Legal Disputes
A data breach could result in lawsuits against a small business. Lawsuits can be costly and contentious, draining resources that could be used for other endeavors.
Plaintiffs may seek compensation for unauthorized charges, harm to credit, card replacement, credit monitoring costs, and emotional distress.
3. Lost Reputation and Revenue
When your clients lose bank card details, it can damage their reputation irrevocably. Customers will view the company’s data security as untrustworthy, especially if they continue to be non-compliant. As a result, they risk losing sales and referrals—a situation that might ruin the business.
How Can Small Businesses Maintain PCI Compliance?
You can help your clients maintain PCI compliance by encouraging them to take the following steps:
- Run an Audit: Small businesses must evaluate their practices for collecting and storing customer payment information. They will also need to thoroughly examine these processes to identify vulnerabilities that hackers could use to steal a cardholder’s data.
- Address Vulnerabilities: Your clients could upgrade security for eCommerce websites and avoid storing cardholder information unless they conduct recurring transactions. They could also limit data access on a need-to-know basis and educate employees on PCI compliance to reduce vulnerability in their operation.
- Submit Compliance Reports: Small businesses must submit PCI compliance reports annually to their bank or card brands to avoid penalties and fees for non-compliance.
What Does PCI Insurance Coverage Offer?
Most organizations need the ability to collect payments from customers via a credit or debit card. However, fines and penalties for non-compliance will prevent them from processing card payments, crippling their business. PCI cyber insurance can protect these clients.
Some types of PCI insurance will cover PCI fines and penalties only through a sublimit. However, others are more comprehensive, offering PCI coverage for expenses, such as PCI assessments and PCI Forensic Investigators (PFIs) to determine when and how a data breach occurred. Furthermore, they may cover the cost of customer notifications and credit monitoring for affected consumers.
Given the frequency at which US and global companies are attacked by cybercriminals and their lack of security and compliance, most will suffer a breach at some point. When that happens, PCI insurance can prove invaluable.
Now, more than ever, your clients need to understand the importance of PCI compliance for small businesses. Download our free eBook to learn what you can do to help protect them against cyber risks.