A global insurer was able to build and implement a sustainable PCI governance and compliance program and achieve compliance through the QSA.
As consumer preferences evolved, a global insurance company found that its customers increasingly preferred to pay for their policies using credit cards. The insurer was comparatively new to card payments, and knew its Payment Card Industry Data Security Standard (PCI DSS) compliance processes needed improvement. The company had implemented a homegrown PCI compliance process that had cost more than $10 million and taken 18 months to complete, yet it wasn’t standardized and lacked a governance framework. As a result, the insurer was spending undue time and money on inadequate PCI compliance, with no in-house expertise to address this challenge.
The insurer engaged PwC to help design a sustainable PCI compliance program. We guided the insurer through four work streams: governance, where we worked with more than 30 stakeholders to define a governance program; sustainable security processes, where we helped integrate sustainable PCI security processes into day-to-day operations and helped identify five critical areas of PCI compliance; training and awareness, where we defined multiple training programs to ensure that employees understood their PCI roles and responsibilities; and gap analysis, where we worked with the insurer to perform a gap analysis of its PCI processes and provide customized best practices for remediation.
The global insurer has achieved compliance as validated by a PCI Qualified Security Assessor (QSA), which enables it to serve its customers more securely and protect their data. Standardized procedures will also help avoid the potential fines and reputational damage that accompany breaches. The insurer expects that the program will bring operational efficiencies, productivity gains, and cost savings. The insurer is also creating a common baseline of controls by extending its PCI controls to other mandates such as Sarbanes-Oxley (SOX). The insurer has mapped its PCI program against the SANS 20 Critical Security Controls and has improved 16 of the 20 controls across its ecosystem.