
An insurance giant assures PCI compliance

A global insurer built and implemented a sustainable PCI governance and compliance program and achieved compliance through its Qualified Security Assessor (QSA).

Client challenge

As consumer preferences evolve, a global insurance company found that its customers increasingly preferred to pay for their policies by credit card. The insurer was comparatively new to card payments and knew its Payment Card Industry Data Security Standard (PCI DSS) compliance processes needed improvement. The company had implemented a homegrown PCI compliance process that had cost more than $10 million and taken 18 months to complete, yet it was not standardized and lacked a governance framework. As a result, the insurer was spending undue time and money on inadequate PCI compliance, with no in-house expertise to address the challenge.


PwC's solution

The insurer engaged PwC to help design a sustainable PCI compliance program. We guided the insurer through four work streams: governance, where we worked with more than 30 stakeholders to define a governance program; sustainable security processes, where we helped integrate PCI security processes into day-to-day operations and identified five critical areas of PCI compliance; training and awareness, where we defined multiple training programs to ensure that employees understood their PCI roles and responsibilities; and gap analysis, where we worked with the insurer to assess its PCI processes against the standard and provided customized best practices for remediation.


Impact on client's business

The global insurer has achieved compliance through its PCI Qualified Security Assessor (QSA), which enables it to serve its customers more securely and protect their data. Standardized procedures will also help it avoid the potential fines and reputational damage that accompany breaches. The insurer expects the program to bring operational efficiencies, productivity gains, and cost savings. It is also creating a common baseline of controls by extending its PCI controls to other mandates such as Sarbanes-Oxley (SOX). The insurer has mapped its PCI program against the SANS 20 Critical Security Controls and has improved 16 of the 20 controls across its ecosystem.


Published 12/2012


Dietmar Serbee
Principal, Financial Services, New York
Tel: +1 (646) 471 7270