Welcome back to our Cyber Coverage Explained series. In our newest edition, we'll be discussing PCI Fines and Penalties Coverage: the origins of PCI compliance, the cyber impact, and what to watch for in policy wordings. For more coverage explainers, you can find our past posts on Sub-limits and Coinsurance, Social Engineering and Crime Coverage, Business Interruption, and Contingent Business Interruption.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements established to safeguard sensitive cardholder data. The major credit card companies — Visa, MasterCard, Discover Financial Services, JCB International, and American Express — established standards for all businesses that store, process, and transmit cardholder data to reduce credit card fraud and data breaches.
How it Started
Back when malls and department stores reigned supreme, online shopping — now a bad habit encouraged by the Instagram algorithm — existed only as a revolutionary idea. But as everyone flocked to the internet, companies rushed to meet the demand. The downside to the new, digital consumer experience? Encryption and firewalls weren’t a given, opening the door to tech-savvy cybercriminals and credit fraud in the early ‘aughts.
Visa, the first of the major credit card companies to introduce security standards for online payments, implemented the Cardholder Information Security Program (CISP) in 2001 as a response to new online threats. American Express, MasterCard, and Discover followed. But as they independently rolled out their own security programs, merchants found widespread compliance difficult, while data breaches became increasingly consequential. After seeing the lack of cohesion, the major payment card brands collaborated to bring us the Payment Card Industry Data Security Standard (PCI DSS) in September 2006.
What You Need to Know About PCI DSS:
Compliance guidelines vary.
Every organization that handles credit card information — SMBs included — is expected to meet compliance guidelines. However, the PCI DSS categorizes merchants into four different levels, based on the number of credit card transactions performed in a 12-month period. Expectations for small businesses will look significantly different from those for larger organizations that process millions of transactions annually.
It’s not law, but the fines are serious.
At the discretion of payment brands, fines can range from $5,000 to $100,000 per month until compliance is met. While penalties are originally placed on the bank, the cost ultimately becomes the financial burden of the merchant. In the aftermath, the bank may increase transaction fees or terminate its relationship with the merchant altogether.
It’s always evolving.
In cyber, staying stagnant is never the answer. Threats are always changing, so the onus falls on the “good guys” to keep up. And keep up they’ll try — PCI DSS v4.0 becomes effective in Q1 of 2024, while the last iteration, PCI DSS v3.2.1, officially retires March 31, 2024. In its newest form, it will include tighter guidelines for passwords, multi-factor authentication, and email security.
Cyber Liability: The Impact of Data Breaches
Only 52.5% of all organizations are 100% PCI compliant, according to Verizon’s 2018 Payment Security Report. Research shows a direct correlation between companies that experience a data breach and those that fail to meet significant PCI DSS requirements. Translation: PCI DSS compliance actually works to decrease the chances of a breach.
The effort counts (seriously), as breaches are only getting more expensive. The 2022 Cost of a Data Breach Report from Ponemon Institute and IBM found that the average cost of a breach is up to $4.35 million, which is a 12.7% increase from 2020. Consider the impact of Target’s noteworthy 2013 breach, which cost the business $202 million — obviously a standout in losses — where $19 million in fines went to MasterCard alone after data was stolen from over 40 million consumers.
How can organizations guarantee that they’re properly addressing the growing risk of a breach? First, let’s confirm what standard cyber liability insurance covers. A standalone policy addresses first-party coverages, such as investigation costs, repairs to damaged equipment, and lost revenue, as well as third-party coverages for attorney fees, settlements, or regulatory fines.
So, third-party coverages guarantee an organization is all set in the event of PCI fines and assessments, right? Not quite, unless coverage is explicit.
PCI Fines and Penalties Coverage: What Brokers Should Keep in Mind
Read policy wording thoroughly.
Let’s look at a real-life example. In 2016, P.F. Chang’s filed a suit against their cyber insurer after being denied a claim following a data breach. Hackers gained access to the restaurant chain’s payment systems, where they gathered information from over 60,000 credit cards. P.F. Chang’s was reimbursed $1.7 million to cover the cost of the breach before being hit with another $1.9 million in fines from Bank of America Merchant Services. Their insurer then denied coverage, arguing that the policy did not explicitly cover the costs tied to PCI assessments.
The devil is in the details. The scope of PCI-DSS coverage can vary widely from policy to policy, but the safest bet is to have PCI-DSS fines and assessments explicitly included in the policy wording. To clarify, a majority of the expenses brought to P.F. Chang’s from Bank of America weren’t just regulatory fines from being non-PCI compliant (that was $50,000 of the sum), but the additional cost of recovery from fraud loss and operational reimbursement.
P.F. Chang’s specific policy excluded claims based on liability under any contract or agreement. This put them in an unfortunate position due to their contract with Bank of America Merchant Services. If you’re working with any organization that accepts payment cards, be wary of wording similar to the above.
Is your client compliant? If not, you’re likely to run into sub-limits or policy exclusions.
Most cyber insurers are likely to exclude or sub-limit PCI-DSS Fines and Penalties coverage if the client is unable to prove compliance. It is important to note that when a breach happens, the merchant is automatically assumed to be out of PCI compliance, even if it has met all requirements. The burden of proof falls on the merchant.
PCI-DSS expenses are hard to quantify.
Corvus offers a full policy limit under a third-party agreement for PCI Fines and Penalties Coverage, but as you’re probably aware, cyber insurance is still far from standardization. Many policies are vague when it comes to PCI-DSS, as it is an exposure that remains hard to pin down. Consider the significant expenses P.F. Chang’s faced from PCI fines and assessments, on top of the original losses incurred from the breach. Insurers, brokers, and their clients need to understand the intricacies of the PCI-DSS compliance process to know exactly what coverage they need.
The Bottom Line
Data breaches continue to pose an imminent threat to organizations and consumers. Through adequate security measures — pushed by cyber insurers and the PCI-DSS alike — we can hopefully decrease the impact of threat actors. In the meantime, working with your clients to ensure that their cyber coverage provides them with the broadest level of protection is the best way to reduce and mitigate risk. Be wary of narrow language, and stay up-to-date with the wide world of security standards for online payments.