What is the Compromised Data Security Program?

“Compromised Data Security Program for Merchants” is a new and unique insurance product specifically designed to assist a merchant with unexpected expenses that arise from a suspected or actual compromise of card data at the merchant’s location. Depending on how severe the compromise is, a card brand can mandate the following: a forensic audit, the replacement of compromised cards, and a fine/assessment.

Why do merchants need this coverage?

A merchant could incur unexpected costs resulting from a data breach. These costs could significantly affect revenue and even jeopardize the existence of the business. This inexpensive policy reduces a merchant’s monetary exposure when a presumed or actual data compromise occurs, thus providing peace of mind!

What insurance company underwrites this insurance policy?

Great American Insurance Group (www.greatamericaninsurance.com) has collaborated with RGS to create this program. Great American is a well-established, financially strong insurance group whose insurance companies hold “A” ratings from independent third-party rating agencies.

What are the coverage amounts?

The basic coverage is for an aggregate amount of $50,000 per year, per merchant account.

Can I provide my merchants a policy with higher limits?

Yes. You can also purchase limits up to $1,000,000 and have multiple limits on the same policy for each merchant level (2, 3, and 4).

Is there any deductible?

There is NO deductible!

If a merchant has multiple locations, is each location covered for the policy limits?

RGS provides the coverage on a per-merchant-account basis, not a per-location basis.

Can any merchant qualify for this insurance coverage?

Any Level 2, 3, or 4 merchant that maintains a merchant agreement with you is eligible, provided they have not already suffered a data compromise. Level 1 merchants are not eligible for this coverage. If a Level 2, 3, or 4 merchant suffers a data compromise, the merchant can become eligible (or re-eligible) for the program once PCI DSS compliance is verified.

Must a merchant be PCI DSS compliant in order to get this insurance product?

No. However, we highly encourage all merchants to become compliant with PCI DSS, and RGS will work with you to create programs that will help drive your merchants toward compliance. In addition, a merchant that experiences a breach must become compliant before the merchant can participate in (or re-enter) the insurance program.

Won’t this program make it less likely for merchants to become PCI compliant?

No. RGS is working closely with our banking partners to make sure that the Compromised Data Security Program enhances their PCI DSS compliance efforts by establishing bundled offerings with security vendors and by rewarding you with rating plans that encourage PCI DSS compliance. As we all know, the best way to reduce exposure is to ensure 100% of your merchants are PCI DSS compliant!

My merchants are primarily Level 3 and 4 merchants. They aren’t breached often, are they?

Absolutely, they are! The current effort to clamp down on data compromises is becoming increasingly aimed at small merchants. Recent studies by the leading security vendors have determined that Level 4 merchants have the highest risk that their POS software is storing card data without the merchant’s knowledge. Level 4 merchants also tend to have faulty or non-existent business procedures for restricting data access to only those employees with a need to know. As a result, Level 4 merchants are drawing the attention of data thieves. Keep in mind that there are approximately 6 million Level 4 merchants (those doing fewer than 1 million transactions a year), and they account for nearly one-third of Visa’s volume. In fact, according to Eduardo Perez, VISA USA’s Vice President of Payment Systems and Risk, speaking at the 2007 Electronic Transactions Association trade show in Las Vegas, “Hackers are concentrating on the smaller merchants…that’s where we see the greatest vulnerability.”

Can merchants that do not store magnetic stripe data have data compromises?

Yes! While it is true that merchants that store magnetic stripe data are the most vulnerable, there are a number of other risks for merchants. For example, missing or outdated security patches, vendor-supplied default settings and passwords left in place, SQL injection attacks, unnecessary and vulnerable services running on their servers, and poor business procedures that allow physical access to cardholder data can all lead to significant data compromises and subject merchants to audits, card replacement costs, and fines. In fact, nearly 70% of all losses are due to the physical theft of computers or records!

My merchants are all PCI DSS compliant. Do they still need this coverage?

Yes! Certification of PCI DSS compliance is not a 100% guarantee that a breach will not occur. Any time that people are part of the system, errors can occur. Sections 7 and 9 of the PCI DSS primarily involve business systems and processes, NOT technology systems and processes. The analogy that best describes the situation is this: “you can have the best alarm system in the world, but it is useless if you don’t turn it on.”

Compliance activities are expensive and negatively affect my bottom line. Is there any way for me to recover some or all of my compliance costs through this program?

Yes. Most acquiring banks and/or ISOs that participate in this program add a small administrative fee.

Is this program easy to administer?

Yes. This simple opt-out program requires minimal changes to your current processes. RGS needs only a monthly list of merchant IDs for enrolled merchants to begin the coverage.

How does a merchant submit a claim?

A merchant simply has to: (1) complete an online claim form; (2) fax the notice from the card brand that stipulates there has been (or there is the suspicion of) a data breach at the merchant’s location; and (3) provide a copy of the invoice from the certified PCI DSS auditor. Upon completion of the forensic audit, if a demand for payment is made for card replacement costs or assessments/fines that result from an actual data breach, the merchant submits a copy of the demand for payment to RGS, and RGS will submit it to Great American Insurance for payment, subject to the terms and conditions of the Policy.

What if a merchant does not want to continue… or wants to rejoin… the program?

The billing and coverage for the program are processed on a monthly basis. Should a merchant wish to stop participating in the program, the merchant notifies the acquiring bank/ISO/MSP to discontinue the coverage. You simply need to remove the Merchant ID # from the list of active accounts submitted to RGS for the monthly billing. Should the merchant want to rejoin, simply include their Merchant ID # on the next monthly billing list of participating merchants you submit to RGS.

How fast do the merchants receive their reimbursements?

Quickly. Once the merchant provides the relevant documentation to RGS, the requests for payment will be processed. Assuming that the documentation is in order, the requests should be processed within thirty days.

Don’t I need to be licensed to provide the Compromised Data Security Program?

No. You are not selling, soliciting, or marketing insurance. You are purchasing insurance. You have shared liability with your merchants, and you are collectively purchasing protection for that shared risk.

The Compromised Data Security Program is a portfolio product. Won’t that increase my attrition rates?

No. Our clients have seen little to no increase in merchant attrition. Unlike other fees applied by your competitors, you are providing significant value to your merchants at very little cost. In fact, on our client programs that offer merchants an opportunity to opt out, the average portfolio opt-out rate is less than 22%!