 |
PCI Protection Plan
Program Overview
The PCI Protection Plan is a new and unique indemnification program
designed specifically to meet the expenses resulting
from a suspected or actual breach of
credit card data.
The Program Covers
|
·
|
A mandatory forensic audit required by the Payment Card Industry Data Security Standard (PCI DSS) of a merchant when a data breach is suspected. |
| · |
The data breach can be either a system/network breach or the physical theft of the credit card data from stolen receipts, stolen computers, skimming, or even employee theft.
|
| · |
Card replacement costs and related expenses resulting from the data breach.
|
| · |
All Level 2, 3 and 4 merchants regardless of their level of compliance with the standard. |
Frequently Asked Questions
Why do I need the PCI Protection Plan?
If you suffer a suspected or actual data breach, you could incur thousands
upon thousands of dollars of unexpected costs in the form of audit expenses,
card monitoring and replacement expenses, and fines. These costs could
significantly affect revenue... and even jeopardize the existence of
your business. This inexpensive program reduces your monetary exposure
when a presumed or actual data compromise occurs, thus providing peace of mind!
What company underwrites the PCI Protection Plan?
To offer the PCI Protection Plan, Trustwave is working with Royal Group Services and Great American Insurance Group. Royal Group Services (www.royalgroupservices.com) is well-known for delivering unique and innovative insurance solutions for the payment card industry and serves as broker and program manager for the PCI Protection Plan program. Great American Insurance Group (www.greatamericaninsurance.com), which underwrites the program 100%, is a financially strong insurance organization whose insurance companies are rated "A" by independent third-party rating agencies. Trustwave is bundling the PCI Protection Plan with TrustKeeper, our remote assessment and compliance solution, to create a comprehensive system designed to get merchants PCI-DSS compliant and protect them from the potentially business-threatening costs of data breach.
Is there any deductible?
There is NO deductible!
Can any merchant qualify for the PCI Protection Plan?
Any Level 2, 3 or 4 merchant is eligible, provided they have not already
suffered a data compromise. Level 1 Merchants are not eligible for this program.
Must I be PCI DSS compliant in order to be eligible for the PCI Protection Plan?
No. However, if you experience a breach, you must become compliant before you
can participate in (or re-enter) the program.
I am a Level 4 merchant. Level 4 merchants aren't breached often are they?
Absolutely, they are! Nearly two thirds of all breaches occur
at Level 4 merchant locations. In fact, Eduardo Perez,
VISA USA's Vice President of Payment Systems and Risk,
stated at the 2007 Electronic Transactions Association
trade show in Las Vegas, "Hackers are concentrating on
the smaller merchants... that's where we see the greatest vulnerability."
I don't store magnetic stripe data. Can I still have a data compromise?
Yes! While it is true that merchants that store magnetic stripe data are the
most vulnerable, there are a number of other risks. For example, missing or outdated security patches, using vendor supplied default settings and passwords, SQL injections by hackers, unnecessary and vulnerable services on your servers, stolen receipts, stolen computers, employee theft, and skimming can all lead to significant data compromises and subject you to audits, card replacement costs, and fines.
I am PCI DSS compliant. Do I still need the PCI Protection Plan?
Yes! Certification of PCI DSS compliance is not a guarantee that a breach will not occur.
The analogy that best describes the situation is this: "You can have the best alarm
system in the world, but it is useless if you don't turn it on." Also, the program
covers employee theft and the physical theft of data. PCI DSS compliance alone
cannot prevent these losses.
How do I submit a claim?
To open a claim you simply have to: (1) complete the online claim form; (2) submit (via the web or fax) the notice from the card brand or acquiring bank that stipulates there has been (or there is the suspicion of) a data breach at your covered location; and (3) submit (via the web or fax) a copy of the invoice provided by the certified PCI DSS auditor.
To submit additional expenses on an open claim you simply have to: (1) enter your claim
number in the online claim form; and (2) submit (via the web or fax) a copy of the
demand for payment from the card brand or acquiring bank that explains that
these demanded reimbursements/fines were the result of an actual data breach.
If I do suffer a loss, how quickly will my claim be processed?
Quickly! Once you provide the relevant documentation to RGS,
the requests for payments will be processed. Assuming that
the documentation is in order, the request should be processed
within thirty days.
|
