Credit card processing merchants, i.e. merchants who accept credit card payments, such as online retailers or wholesalers, must keep their payment systems secure. Merchants must adhere to the Payment Card Industry Data Security Standard (PCI DSS) and undergo PCI compliance audits periodically to demonstrate compliance and prove that security controls are in place for the secure processing of payments and the privacy of customers. Engaging a Qualified Security Assessor (QSA), who carries out assessments and audits of an organization's security and compliance controls, is the first step towards effective adherence to the PCI DSS standard.
QSAs must be certified by the PCI Security Standards Council as qualified to assess compliance with the PCI DSS standard.
In the course of an audit, organizations receive a comprehensive risk assessment that shows their level of PCI compliance and information security. Those who fail the PCI compliance audit may be subject to financial penalties or other consequences as set out by the credit card companies.
In order to be qualified by the PCI Security Standards Council (PCI SSC), the QSA must maintain adequate insurance, with the coverage and exclusions required under the QSA Agreement, at its own expense before commencing QSA services. The policy's Coverage Territory must include the entire Region(s) in which the QSA Company has qualified to operate (please refer to the QSA Qualification Requirements booklet on the PCI Security Standards Council website for full details).
The following is a summary of the PCI SSC insurance requirements as set out in the guidelines (these may be subject to change):
General Liability Insurance covering Products, Advertising Injuries, Personal Injuries and Contractual Liability, with minimum liability limits for Bodily Injury and Property Damage on an Occurrence basis of $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC is to be added as "Additional Insured."
CRIME Insurance covering dishonesty, fraud, theft, forgery, electronic alteration, mysterious disappearance, and destruction by employees, including cover for third-party employee dishonesty, with a minimum limit of $1,000,000 per loss and an aggregate limit of $1,000,000 per year.
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE policies providing coverage for financial losses arising out of acts, errors, or omissions in providing computer or information technology services, and first-party and third-party coverage under a comprehensive cyber insurance policy, with a minimum limit of two million dollars ($2,000,000) per claim.
EMPLOYER'S LIABILITY with a limit of $1,000,000.
WORKERS' COMPENSATION: statutory workers' compensation as required by applicable law.
The QSA must furnish PCI SSC with a certificate of currency from each insurer demonstrating that the above insurances are in place, and must provide copies of the actual insurance policies if requested by PCI SSC at any time.
Disclaimer: "The information provided is general advice only and does not take account of your personal circumstances or needs. Please seek advice from your broker or risk advisor before taking any action on the contents of this article."