Credit card insurance companies


prodigymad
01-15-2008, 02:23 AM
Hi all,

I have seen several companies here in the UK that offer credit card insurance. Basically, if someone steals your wallet, you ring one number and they will cancel them all and also cover any spending on the cards, etc.

However, to do this you have to send them ALL of your credit / debit card numbers so they can store them in their database and forward them to the card issuers when you make a claim.

As these companies are not actually processing payments, are they still under the PCI-DSS requirements? How would Visa / Mastercard punish them for non-compliance when they don't take payments?

Many thanks.

DMertz
01-15-2008, 08:47 AM
PCI applies to any entity which stores, processes, and/or transmits cardholder data. The insurance companies you mentioned store and transmit the data. So they are to be PCI Compliant.

The second issue you mentioned is how does the PCI "umbrella of accountability" impact these vendors? Under PCI, these companies are considered service providers and most likely as merchants as well.

The insurance companies probably take credit/debit cards for payment - as a result they are required to be PCI under their merchant agreement.

The services they render for cardholders classifies them as a service provider.
And, as a service provider, they should be registering with VISA as a service provider. This registration is done through an acquiring bank. No liability is incurred by the bank for the actions of the service provider, but they are the conduit of the registration form and associated fees. Last I checked, the registration fee for the first year is $5K with annual fees for years 2 through X of less than $1K.