Insurance Companies and their Agents


El_Luke
06-06-2007, 08:46 AM
It seems to me that many insurance companies follow a similar model so I was hoping for clarification on whether the insurance company had any PCI responsibilities with regards to their Agents.

So, the typical scenario for insurance companies (IC) is that they have independent, third-party agents who sell policies for them. So the IC may directly sell policies to consumers, but the agents also sell IC policies to consumers. For those cases, the consumers pay through the Agents to the IC, and thus the Agents have consumer CC data that they may receive via any method: fax, phone, in person, email, whatever.

So does the IC have any responsibility to enforce PCI on these Agents? I don't see how, as the Agents are independent operators who basically act as proxies for the consumer, and the IC has no control over them, nor does the IC provide them any CC data they don't already have.

As a follow-up, let's say the IC has one web app that Agents, Consumers, etc. all use to input payment information, and which thus stores CC data. When consumers log in, they can view their own CC #. When Agents log in, they can view the CC #'s of the clients they proxy for. Does that change anything?

Thanks,
Luke
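The follow-up question describes a single web app in which a consumer can see only the card they entered and an Agent can see the cards of every client they proxy for. The following is an added example, not code from the original post or from any insurance company's application, of how such a scoping rule is enforced and how the PAN is masked on display (first six and last four digits, the PCI DSS requirement 3.3 pattern). All names, roles and card data below are constructed assumptions.

```python
"""Added example (not from the thread): minimal access scoping for an
IC web app where consumers and agents both log in to view stored cards.
Consumers see only the card they entered themselves; an agent sees only
the cards of policyholders for whom they are the agent of record.
Every name, role and PAN here is constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StoredCard:
    pan: str                 # full PAN; a real system would hold this encrypted at rest
    owner: str               # consumer who entered the card
    agent: Optional[str]     # agent of record if paid through an agent, else None


@dataclass
class User:
    name: str
    role: str                # "consumer" or "agent" (assumed role names)


class AccessDenied(Exception):
    """Raised when a user asks to view a card outside their scope."""


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    if len(pan) <= 10:
        # Too short to keep any digits safely; mask everything.
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def can_view(user: User, card: StoredCard) -> bool:
    """Scoping rule: consumers see their own card, agents see their clients' cards."""
    if user.role == "consumer":
        return card.owner == user.name
    if user.role == "agent":
        return card.agent == user.name
    return False             # unknown roles get nothing


def view_card(user: User, card: StoredCard) -> str:
    """Authorise, then return only the masked PAN for display."""
    if not can_view(user, card):
        raise AccessDenied(f"{user.name} may not view card owned by {card.owner}")
    return mask_pan(card.pan)


def cards_visible_to(user: User, cards: List[StoredCard]) -> List[str]:
    """The masked PANs a given login would be able to list."""
    return [mask_pan(c.pan) for c in cards if can_view(user, c)]


# Constructed sample data: two policyholders paying through one agent,
# one paying the IC directly.
CARDS = [
    StoredCard("4111111111111111", owner="alice", agent="agent_bob"),
    StoredCard("5555555555554444", owner="carol", agent="agent_bob"),
    StoredCard("378282246310005", owner="dave", agent=None),
]

if __name__ == "__main__":
    for u in (User("alice", "consumer"), User("agent_bob", "agent"), User("agent_eve", "agent")):
        print(u.name, cards_visible_to(u, CARDS))
```

The point the example makes concrete is lyalc's observation below: the consumer login reaches exactly one PAN, while the agent login aggregates the PANs of every client it represents, which is what puts the agent in a different position from an ordinary end user.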

lyalc
06-07-2007, 02:08 PM
In this scenario, the IC is the merchant.
The agents/brokers are service providers, and need to be addressed via 12.8 and possibly 12.10 (giving brokers/agents the CC# via the web access).

As a minimum, I'd expect the agents/brokers to have agreed to contractual terms that address 12.8 and 12.10 as part of establishing their commercial relationship with the IC.

lyal

El_Luke
06-08-2007, 03:42 AM
I find it hard to believe that the Agents are service providers to the IC, simply because the Agents are merely proxies for the customers. The IC doesn't treat the Agents any differently than it does end-user customers who use the application. Both Agents and end users have accounts and can view any PAN that they already entered to make a payment previously. So whatever PAN data an Agent can see is there because the Agent themselves put it there. You wouldn't consider end-user customers to be third parties, so what is the difference between an end user and an Agent?

I think the Agents would have PCI responsibilities because they accept CC payments. However, I just don't believe that the IC has any obligation for the Agent's PCI compliance. The Agents should be PCI compliant because they accept customer CC data, not because of their relationship with the IC.

Do you disagree?
Thanks,
Luke

lyalc
06-08-2007, 02:12 PM
The Agent can access multiple card details through their login permissions - the consumer can access one (their own) as I understand the provided description.

The Agent is providing a service to the Insurance company by dealing directly with consumers, collecting and aggregating payment details on behalf of the IC among, I assume, other services.

I can imagine this will be a messy logistical process to reach all Agents, provide them with new terms and conditions that reflect PCI, and get a response that addresses 12.8 and/or 12.10.

I work with another client in a similar situation: they have a Level 1 sized entity as a customer that has the same issue, because their business involves up to 200 external 'connected entities', most of whom are banks but not Card Scheme members. The situation is neither pretty nor simple due to the politics of the business environment, but that's PCI. The easy thing is that my client's customer has no contracted PCI obligations at this time (a consequence of non-US-style business models).

mdahn
06-10-2007, 11:34 AM
The Agents are in fact service providers. The definition of a service provider is just one that provides services to another company that involves the storage, processing, or transmission of credit card numbers.

The Agent is providing credit cards from multiple consumers to one or more ICs, thus they are a service provider. You can be a service provider even if you only provide services to one IC.