Hi there
You have an interesting question, and I hope I am not missing any insurance industry-specific or PCI DSS nuances here. From my perspective, I think this is somewhat straightforward; I would default to best practices requiring your organization to monitor any entity that gains access to your customer data and ensure documentation (an AOC) as evidence of that monitoring.
There may be legitimate reasons why you don't require that AOC today, but as a third-party risk expert, I always ask myself the question, "Does this practice help our organization effectively manage risk?" That question will usually guide me towards the right decision. I hope that answer is helpful, and I would love to hear other members' thoughts on this topic.
Original Message:
Sent: 12-07-2021 03:34 PM
From: Anonymous Member
Subject: PCI Compliance for Distribution Partners (independent agents/firms)
This message was posted by a user wishing to remain anonymous
We allow initial premium only card payments for certain products. Today we don't require an AOC of our distribution partners that collect cardholder data from the policyholder in order for us to collect premium. I'm curious how other insurance carriers address PCI compliance with their distribution partners. Appreciate your feedback in advance.