1. Define PCI Scope and Ownership Across Systems and Vendors

PCI compliance for your insurance agency starts with clearly defining scope and ownership. Finance teams must understand every system, workflow, and vendor involved in accepting, processing, refunding, or adjusting card payments, especially when payment activity extends beyond internal systems.

Finance leaders should inventory every touchpoint where card data could appear, including:

• Customer-facing payment portals and hosted checkout experiences.
• Embedded payment links used in emails, invoices, or AMS workflows.
• Internal systems that process, reconcile, refund, or adjust transactions.
• Reprocessed or corrected payments handled outside the original workflow.
• Third-party vendors involved in payment acceptance, processing, tokenization, refunds, chargebacks, or reporting.

Just as important as defining ownership, PCI compliance in insurance depends on documented internal accountability and clearly outlined third-party vendor compliance responsibilities. While technical controls may live with IT teams or vendors, finance remains responsible for oversight.

Finance leaders should document:

• Who owns PCI oversight internally, including validation of scope, controls, and ongoing compliance.
• Which vendors are responsible for PCI controls related to payment acceptance, processing, and tokenization.
• How PCI evidence is collected, reviewed, and stored for audits.
• Where escalation occurs when compliance questions or control gaps arise.

2. Verify How Card Data Is Handled and Stored

Understanding how card data is handled is essential for limiting compliance burden.

Key areas to review include:

• Where card data is captured.
• Whether tokenization occurs immediately.
• Whether any system stores raw card data.
• How long payment data is retained.
• How data is removed or invalidated.

Platforms that rely on tokenization and limit data exposure help finance teams reduce audit scope while maintaining reporting visibility. Less exposure means fewer controls to manage and fewer questions to answer later.

Finance teams should confirm these controls are applied consistently across collections, refunds, and payment adjustments, not only initial transactions.

Look for platforms such as AndDone that tokenize payment data at capture and avoid storing raw card information to reduce audit scope and limit risk.

3. Restrict and Review Access to Payment

Access control is both compliance and financial security.

Finance teams should regularly review:

• Who can view payment details.
• Who can initiate refunds or adjustments.
• Who can export transaction data.
• How role changes are logged and approved.

Role-based permissions and access logs protect against internal risk and support clean audit trails in platforms like the AndDone Portal.

4. Validate Daily Reconciliation and Audit Trails

Reconciliation is where compliance becomes operational.

Strong payment workflows support:

• Transaction-level detail.
• Time-stamped audit logs.
• Clear linkage between payments, refunds, and accounting entries.
• Visibility into paid, pending, failed, and reversed transactions.

Manual reconciliation increases compliance risk. Finance teams benefit from systems that support daily reconciliation.

When payment records are tied to policies and customers with time-stamped logs, reconciliation becomes faster and more accurate. 

5. Make Exceptions Easy to See and Prove

Refunds, chargebacks, and adjustments are part of every payment operation. But when they aren’t documented or visible, they become compliance risks.

Finance teams should ensure:

• All exceptions are tracked with complete transaction history.
• Refunds follow standardized and documented workflows.
• Chargebacks remain visible in reporting.
• Exceptions do not bypass approval or logging controls.

Auditors focus on the moments when processes break. That’s why visibility matters.

Exception workflows should stay connected to the original transaction and remain visible to the full team. This makes it easier to demonstrate control, even when workflows don’t follow the standard path.

6. Confirm Third-Party and Vendor PCI Compliance

Third-party vendors are part of your compliance footprint. As industry coverage regularly highlights, payment complexity in insurance often increases when responsibility for data handling and reporting is spread across multiple platforms and partners. Finance leaders should verify each vendor’s PCI status and document third-party service provider responsibilities across data handling, reporting, and audit support.

Key areas to confirm include:

• Each vendor’s current PCI certification and scope.
• Which party captures, processes, tokenizes, or stores card data.
• How vendors support audits, including access to evidence and documentation.
• Where responsibility shifts between internal teams and external partners.

When vendors manage payment data correctly, finance teams stay in control without taking on extra compliance work. The right platform provides visibility, reporting, and audit support without adding PCI scope to your internal systems. 

The right partner keeps finance in control without adding technical PCI risk. In this short video, Chase Courtney from AndDone shares how their team helps reduce audit complexity by managing tokenization, routing, and reconciliation in one system.

7. Maintain PCI Evidence and Audit Readiness

Audit readiness depends on evidence that reflects how your business actually operates.

Finance teams should centralize:

• PCI policies and procedures.
• Access logs and activity records.
• Transaction and reconciliation reports.
• Vendor compliance documentation.

Evidence should remain current and aligned with live workflows, because faulty or outdated records can directly lead to compliance problems and audit obstacles. When documentation matches real operating conditions, audits move faster. 

8. Schedule Ongoing PCI Reviews for the Year

PCI compliance in your insurance agency must remain current as systems, vendors, and workflows change.

Finance leaders should:

• Align PCI reviews with monthly close cycles.
• Reassess PCI scope whenever payment systems, vendors, or workflows change.
• Review vendor compliance on a regular cadence.
• Update documentation proactively as processes evolve.

Routine reviews prevent compliance drift and reduce last-minute remediation. Keeping PCI oversight tied to financial operations supports consistent audit readiness throughout the year.

The post The CFO’s Compliance Checklist: Key Insurance Requirements and Where PCI Fits appeared first on AndDone.

What Is Insurance Payment Processing?

Insurance payment processing includes the systems used to collect, route, track, and reconcile premium payments. It goes beyond simply accepting a payment. It covers everything from how funds are submitted to how they’re matched and confirmed.

A complete payment process answers several essential questions:

• How does the customer submit payment?
• Where do funds go after submission?
• How is the payment matched to the correct policy?
• When do teams receive confirmation?

Insurance payment processing includes:

• Payment methods, such as ACH and credit cards.
• Fund movement through banking or card networks.
• Payment matching tied to the correct customer and policy.
• Payment status visibility, including paid, pending, or failed.
• Accurate records for service, finance, and reporting.

Because insurance payments often involve binding deadlines, installments, and premium financing, this process carries more complexity than standard ecommerce transactions.

Why Insurance Payment Processing Matters for Service Teams and Owners

Payment processing affects every team in an insurance operation. Friction usually appears first in service interactions, then creates cash flow gaps and operational strain across the business.

Impact on Service Teams

Clear payment processes shape the daily workload for service teams.

When payment handling works well:

• Fewer steps make it easier to send payment links quickly.
• Clear confirmation reduces customer back and forth.
• Visible payment status prevents unnecessary follow ups.
• Faster payments help policies move forward without last minute pressure.

When payment status remains unclear, service teams spend time tracking, checking, and explaining instead of supporting customers.

Impact on Owners and Leadership

For business owners, payment processing influences both stability and reputation.

Reliable payment operations support:

• Better visibility into cash flow.
• Lower operational strain on staff.
• Consistent customer experiences that reflect professionalism.
• Modern payment options that meet customer expectations without disrupting familiar processes.

Delayed payments reduce visibility into cash flow, manual steps increase strain on staff, and inconsistent experiences can erode trust over time. As insurance operations become more data-driven and interconnected, operational efficiency plays a growing role in sustaining performance across billing, servicing, and financial oversight.

How Insurance Payment Processing Works

While specific tools may vary, insurance payment processing follows a predictable flow. Understanding each step helps teams identify where delays and confusion often begin.

Payment processing often operates behind the scenes, but it serves as the connective layer between payment collection, premium finance, and accounting. This foundational layer helps manage fund availability and ensures money moves in a way that supports both current operations and future growth.

What Slows Insurance Payments Down

Even small gaps in the payment process can create friction. These issues often appear repeatedly across service and finance teams.

Why do payments get delayed or returned?

Payment delays often stem from incorrect customer information, bank verification holds, or manual review that slows settlement. ACH returns from incorrect account details are one of the most common issues across the industry and frequently require additional follow up before funds can be posted correctly.

What happens when systems do not connect?

When systems don’t connect, teams face duplicate work and inconsistent updates. Disconnected tools lead to duplicate data entry, missed updates between service and finance, and unclear ownership of follow ups. Approaches that balance automation with human oversight help reduce these gaps by keeping processes aligned and communication clear.

Why do customers struggle to complete payments?

Customer friction often comes from unclear or complex steps. Too many screens, confusing instructions, and the lack of immediate confirmation can cause customers to assume something went wrong. This uncertainty increases inbound calls and slows payment completion.

How Modern Payment Platforms Support Insurance Payment Processing

Modern payment platforms designed for insurance focus on supporting existing processes while reducing manual effort.

With the right platform in place, teams can:

• Centralize payment collection.
• View payment status without switching tools.
• Reduce manual follow-ups tied to unclear or delayed payments.
• Provide service teams with intuitive tools.
• Give owners clearer visibility into payment activity.

Coverage from Digital Insurance highlights how insurance specific technology supports modernization without disrupting established operations.

Why Insurance Payment Processing Is Worth Getting Right

Insurance payment processing shapes service speed, staff workload, and customer confidence, and broader industry shifts toward technology that streamlines core operations reinforce why clarity and efficiency in payment workflows matter.

When payments move clearly and predictably:

• Teams stay focused on customer needs.
• Leadership gains stronger insight into cash flow.
• Customers feel supported throughout the process.

The right setup supports familiar processes while reducing friction across the business.

The post What is Insurance Payment Processing and Why Does it Matter? appeared first on AndDone.

What’s New

You can now create, read, update, and delete Coverage entities through the API. Additional actions include status updates, as well as lock and unlock controls to manage editability. The system also supports both manual and scheduled synchronization with external data sources to keep coverage data current.

Why It Matters

You no longer need separate workflows or tools to manage coverage data. You can now fully manage Coverage entities programmatically and keep them in sync automatically, reducing manual overhead and data inconsistencies.

Adds Full CRUD Support for Policy Entities

What’s New

The API now supports full lifecycle management for Policy entities, including create, read, update, and delete operations. It also introduces manual and scheduled synchronization with external policy data sources to ensure records remain up to date.

Why It Matters

You can now manage policies entirely through the API without relying on external processes. Automated sync ensures your policy data stays consistent across systems with minimal effort.

Introduces Admin Portal Data Sync Framework

What’s New

A new data synchronization framework is implemented in the Admin Portal UI. This enables direct interaction with backend entity APIs such as Program, Carrier, Coverage, General Agent, and Broker management.

Why It Matters

You can now trigger and manage data sync operations directly from the UI instead of relying solely on backend processes. This improves visibility and control over how data flows between systems.

Updates OpenAPI Specification Across All Modules

What’s New

The OpenAPI (Swagger) documentation is updated across all modules. This includes standardized naming, consolidated program definitions, improved version metadata, and support for manual sync endpoints.

Why It Matters

You now have a more consistent and accurate API contract. This makes integration easier, reduces ambiguity, and ensures your client applications align with the latest API behavior.

Enforces Required and Unique Alias for QuoteConfig

What’s New

The alias field in QuoteConfig is now mandatory for both create and update operations. The system enforces case-insensitive uniqueness, and requests with missing or duplicate values will fail with validation errors.

Why It Matters

You can rely on alias as a stable and unique identifier across configurations. This prevents duplication issues and improves consistency when referencing QuoteConfig records.

Upgrade

1. Ensure all create and update requests include a non-empty alias field.
2. Validate that the alias is unique (case-insensitive) before sending requests.
3. Update any existing records that may not meet the new requirement.

Enforces Required and Unique Alias for CommsConfig

What’s New

The alias field in CommsConfig is now required for all create and update operations. The API enforces case-insensitive uniqueness and rejects invalid or duplicate values with clear error responses.

Why It Matters

You can now depend on a consistent and unique identifier for communication configurations. This reduces ambiguity and prevents conflicts across records.

Upgrade

1. Update all create and update requests to include the alias field.
2. Ensure alias values are unique across all existing configurations.
3. Handle validation errors for missing or duplicate aliases in your integration logic.

Release Date: UAT Mar 26, 2026

Release Status: Deployed to Production

This release bundle primarily consists of premium finance development for the coverage, policy, and data sync between IPFS and anddone system using the admin portal.

PFTAD | Coverage Management (Entity API) [AN- 28221]

Introduced full CRUD support for Coverage entities (create, update, status update, lock/unlock, delete).
Added manual and scheduled (cron) sync with Datalink Coverages to keep coverage data up-to-date.

Client facing impact: No

PFTAD | Policy Management (Entity API) [AN-28221] Introduced full CRUD support for policy entities (create, read, update, and delete). Added manual and scheduled (cron) sync with Datalink policy to keep data up-to-date.

Client facing impact: No

PFTAD | Admin Portal – Data Sync [AN-38556]
Implemented front-end data sync framework for the Admin Portal
Enables UI integration with new entity-based APIs (Program, Carrier, Coverage, GA, Broker Management).

Client facing impact: Yes

Required PFTAD swagger update for all modules
Updated PFTAD Open API/Swagger specs across all modules, including PF4 → PFTAD renaming, consolidated program definition, added Manual Sync

Client facing impact: No

API, corrected naming, and standardized missing x- version metadata.

[CR] Quote Config – make alias unique and required
Enforced that alias in quote Config is now mandatory for both Create and Update APIs.
Added case-insensitive uniqueness validation for alias ; requests with missing alias return
MISSING_REQUIRED_FIELD and duplicate aliases return DULPICATE_ALIAS .

Client facing impact: No

[CR] CommsConfig – Make alias field required and unique
Enforced that alias in communication Config is now mandatory for both Create and Update APIs; requests without it return MISSING_REQUIRED_FIELD .
Implemented case‐insensitive uniqueness validation on alias ; if the value matches any existing alias , the API returns DUPLICATE_ALIAS .

Client facing impact: No

The post Production Release Notes – PFTAD (AN_PFTADN_V4) appeared first on AndDone.

Release date: March 26, 2026

Adds Email Notifications for Sub-Merchant Lifecycle Events

What’s New

Allies can now receive email notifications whenever key lifecycle events occur for the sub-merchants they manage. Covered events include onboarding, activation, deactivation, and other merchant status changes. This gives Allies a passive, real-time awareness of their portfolio without requiring them to actively check the portal.

Why It Matters

Before this change, Allies had no automated way to learn when a sub-merchant’s status changed — they had to log in and check manually. You can now rely on email alerts to stay informed about merchant lifecycle activity as it happens, reducing the risk of missing critical changes.

Sends Notifications When Webhook Configurations are Added or Removed

What’s New

Allies receive an email notification whenever a webhook is added to or deleted from their account. This ensures that any change to webhook configuration — whether intentional or unexpected — is surfaced to the Ally promptly.

Why It Matters

Webhook changes can silently break downstream integrations if they go unnoticed. You can now detect configuration changes immediately and investigate or respond before any integration impact escalates.

Restricts Merchant Management Webhook Module to IPFS Allies Only

What’s New

The Merchant Management webhook module in the Ally Portal is now only visible and accessible to Allies who are set up as IPFS Allies. Non-IPFS Allies no longer see this module in their webhook subscription interface.

Why It Matters

Previously, non-IPFS Allies could see webhook modules that were not applicable to their account type, leading to confusion. You can now expect the webhook subscription UI to reflect only the options relevant to your Ally configuration.

Fixes Recurring Scheduler Errors Caused by Special Characters in Merchant References

What’s New

The transaction correction scheduler previously failed every 30 minutes when processing records where the Merchant Reference field contained special characters, including single quotes. The underlying SQL update logic has been corrected to handle these characters safely.

Why It Matters

Transactions containing special characters in the Merchant Reference field were getting stuck and never advancing to the correct status. Those transactions now process reliably, and the scheduler no longer produces recurring errors.

Displays Split Reference Identifiers in the Payment Details UI

What’s New

When a payment is split into multiple portions, each split’s merchant-provided reference identifier is now stored and displayed in the UI. This appears in both the standard payment intent flow and the secure payments flow, within the split payment details view.

Why it Matters

You can now verify and cross-reference each portion of a split payment against the merchant-assigned reference — useful for reconciliation, auditing, and tracking individual splits through your own systems.

UAT Release: Ally Management V15 (AN_ALMGMT_V15) Release Ticket:

Release Date: Mar 26, 2026

Release Status: Done

Summary

Ally Sub‐merchant Activity Notifications – Ally notification capabilities are extended so Allies can receive email updates about key sub‐merchant activities (such as onboarding, activation, deactivation and other changes), helping them stay informed about merchant lifecycle events.

Ally Portal Webhooks & Admin UI Consistency – The Ally Portal webhook subscription experience is refined so IPFS‐specific modules are no longer shown to non‐IPFS Allies, and Admin portal Ally table visuals are aligned for a more consistent UI.

Transactions, Monitoring & Front‐end Hardening – Transaction correction handling is made robust for special characters, Additional UI support is added for displaying split references on split payments.

AN-45805: UAT Release – Ally Management (AN_ALMGMT_V15)

POST DEPLOYMENT MONITORING

Ally Notifications | Sub‐merchant related updates (Epic AN-41458) Enables Allies to receive email notifications for activity related to their sub‐merchants (such as activations, deactivations or other updates), so they are aware of important lifecycle changes for the merchants they manage.

Client Facing Impact: YES

Ally Notifications | Ally webhook Added/deleted (AN-36995) Sends Ally notifications when a webhook is added or deleted for an Ally, ensuring Allies are informed whenever webhook configurations they rely on are changed.

Client Facing Impact: YES

Ally Portal | Hide Merchant Management Webhook Module (Non‐IPFS Allies) (AN-46091) Restricts the Merchant Management webhook module

Client Facing Impact: YES

in Ally Portal so it is only listed and available for IPFS Allies, preventing non‐IPFS Allies from seeing or subscribing to IPFS‐specific webhook modules.
[PROD] – Console statement “Angular is running in development mode.” is visible on production environment (AN-46887)
Cleans up the UI console in production so the “Angular is running in development mode.” message and related development‐mode logs are no longer shown, aligning browser console behavior with production standards.

Client Facing Impact: NO

Regression Ally: Inconsistent UI on Allies table in Admin portal (AN- 46404)

Fixes a UI regression on the Allies table in the Admin Portal by restoring the missing divider line above the Actions menu, ensuring a consistent and polished table layout.

Client Facing Impact: NO

Encountered the scheduler error Transaction Entity Correction Handler for every 30 minute. (AN-45359)
Fixes an issue in Transaction Entity Correction Handler where SQL updates failed when the Merchant Reference field contained certain special characters (including single quotes), preventing recurring scheduler errors and ensuring affected transactions move to the correct status without failures.

Client Facing Impact: NO

Ability to display Split Reference in UI (AN-44749) Stores and displays each split’s merchant‐provided reference in the UI for split payment details (via existing payment intent and secure payments flows) so users can verify and track the reference associated with each split portion of a payment.

Client Facing Impact: YES

The post Production Release Notes – Ally Management V15(AN_ALMGMT_V15) appeared first on AndDone.