Learn the elements of PCI compliance and realistic PCI security budgets. Updated on November 26, 2018.
Being PCI compliant involves more than filling out a PCI SAQ or completing a vulnerability scan. Reaching and maintaining compliance takes a lot of work and resources, including changes to business procedures, to ensure customer credit card data is protected.
Many businesses are unsure what budget they should set for PCI compliance, and they often budget too little. A small budget makes it difficult for IT departments and third parties to upgrade equipment and processes to current security standards, which is what actually protects the data.
For validation purposes, businesses fall into one of two groups:
1. Businesses that are required to have third-party validation of PCI compliance:
Merchants processing over 6 million card transactions annually (Level 1 merchants) must have an onsite data security assessment by a QSA (Qualified Security Assessor). Large service providers that support merchants and store, process, or transmit more than 300,000 transactions per year are Level 1 service providers and must also have an onsite assessment conducted by a QSA.
2. Businesses that can self-validate their PCI compliance:
These businesses don’t handle as much card data as Level 1 merchants, but remember: they’re still required to be compliant. Requirements for compliance will at least include completing a Self-Assessment Questionnaire, but may also require vulnerability scanning, penetration testing, and security training.
Even if you aren’t a Level 1 merchant, but are still a large merchant (for example, you process at least 1 million transactions per year) it’s still recommended you receive an audit. Many Level 2 (1 million to 6 million transactions) and Level 3 merchants (20,000 to 1 million eCommerce transactions) elect to schedule audits because they’re just too big to efficiently become PCI compliant by themselves.
If you are a small merchant, your acquiring bank may pay for these services as part of its PCI compliance program, or it may leave you to take care of them. Either way, it's up to you to decide whether you want a PCI DSS audit. If you process fewer than 20,000 Visa or MasterCard transactions per year, paying for an onsite audit probably doesn't make sense.
How much does PCI compliance cost?
The cost of PCI compliance depends on how your organization is set up. Here are a few variables that affect the overall cost of PCI compliance.
- Your business type: Are you a Level 1 merchant, large franchise, service provider, or a mom-and-pop shop? Each will have varying amounts of cardholder data, environment structure, and varying risk levels, which means different requirements.
- Your organization size: Typically, the larger the organization, the more potential compliance gaps it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments means more cost.
- Your organization’s security culture: If data security is one of upper management’s top priorities, increasing security costs probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budget to data security, because they don’t understand their organization’s security liabilities.
- Your organization’s environment: The design of your network (LAN/WAN), networking technologies used, number and types of systems used, type of mobile devices, etc. can all affect PCI cost.
- Your organization’s dedicated PCI staff: Even with a dedicated team, organizations usually require outside assistance or consulting to help them better understand and meet PCI requirements.
- Your acquirer pre-pays: Some acquiring banks consult with a PCI DSS vendor and pay for their small merchants' PCI compliance. However, this is quite rare.
If you're a small business, PCI DSS compliance should cost from about $300 per year upward (depending on your environment).
- Self-Assessment Questionnaire ~$50 - $200
- Vulnerability scanning ~ $100 - $200 per IP address
- Training and policy development ~ $70 per employee
- Remediation (software and hardware updates, etc.) ~ Varies greatly based on where entity is today in relation to compliance and security, but estimated: ~ $100 - $10,000
If you're a very large enterprise and need a PCI DSS assessment, expect to pay $70,000+ in total costs (depending on your environment).
- Onsite audit ~ $40,000
- Vulnerability scans ~ $1,000
- Penetration testing ~ $15,000
- Training and policy development ~ $5,000
- Remediation (software and hardware updates, etc.) ~ Varies greatly based on where entity is today in relation to compliance and security, but estimated: ~ $10,000- $500,000
How much does a PCI audit cost?
Most of the factors that affect PCI compliance cost also affect the cost of an onsite PCI assessment. Major influences include organization size and card processing methods. On average, an onsite assessment by a PCI-certified QSA costs around $15,000, with the large-enterprise figure above at the high end of that range.
Make PCI compliance a priority
Following the PCI DSS is a sound foundation for your data security program, and it is ultimately far cheaper than exposing your brand to a data breach.
SEE ALSO: 5 Simple Ways to Get PCI Compliant
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and prosper as you visit his other blog posts.