‘Is there a fixed cost for becoming PCI-DSS compliant?’ is a frequently asked question, and the short answer is no. The cost depends primarily on how many transactions need to be processed and on the methods used to transmit and store cardholder data. Before we delve into these factors, let’s begin by understanding PCI-DSS compliance.
PCI-DSS compliance is adherence to the requirements outlined in the Payment Card Industry Data Security Standard (PCI-DSS). PCI compliance ensures that payment card (credit and debit card) data is processed and stored in a secure manner. All businesses that accept payment cards are required to be PCI compliant. The PCI Security Standards Council (PCI SSC) handles the development and adoption of the standard, while the card brands mandate it.
The cost of PCI DSS compliance can vary widely from one company to the next. For small businesses, PCI DSS compliance can cost around $300 annually, while large enterprises can expect to pay a minimum of $70,000.
The size of an organization is defined by the volume of payment card transactions it handles annually, and the cost of PCI compliance varies with that size. The PCI SSC stakeholders (the five major payment brands) define four classification levels based on organization size.
| Level | Who it covers |
|---|---|
| Level 1 | Large organizations that handle over 6 million transactions per year, or organizations whose card account data has been compromised in a data breach. Service providers that process over 300,000 transactions per year are also grouped under Level 1. |
| Level 2 | Organizations that handle between 1 and 6 million transactions annually, and service providers that process fewer than 300,000 transactions annually. |
| Level 3 | Medium-sized organizations that handle between 20,000 and 1 million e-commerce transactions annually. |
| Level 4 | Merchants that process fewer than 20,000 transactions annually. |
Depending on the number of transactions processed, organizations must pass quarterly or annual vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV).
Qualifying for PCI SAQ
The PCI SAQ is a self-validation tool designed by the PCI SSC to assess compliance in Level 2 to Level 4 organizations. There are 9 different SAQ questionnaires. Organizations must choose the applicable PCI SAQ based on how they handle cardholder data, complete it, and then submit the Attestation of Compliance (AOC). The questionnaires vary in length, from 22 questions to more than 329.
Basic PCI compliance requirements for Level 1 include an onsite assessment by an Internal Security Assessor (ISA) or a Qualified Security Assessor (QSA). A Report on Compliance (RoC) must also be submitted, together with the AOC. Level 2 organizations may also need to complete a RoC.
Data Transmission & Storage Methods
Small organizations typically incur a lower cost because they can transfer the risk of handling cardholder data to service providers. For large organizations, it is often more practical to maintain a separate environment for handling cardholder data. Although the cost scales with the organization, a locked-down cardholder data environment is generally expensive.
If data security has always been a priority and part of an organization’s culture, the cost of PCI compliance will be lower. In a security-focused culture, stakeholders recognize the importance of compliance and are willing to invest in a secure environment for PCI-DSS. Without such a culture, it is harder to convince decision makers to invest as heavily, and this becomes costly in the long run as the organization faces the ‘cost of non-compliance.’
As a rule of thumb, a higher level of security awareness in an organization translates to a lower cost of PCI compliance.
Dedicated PCI Staff or External Consultants?
Organizations can manage their own PCI compliance by training or hiring qualified employees, or engage PCI compliance consultants, depending on the cost-effectiveness of each option. The cost of consultancy is rarely avoided entirely, however: even with the appropriate staff, an external consultant is often needed to oversee the process. External consultants remove internal bias and bring ample audit experience to draw from.
Cost of Non-Compliance
The cost of PCI non-compliance can be estimated from the outcomes of not meeting the PCI requirements. The most common outcome is a data breach that compromises cardholder data. Data breaches are costly and damage an organization’s reputation. In extreme cases they lead to lost revenue, fewer investors, and the cost of settling breach-related claims.
There are also monthly PCI non-compliance fines, which add up to a significant loss over time. Non-compliant organizations can also be barred from handling transactions and cardholder data, which can force a shutdown if card payments are central to the business model.
The cost of PCI-DSS compliance varies widely from one organization to another, based on many influencing factors. For organizations that are already security aware, PCI compliance typically adds only a minimal cost. PCI SSC is one of many industry organizations driving best practices and increasing global security awareness. PCI compliance raises the bar for the security of payment card data processing and ultimately holds companies accountable for secure data transfer.
StandardFusion + PCI DSS
PCI DSS compliance is evaluated at least once a year and requires ongoing management to ensure adherence. This can be done with spreadsheets and calendar reminders, although a dedicated GRC tool greatly simplifies the process. For security-aware companies already compliant with one or more frameworks, StandardFusion is designed to be the single source of truth and the hub of your information security program. Streamline your compliance and risk management today and bring all your GRC activities into one secure, easy-to-use tool.