PCI compliance cost

Realistic PCI security budgets vs. wishful thinking.

By Gary Glover, Director of SecurityMetrics Assessments
Being PCI compliant is more than just filling out a PCI SAQ or completing a vulnerability scan. A lot of work and resources go into remediating business procedures so that customer credit card data is actually protected, and only then does PCI compliance follow.

Many businesses are confused about the budget they should set for PCI compliance. Often, they budget too little. Small budgets make it difficult for IT departments and third parties to upgrade equipment to current security standards, and the business ends up unable to protect the data it handles.
So how much does PCI compliance actually cost?
The answer depends largely on how many transactions you process each year. Your business falls into one of two groups:
  • Businesses that process over 6 million Visa or MasterCard transactions per year (or businesses that feel they need an onsite audit): Companies processing over 6 million Visa transactions annually (known as Level 1 merchants) must undergo an onsite data security audit by a QSA (Qualified Security Assessor). But any business can request an audit. In fact, if you aren’t a Level 1 merchant but are still a large merchant (for example, processing 1 million transactions per year or more), it is highly recommended that you receive an audit. Many Level 2 (1 million to 6 million transactions) and Level 3 (20,000 to 1 million e-commerce transactions) merchants elect to get audits because they are simply too big to assess their own compliance accurately.
  • Businesses that process fewer than 6 million Visa or MasterCard transactions per year: These companies’ validation requirements are less stringent because they don’t handle as much card data as Level 1 merchants, but remember: they are still required to be compliant. Your validation will at a minimum consist of completing a Self-Assessment Questionnaire, but may also require vulnerability scanning, penetration testing, or security training. Your acquiring bank may pay for these services as part of its PCI compliance program, or it may leave you to your own devices. Either way, it’s up to you to decide whether you want a PCI DSS audit, but if you process fewer than 20,000 Visa or MasterCard transactions per year, an onsite audit probably doesn’t make financial sense.

Variables that affect PCI DSS compliance cost

The cost of your PCI audit depends entirely on how your organization is set up. Here are a few variables that will factor into the cost of your overall compliance.
  • Your business type: Are you a franchise, service provider, or mom and pop shop? Each will have varying amounts of cardholder data, environment structure, and varying risk levels, which means different requirements.
  • Your organization size: Typically, the larger the organization, the more potential vulnerabilities it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments all mean more cost.
  • Your organization’s culture: If data security is one of upper management’s top priorities, increasing security costs probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budget to data security, because they don’t understand their organization’s security liabilities.
  • Your organization’s environment: The type of mobile devices, the brand of computers, the kind of firewalls, the model of backend servers, etc. can all affect PCI cost.
  • Your organization’s dedicated PCI staff: Even with a dedicated team, organizations usually require outside assistance or consulting to help them meet PCI requirements.
  • Your PCI fees: Your acquiring bank may charge PCI noncompliance fees on your monthly statement. Depending on your acquiring bank, these fees may or may not disappear after you’ve validated your PCI compliance.
  • Your acquirer pre-pays: Some acquiring banks contract with a PCI DSS vendor and pay for their merchants’ PCI compliance. However, this is quite rare.
How much does PCI DSS cost?
Now that we know the factors that could affect the cost of PCI, how much does it actually cost?

If you’re a small entity, PCI DSS compliance should cost from $300 per year (depending on your environment).

  • Self-Assessment Questionnaire ~$50 - $200
  • Vulnerability scanning ~ $100 - $150 per IP address
  • Training and policy development ~ $70 per employee
  • Remediation (software and hardware updates, etc.) ~ Varies greatly based on where the entity stands today in relation to compliance and security, but estimated at ~ $100 - $10,000

If you are a large entity and get a PCI DSS audit, expect to pay from $70,000 per audit (depending on your environment).

  • Onsite audit ~ $40,000+
  • Vulnerability scans ~ $800+
  • Penetration testing ~ $5,000+
  • Training and policy development ~ $5,000+
  • Remediation (software and hardware updates, etc.) ~ Varies greatly based on where the entity stands today in relation to compliance and security, but estimated at ~ $10,000 - $500,000


Securing cardholder data is a challenge facing every business that processes credit cards. Following the PCI DSS is a great place to start. Ignoring the PCI DSS, or going after it half-heartedly, is a recipe for disaster. PCI DSS is the best foundation for your data security program, and it is ultimately cheaper than exposing your brand to a data breach.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.