Learn elements of reaching PCI compliance and realistic PCI security budgets.

Gary Glover, Director of SecurityMetrics Assessments
By: Gary Glover
VP of Assessments
QSA, CISSP
Note: This post was originally published on August 19, 2015 and has been updated. 

Being PCI compliant involves more than just filling out a PCI SAQ or completing a vulnerability scan. A lot of work and resources go into changing business procedures to ensure the protection of customer credit card data, and eventual PCI compliance.



Many businesses are confused about the budget they should set for PCI compliance. Often, they budget too little. Small budgets make it difficult for IT departments and third parties to upgrade equipment to the latest security standards to ensure the business protects data security.
So how much does PCI compliance actually cost?
The answer partially depends on how many transactions you process each year. Your business falls into one of two groups:


  • Businesses that process over 6 million Visa or MasterCard transactions per year (or, businesses that feel they need an onsite PCI audit): Businesses processing over 6 million card transactions annually (also known as Level 1 merchants) must have an onsite data security audit by a QSA (Qualified Security Assessor). Even if you aren’t a Level 1 merchant, but are still a large merchant (for example, processing 1 million transactions per year or above) it’s also highly recommended you receive an audit. Many Level 2 (1 million to 6 million transactions) and Level 3 (20,000 – 1 million eCommerce transactions) elect to get audits because they’re just too big to efficiently become PCI compliant by themselves.
  • Business that process less than 6 million Visa or MasterCard transactions per year: These businesses don’t handle as much card data as Level 1 merchants, but remember: they’re still required to be compliant. Requirements for compliance will at least include completing a Self-Assessment Questionnaire, but may also require vulnerability scanning, penetration testing, or security training. Your acquiring bank may pay for these services as part of their PCI compliance program or they may leave you to take care of it. Either way, it’s up to you to decide if you want a PCI DSS audit, but if you process less than 20,000 Visa or MasterCard transactions per year, it probably doesn’t make sense to get an onsite audit.

Variables that affect PCI DSS compliance cost

The cost of PCI compliance depends on your organization setup. Here are a few variables that will affect the overall cost of PCI compliance.

  • Your business type: Are you a franchise, service provider, or mom and pop shop? Each will have varying amounts of cardholder data, environment structure, and varying risk levels, which means different requirements.
  • Your organization size: Typically, the larger the organization, the more potential compliance gaps it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments means more cost.
  • Your organization’s security culture: If data security is one of upper management’s top priorities, increasing security costs probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budget to data security, because they don’t understand their organization’s security liabilities.
  • Your organization’s environment: The design of your network (LAN/WAN), networking technologies used, number and types of systems used, type of mobile devices, etc. can all affect PCI cost.
  • Your organization’s dedicated PCI staff: Even with a dedicated team, organizations usually require outside assistance or consulting to help them better understand and meet PCI requirements.
  • Your acquirer pre-pays: Some acquiring banks consult with a PCI DSS vendor and pay for their merchant’s PCI compliance. However, this is quite rare.
Now that we know the factors that could affect the cost of PCI, how much does it actually cost?
PCI DSS cost

If you’re a small business, PCI DSS compliance should cost from $300 per year (depending on your environment).

  • Self-Assessment Questionnaire ~$50 - $200
  • Vulnerability scanning ~ $100 - $200 per IP address
  • Training and policy development ~ $70 per employee
  • Remediation (software and hardware updates, etc.) ~ Varies greatly based on where entity is today in relation to compliance and security, but estimated: ~ $100 - $10,000

If you are large enterprise and need a PCI DSS audit, expect to pay from $70,000 per audit (depending on your environment).

  • Onsite audit ~ $40,000+
  • Vulnerability scans ~ $800+
  • Penetration testing ~ $5,000+
  • Training and policy development ~ $5,000+
  • Remediation (software and hardware updates, etc.) ~ Varies greatly based on where entity is today in relation to compliance and security, but estimated: ~ $10,000- $500,000
SEE ALSO: How Much Does a Data Breach Cost Your Organization?


Conclusion

Securing cardholder data is a challenge facing all businesses that process credit cards. Know that following the PCI DSS is a great place to start. Ignoring the PCI DSS, or going after it half-heartedly is a recipe for disaster.

PCI DSS is the best way to start your data security, and ultimately cheaper than exposing your brand to a data breach.

SEE ALSO: 5 Simple Ways to Get PCI Compliant

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.