How much does it cost to become compliant with the Payment Card Industry Data Security Standard (PCI DSS)? It is challenging to put a number or an actual figure of becoming PCI compliant. The reason exact dollar amounts become a problem to predict is it depends on the size of the organization, whether they are eligible for the PCI Self Assessment Questionnaire (PCI SAQ), and the way they handle and store customer information.
The good news is that an organization can look at the typical requirements around becoming PCI compliant and reverse engineer what costs might look like. PCI uses merchant levels to determine risk and ascertain the appropriate level of security for their businesses. Specifically, merchant levels determine the amount of assessment and security validation that is required for the merchant to pass PCI DSS assessment. Merchants are classified into levels based on the number of transactions processed in a given year.
Organization size
PCI compliance cost comes down to the size of an organization, the number of transactions, and what type of transactions are being processed. Visa, Mastercard, and Discover all use the same general criteria while JCB and American Express have their own versions. At a high level, the PCI DSS merchant levels are as follows:
Level 1: Merchants with over 6 million transactions a year or any merchant that has had a data breach
Level 2: Merchants with between 1 million and 6 million transactions annually
Level 3: Merchants with between 20,000 and 1 million transactions annually
Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year
The list below provides a sample of compliance requirements for the various merchant levels, grouped by size:
Small organization (Level 3 or Level 4)
- Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor (ASV)
- Annual Self-assessment Questionnaire
- remediation
- Training
Medium-sized organization (Level 2)
- Quarterly ASV-performed vulnerability scans
- Annual Self-assessment Questionnaire
- Remediation
- Penetration testing
- Training
Large or very large organization (Level 1)
- PCI environment hardware
- Networking
- Servers
- Storage
- PCI environment software
- Operating systems
- Security operations
- Self-assessment
- Onsite third-party audit by qualified security assessor (QSA)
- Remediation
- Quarterly ASV-performed vulnerability scan
- Penetration testing
- Data security, classification, and encryption
- Training
Qualify for PCI SAQ
Imagine a small business that qualifies for the PCI SAQ. Organizations that qualify for the PCI SAQ will have lower costs than those needing an onsite audit performed by a QSA.
The Self-Assessment Questionnaire (SAQ) itself may cost under $300, however the following costs also need to be considered:
- Required vulnerability scanning ~ $100-$200 per IP address
- Training and policy development ~$70 per employee
- Remediation (software and hardware updates, etc.) ~ varies greatly based on compliance and security maturity, but estimated: ~ $100 – $10,000
- ISA (internal resource) – $95k average annual salary
How is data stored and transmitted?
Large organizations often require completely separate information technology environments for processing, storing, transmitting credit card data. The reason for the separate environment is because of the stringent nature of security controls related to PCI and cardholder data. Imagine an entire organization having to comply with PCI mandates to store or transmit credit card transactions. While a dream from a security practitioner’s point of view, a totally locked-down environment is expensive and often the bane of the productive office worker.
PCI DSS compliance tends to be a scalable cost. Most small business owners leverage PCI SAQ in order to keep margins high and pass the risk of accepting credit cards on to a service provider. The cost for PCI SAQ is marginal compared to creating a separate PCI environment.
As organizations grow and accept more credit cards, the complexity increases and they may need to create a separate environment of their own. Overall, separate secure PCI environments aren’t cheap. The good news is that businesses only need a small segment of the overall network to be PCI compliant, which saves time and treasure for already-taxed information technology and security teams.
Cost of Data Breach and PCI Non-Compliance Fees
The actual costs of a data breach and PCI non-compliance are well documented. The average cost of a data breach is estimated at $4million or $148 per lost record (2018 Ponemon Cost of Data Breach Study). PCI fines for non-compliance vary from $5000 – $100k/month until the merchant achieves compliance. There are other costs related to noncompliance such as:
- Reputational damage – on average, more than 25% of a company’s market value is directly attributable to its reputation. (2012 World Economic Forum Study cited in 2014 Deloitte Global Survey on Reputation Risk)
- 87% of respondents in the Deloitte Global Survey stated that reputation risk is the top strategic business risk.
- Loss of revenue
- Potentially blocked from processing payment cards