PCI DSS Compliance Blog: Cost of PCI Compliance

« PCI SAQ Made Easy | Main | Remote Credit Card Data Storage Facilitates PCI Compliance »


Cost of PCI Compliance

'What does it cost be PCI compliant?’ is a common question by business owners and software providers facing compliance requirements.  Several estimates have been generated by industry leaders on PCI compliance costs. 

For Merchants (Complying with PCI DSS)

IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:

•    Upgrading payment systems and security infrastructure,
•    Verifying compliance (assessments), and
•    Sustaining compliance.

New components that might have to be installed to upgrade payment systems and security infrastructureWorld image include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software. 

Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants. 

In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months.  Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.

Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment.   Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment.  Gartner did not discuss Level 4 merchants in the report.

For Software Developers (Complying with PA-DSS)

To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.

Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.


Update October 15, 2010: Ponemon Institute released a report in March 2010, PCI DSS Trends 2010: QSA Insights Report, that adds the following information on PCI compliance assessment costs (not total PCI compliance costs):

The largest merchants and services providers are identified as Tier 1, and are required to be audited onsite by Qualified Security Assessors (QSAs). QSAs agree that aspects of the PCI DSS are more important and more difficult to achieve compliance than others. Taking into account the weeks that an audit takes, the assessment fees, as well as the lost time and opportunity costs as staff to assist with the audit, the average annual costs is $225,000 for Tier 1 merchants. It should be noted that for 10 percent of these Tier 1 merchants, assessment fees were double, exceeding $500,000 annually.

Originally, in 2009, MasterCard announced that onsite QSA audits would also be required for Tier 2 Merchants. However, MasterCard reversed this decision, and like Visa, will allow internal audit teams to perform the annual assessment. MasterCard also announced that Tier 1 merchants could be able to use qualified internal audit teams, instead of QSAs to perform their annual assessments. This is similar to the guidelines that American Express has in place.

Unsure what level of compliance your company meets? Find out at our PCI Compliance Level page.



TrackBack URL for this entry:

Listed below are links to weblogs that reference Cost of PCI Compliance:


Great informational article. I plan on posting and providing a link at the PIN Debit Payments Blog. Happy to see Element Payment Solutions growing and prospering, but not surprised, knowing Sean is the guy behind it. Had the pleasure of working with him in the past.

Panoptic Security provides a $15 1x charge for hand-holding the level 4 merchant through SAQ Selection, SAQ, and remediation plan completion, all of which are required to get the merchant's bank / processor off its back for a while.

We're using dotdefender to implement pci dss 6.6 compliance.
The costs that we check was:
Hardware solution - Imperva $45K
Software solution - dotdefender $4K
Code Security - $12K

Eventually we decided going on with dotdefender solution.


Thanks John, Jim and Dani for commenting on this post. We fully intend for our posts to be a jumping off point for discussion within the field. So keep the comments coming!

This information is very helpful. It really helps me understand more about PCI. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.

PCI Compliance is growing, and it appears that with the increase in the number of smaller companies that are needing to become compliant something will have to be done about these costs. Perhaps we'll see an evolution in these costs.

This is pretty helpful stuff. I am an intern working on helping my company become PCI compliant. This is a great resource. God Bless you!

The comments to this entry are closed.

Search Blog

Your email address:

Bookmark and Share


About PCI DSS Compliance Blog

Email Us

PCI Compliance Resources

Industry News on Twitter

Visit Element on