Cost of PCI Compliance
'What does it cost be PCI compliant?’ is a common question by business owners and software providers facing compliance requirements. Several estimates have been generated by industry leaders on PCI compliance costs.
For Merchants (Complying with PCI DSS)
IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:
• Upgrading payment systems and security infrastructure,
• Verifying compliance (assessments), and
• Sustaining compliance.
New components that might have to be installed to upgrade payment systems and security infrastructure include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software.
Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants.
In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months. Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.
Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment. Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment. Gartner did not discuss Level 4 merchants in the report.
For Software Developers (Complying with PA-DSS)
To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.
Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.
Update October 15, 2010: Ponemon Institute released a report in March 2010, PCI DSS Trends 2010: QSA Insights Report, that adds the following information on PCI compliance assessment costs (not total PCI compliance costs):
The largest merchants and services providers are identified as Tier 1, and are required to be audited onsite by Qualified Security Assessors (QSAs). QSAs agree that aspects of the PCI DSS are more important and more difficult to achieve compliance than others. Taking into account the weeks that an audit takes, the assessment fees, as well as the lost time and opportunity costs as staff to assist with the audit, the average annual costs is $225,000 for Tier 1 merchants. It should be noted that for 10 percent of these Tier 1 merchants, assessment fees were double, exceeding $500,000 annually.
Originally, in 2009, MasterCard announced that onsite QSA audits would also be required for Tier 2 Merchants. However, MasterCard reversed this decision, and like Visa, will allow internal audit teams to perform the annual assessment. MasterCard also announced that Tier 1 merchants could be able to use qualified internal audit teams, instead of QSAs to perform their annual assessments. This is similar to the guidelines that American Express has in place.
Unsure what level of compliance your company meets? Find out at our PCI Compliance Level page.