PCI DSS Compliance Blog: Cost of PCI Compliance


02/17/2009

Cost of PCI Compliance

"What does it cost to be PCI compliant?" is a common question from business owners and software providers facing compliance requirements. Several estimates of PCI compliance costs have been published by industry leaders.

For Merchants (Complying with PCI DSS)

IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:

•    Upgrading payment systems and security infrastructure,
•    Verifying compliance (assessments), and
•    Sustaining compliance.

New components that might have to be installed to upgrade payment systems and security infrastructure include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software.

Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants. 

In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months.  Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.

Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment. Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment. Gartner did not discuss Level 4 merchants in the report.

For Software Developers (Complying with PA-DSS)

To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.

Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.


Update October 15, 2010: Ponemon Institute released a report in March 2010, PCI DSS Trends 2010: QSA Insights Report, that adds the following information on PCI compliance assessment costs (not total PCI compliance costs):

The largest merchants and service providers are identified as Tier 1 and are required to be audited onsite by Qualified Security Assessors (QSAs). QSAs agree that some aspects of the PCI DSS are more important, and more difficult to achieve compliance with, than others. Taking into account the weeks that an audit takes, the assessment fees, and the lost time and opportunity costs of staff assisting with the audit, the average annual assessment cost is $225,000 for Tier 1 merchants. It should be noted that for 10 percent of these Tier 1 merchants, assessment fees were double, exceeding $500,000 annually.

Originally, in 2009, MasterCard announced that onsite QSA audits would also be required for Tier 2 merchants. However, MasterCard reversed this decision and, like Visa, will allow internal audit teams to perform the annual assessment. MasterCard also announced that Tier 1 merchants would be able to use qualified internal audit teams, instead of QSAs, to perform their annual assessments. This is similar to the guidelines that American Express has in place.

Unsure what level of compliance your company meets? Find out at our PCI Compliance Level page.


Comments

Great informational article. I plan on posting and providing a link at the PIN Debit Payments Blog. Happy to see Element Payment Solutions growing and prospering, but not surprised, knowing Sean is the guy behind it. Had the pleasure of working with him in the past.

Panoptic Security provides a $15 1x charge for hand-holding the level 4 merchant through SAQ Selection, SAQ, and remediation plan completion, all of which are required to get the merchant's bank / processor off its back for a while.

We're using dotDefender to implement PCI DSS 6.6 compliance.
The costs that we checked were:
Hardware solution - Imperva $45K
Software solution - dotDefender $4K
Code Security - $12K

Eventually we decided to go with the dotDefender solution.

Dani

Thanks John, Jim and Dani for commenting on this post. We fully intend for our posts to be a jumping off point for discussion within the field. So keep the comments coming!

This information is very helpful. It really helps me understand more about PCI. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.

PCI Compliance is growing, and it appears that with the increase in the number of smaller companies that are needing to become compliant something will have to be done about these costs. Perhaps we'll see an evolution in these costs.

This is pretty helpful stuff. I am an intern working on helping my company become PCI compliant. This is a great resource. God Bless you!
