Cost of PCI Compliance
'What does it cost be PCI compliant?’ is a common question by business owners and software providers facing compliance requirements. Several estimates have been generated by industry leaders on PCI compliance costs.
For Merchants (Complying with PCI DSS)
IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:
• Upgrading payment systems and security infrastructure,
• Verifying compliance (assessments), and
• Sustaining compliance.
New components that might have to be installed to upgrade payment systems and security infrastructure
include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software.
Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants.
In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months. Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.
Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment. Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment. Gartner did not discuss Level 4 merchants in the report.
For Software Developers (Complying with PA-DSS)
To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.
Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.
Great informational article. I plan on posting and providing a link at the PIN Debit Payments Blog. Happy to see Element Payment Solutions growing and prospering, but not surprised, knowing Sean is the guy behind it. Had the pleasure of working with him in the past.
Posted by: John B. Frank | 02/17/2009 at 10:34 AM
Panoptic Security provides a $15 1x charge for hand-holding the level 4 merchant through SAQ Selection, SAQ, and remediation plan completion, all of which are required to get the merchant's bank / processor off its back for a while.
Posted by: Jim Kilgour | 02/18/2009 at 12:28 PM
We're using dotdefender to implement pci dss 6.6 compliance.
The costs that we check was:
Hardware solution - Imperva $45K
Software solution - dotdefender $4K
Code Security - $12K
Eventually we decided going on with dotdefender solution.
Dani
Posted by: PCI DSS 6.6 Compliance | 02/23/2009 at 07:40 AM
Thanks John, Jim and Dani for commenting on this post. We fully intend for our posts to be a jumping off point for discussion within the field. So keep the comments coming!
Posted by: Element Payment Services | 02/24/2009 at 09:48 AM
This information is very helpful. It really helps me understand more about PCI. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.
Posted by: pci compliance | 05/18/2009 at 12:08 AM
PCI Compliance is growing, and it appears that with the increase in the number of smaller companies that are needing to become compliant something will have to be done about these costs. Perhaps we'll see an evolution in these costs.
Posted by: PCI DSS Compliance | 06/29/2009 at 08:14 AM
Finally I found this article, thanks for sharing
Posted by: Dendy | 01/25/2010 at 04:55 AM