Introduction
The Payment Card Industry Data Security Standard (PCI DSS) provides operational and technical guidelines on creating a secure cardholder data environment (CDE). It also outlines detailed testing procedures for assessing if a business is PCI compliant.
To pass annual PCI assessments, merchants often need to establish new security policies, invest in advanced software solutions, and organize employee training programs.
Find out how much it costs to become PCI compliant and how this process affects your bottom line.
Factors That Influence PCI DSS Costs
The PCI DSS is a lengthy document that lists 12 requirements and over 200 sub-requirements businesses must fulfill before they start accepting card transactions.
Organizations are expected to:
- Develop and maintain a secure network and systems.
- Introduce robust access control measures.
- Regularly test and monitor networks.
- Maintain a vulnerability management program.
- Implement policies that protect cardholder data.
- Have a thorough and well-documented InfoSec policy.
Continuously updating security policies and technical solutions can put organizations under significant financial strain.
The exact amount a company needs to spend on PCI compliance depends on its business model, size, organizational capabilities, and the number of transactions it processes annually.
Note: Refer to our PCI Compliance checklist for merchants and learn everything you need to know to be PCI compliant.
Number of Transactions Processed Annually
PCI data security requirements cannot be applied partially. All businesses that collect, store, or transmit cardholder data are expected to employ the same security standards.
Payment card brands do, however, categorize businesses into 4 PCI compliance levels based on the number of card transactions they process annually.
The compliance level determines the type of assessment a company needs to undergo and how much the annual PCI audit is going to cost.
Large companies that process more than 6 million card transactions per year need to undergo on-premises audits conducted by a Qualified Security Assessor (QSA). A third-party PCI assessment and potential data remediations for a large organization can cost more than $50,000 annually.
Compliance Level | Card Transactions Per Year | Annual PCI Assessment | Potential Cost
---|---|---|---
Level 1 | 6 million+ | The audit must be performed by a Qualified Security Assessor (QSA). | $50,000+
Level 2 | Between 1 million and 6 million | Self-assessment using a Self-Assessment Questionnaire (SAQ). The form is completed by an employee who is a certified Internal Security Assessor (ISA). | $10,000+
Level 3 | Between 20,000 and 1 million | Self-assessment using the appropriate SAQ form. | $1,200+
Level 4 | Fewer than 20,000 | Self-assessment using the relevant SAQ form. | $300+
Smaller merchants can complete one of several types of self-assessment questionnaires (SAQ). The cost of a PCI self-audit using an SAQ can range from several hundred to several thousand dollars.
The type of PCI audit and SAQ an organization needs to submit depends on its business model and how it plans to handle cardholder data. Merchants should consult with their bank or payment card brand to confirm their compliance level and the type of SAQ they need to complete.
Business Model
PCI DSS ensures that all participants in the payment process adhere to a minimum set of data security standards regardless of their business model or size. However, the more cardholder and authentication data a business collects, stores, and transmits, the more it needs to invest in data security controls.
Merchants can reduce PCI-compliance-related costs by revising existing business practices, consolidating data, and streamlining payment flows. It is essential for merchants to only process cardholder data relevant to their business model.
Using the services of PCI-compliant payment processors, ecommerce platforms, and web hosts helps organizations reduce their exposure to PCI requirements. Established third-party payment processors can deliver PCI-compliant payment APIs, credit card tokenization solutions, and network security tools at a fraction of their cost.
It is challenging for a company with limited resources to create a PCI-compliant data environment without cooperating with several third-party providers.
Number of Employees
PCI requirements do not compel organizations to employ a certain number of people or create specific employee roles.
Businesses are required to implement authentication tools and procedures to restrict access to cardholder data. Only employees who need sensitive customer information to complete work-related tasks should be given access to the CDE.
Strong authentication systems like two-factor authentication can increase operating costs considerably depending on the number of employees.
Physical access to hardware that can be used to retrieve sensitive data also needs to be limited. Large organizations may need to invest in expensive physical authentication systems, additional security personnel, or camera surveillance.
Companies must organize training programs for existing and newly hired employees. Regular training courses and workshops ensure that staff follows company procedures and is always aware of the latest data protection standards.
The cost of conducting staff training courses increases with the number of employees.
Network Segmentation
PCI compliance audits focus on system components that are part of the cardholder data environment. These include network devices, servers, applications, and computers.
Businesses can reduce the scope of PCI assessments by separating components that manage cardholder data from the wider company network. By segmenting their network, companies can cut costs and improve data security. It is more difficult to compromise a system with multiple isolated and well-protected environments.
The initial investment in technologies that restrict access to a specific network segment, like firewalls, routers, and software solutions, is offset by the reduced scope of future PCI audits.
The PCI assessment determines if the network segmentation is sufficient to protect data and if the proper technologies and controls are deployed.
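The scope reduction described above only holds if the firewall rules between segments actually isolate the CDE: any segment with an allowed path into the CDE is "connected-to" and stays in scope. The script below is an added illustration, not code from the article or from any PCI tooling; the segment names, probe ports, and both rulesets are constructed, and it assumes top-down, first-match firewall semantics with an implicit default deny. It compares a ruleset with a catch-all allow against one that explicitly denies traffic into and out of the CDE, and reports which segments remain in PCI scope under each.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# All segment names, ports and rules below are constructed for this example;
# they are not taken from the article or from any real environment.

CDE_SEGMENT = "cde"
SEGMENTS = ["cde", "corp-lan", "guest-wifi", "dmz-web", "mgmt"]
# Ports an assessor would typically probe between segments (constructed list).
PROBE_PORTS = ["22", "443", "3389", "1433"]


@dataclass(frozen=True)
class Rule:
    src: str     # source segment, or "any"
    dst: str     # destination segment, or "any"
    port: str    # destination port, or "any"
    action: str  # "allow" or "deny"


# Weak ruleset: one management hole, then a catch-all allow. The catch-all
# makes every segment "connected-to" the CDE, so nothing leaves PCI scope.
WEAK_RULES = [
    Rule("mgmt", CDE_SEGMENT, "22", "allow"),
    Rule("any", "any", "any", "allow"),
]

# Hardened ruleset: the same management hole, an explicit deny of all other
# traffic into and out of the CDE, then the catch-all for the rest of the network.
HARDENED_RULES = [
    Rule("mgmt", CDE_SEGMENT, "22", "allow"),
    Rule("any", CDE_SEGMENT, "any", "deny"),
    Rule(CDE_SEGMENT, "any", "any", "deny"),
    Rule("any", "any", "any", "allow"),
]


def first_match(rules: List[Rule], src: str, dst: str, port: str) -> Tuple[str, Optional[int]]:
    """Evaluate rules top-down, first match wins; implicit default deny (assumed semantics)."""
    for idx, r in enumerate(rules):
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action, idx
    return "deny", None


def cde_ingress(rules: List[Rule], segments: List[str],
                probe_ports: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """For every non-CDE segment, list the (port, rule index) pairs through which it can reach the CDE."""
    ingress: Dict[str, List[Tuple[str, int]]] = {}
    for seg in segments:
        if seg == CDE_SEGMENT:
            continue
        for port in probe_ports:
            action, idx = first_match(rules, seg, CDE_SEGMENT, port)
            if action == "allow":
                ingress.setdefault(seg, []).append((port, idx))
    return ingress


def in_scope(rules: List[Rule], segments: List[str], probe_ports: List[str]) -> Set[str]:
    """PCI scope = the CDE itself plus every segment with an allowed path into it."""
    return {CDE_SEGMENT} | set(cde_ingress(rules, segments, probe_ports))


def report(rules: List[Rule], segments: List[str], probe_ports: List[str]) -> List[str]:
    """Human-readable findings: each allowed path into the CDE, flagged BROAD when
    the permitting rule uses 'any' for source or port, plus the resulting scope."""
    lines = []
    for seg, paths in sorted(cde_ingress(rules, segments, probe_ports).items()):
        for port, idx in paths:
            r = rules[idx]
            tag = "BROAD" if (r.src == "any" or r.port == "any") else "scoped"
            lines.append(f"{tag}: {seg} -> {CDE_SEGMENT}:{port} allowed by rule {idx} "
                         f"({r.src} -> {r.dst}:{r.port})")
    scope = sorted(in_scope(rules, segments, probe_ports))
    lines.append(f"in scope: {scope} ({len(scope)} of {len(segments)} segments)")
    return lines


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {name} ruleset ==")
        for line in report(rules, SEGMENTS, PROBE_PORTS):
            print(line)
```

With the weak ruleset all five segments stay in scope because the catch-all allow reaches the CDE; with the hardened ruleset only the CDE and the management segment remain, which is the outcome an assessor looks for when judging whether segmentation is sufficient.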
PCI Non-Compliance Fees
Card brands, banks, and customers can hold a non-compliant company accountable for a data breach. Depending on the circumstances of a breach, PCI non-compliance fees can vary from $500 to $500,000.
Businesses responsible for a breach may be required to pay:
- Higher rates for future processing and banking services.
- Compensation to customers in the form of chargebacks, card fees, etc.
- Legal fees and damages as a result of lawsuits.
- The cost of a PCI DSS investigation.
- Additional compliance assessment costs: companies that suffer a cardholder data breach are treated as PCI compliance Level 1 in future audits, regardless of how many transactions they process per year.
The loss of reputation and strained relations with other participants in the payment process can ultimately lead to merchants losing their ability to accept card payments.
Conclusion
Creating and maintaining a PCI-compliant environment requires extensive planning, long work hours, and financial resources.
Reducing the scope of PCI assessments is one of the most effective ways to keep PCI-compliance-related costs in check. Organizations should also rely on third-party expertise and technical solutions for creating a secure and compliant payment environment.
If you want to learn more about payments security and compliance, check out our Payments Compliance guide for merchants.