
How Much Does PCI Compliance Cost?


PCI compliance shouldn’t be viewed as a sunk cost but, rather, an investment

Companies and organizations loathe compliance. It demands attention, labor and money, and there is no profit in it. That gives compliance frameworks like the Payment Card Industry Data Security Standard (PCI DSS) a rather onerous reputation, one that, in some cases, isn't deserved.

PCI DSS is among the most straightforward compliance requirements. All it really asks is that you take common-sense security precautions so that the payment card data you process stays safe. Every one of its requirements is a security best practice in its own right. Investing in these measures covers most of the ground compliance demands and, more importantly, puts your organization on a solid security foundation. Ideally it also fosters a security-first culture among employees.

But, like most things in life, there are still costs involved. So let's talk about what those costs are and ballpark a figure.

Two Kinds of PCI Compliance

For all intents and purposes there are two kinds of PCI compliance validation. Level one merchants must be validated by a third party: an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance. Levels two through four can generally self-validate by completing a Self-Assessment Questionnaire (SAQ). Each card brand defines its own merchant levels, so the thresholds below are Visa's, and the other brands' are similar but not identical.

For example, Visa classifies as level one any merchant that processes more than 6 million Visa transactions per year, or that any Visa region identifies as a level one global merchant. Merchants below those thresholds fall into levels two through four. Obviously, the kind of validation you need has a direct effect on what compliance costs. Hiring a third party for validation isn't cheap, but it isn't cost-prohibitive either.

Some merchant banks will pay for validation services for smaller, non-level-one merchants, but that depends on who your acquiring bank is.

Other Considerations for PCI Compliance Cost

Beyond how you validate your compliance, several other factors influence its cost. Here are a few:

  • Business Size. This is closely related to your PCI level. An enterprise holds far more cardholder data than a sole proprietorship, and that affects cost in more ways than just the validation requirement: more systems in scope means more to secure, scan and document.
  • Business Type. Your industry determines how many customers you have, what kinds of customers they are, how you take payments, and therefore how much PCI compliance will cost.
  • Your Security Culture. If your organization already prioritizes security, you have a head start. If you're buying things like antivirus software and firewalls for the first time, it's going to be considerably more expensive, at least initially.
  • Your Environment. Different network technologies and designs take different amounts of effort to secure, and some require outside help. How much outside help you need directly affects your cost.
  • Your Staff. If you have a dedicated compliance or security team, you're trading their annual salaries for savings on consultants and external assistance. It's a delicate calculation that varies by organization.
  • Your Merchant Bank. If your acquiring bank foots part of the bill, that saves you money.

The Costs of PCI Compliance

Small Organizations: $300+ Per Year

Smaller organizations can self-validate, which mainly means completing the Self-Assessment Questionnaire. The SAQ document itself is free from the PCI Security Standards Council; what vendors charge for, typically $50-200, is a guided portal or service that walks you through it. You'll also need quarterly external vulnerability scans from an Approved Scanning Vendor (ASV) where your SAQ type requires them, and you'll need to pay for staff training. All of this assumes you don't have to buy security products and are only keeping existing ones up to date.

So what do these costs look like? Here's the breakdown:

Requirement: Cost
Self-assessment: $50-200
Vulnerability Scanning: $72.42 (with Comodo's HackerGuardian PCI Scanning solution)
Training: $70/employee
Remediation: $100-$10,000

Thankfully, PCI scans don't have to be expensive, so long as you choose the right ASV. Comodo CA's HackerGuardian is a cost-effective tool that lets you run your quarterly internal and external scans and provides guidance on remediating the vulnerabilities it finds. Note that only the external scans count as ASV scans under PCI DSS; internal scans are a separate requirement that you may run yourself. And all of this comes from Comodo CA, a long-recognized name in the cyber security industry.

Enterprises and Level Ones: $70,000+

PCI DSS compliance can get extremely expensive for enterprise organizations, and for smaller organizations that have suffered a recent breach and been moved up to level one as a result. Perhaps the strongest argument for a solid security culture is this: if you let things slide, you can expect to spend at least $70,000 a year just to comply with PCI DSS later. Or you can bite the bullet, do it right now, and save a great deal.

On-site audits, which third-party validation requires, are expensive, starting around $40,000. Scanning also costs more at enterprise scale, penetration testing is required, and the cost of training and of maintaining systems and applications scales with the size of the environment.

And, again, all of this assumes you're not buying security controls for the first time.

So what do these costs look like? Here's the enterprise breakdown:

Requirement: Cost
Onsite Audit: $40,000
Vulnerability Scanning: $72.42 (with Comodo's HackerGuardian PCI Scanning solution)
Penetration Testing: $15,000+
Training: $5,000+
Remediation: $10,000-$50,000

PCI DSS Audits Can Be Expensive

If you need third-party validation, it doesn't come cheap. SecurityMetrics surveyed the market and found that the lowest pricing for a QSA assessment started around $15,000, and a full on-site audit can cost about $40,000.

At the enterprise level these costs are largely unavoidable. For small businesses, they underscore how important it is to get security right before a breach forces a level-one audit on you.

Don't risk your customers' information or your organization's reputation, and don't incur non-compliance penalties, over the cost of PCI compliance. Get the right PCI scanning solution at the right price. We sell Comodo HackerGuardian for $72.42 per year, cheaper than any other vendor, guaranteed.

Comodo HackerGuardian

Keep Your PCI Compliance Cost Down: Save Up to 71% on PCI Scanning

Get Comodo HackerGuardian to stay compliant with Payment Card Industry standards for as little as $72.42 per year.