Becoming PCI compliant entails more than merely undertaking vulnerability tests or filling out self-administered questionnaires. There’s so much that you need to do to secure customer data. Likewise, PCI compliance requires financial investment. Many businesses don’t have an idea about the budget that they should set aside for PCI compliance purposes. Often, they budget low amounts, which makes it difficult for IT staff and third-party contractors to upgrade their systems to the latest security standards and ensure ultimate data protection.

It’s hard to place an actual figure or number when it comes to the total cost of PCI compliance. The amount that you’ll end up paying is determined by the size of your organization and the number of payment card transactions that you process, your eligibility for SAQs, and the way you store and handle customer information. However, you can estimate the cost by looking at PCI compliance requirements that apply to your organization.

PCI Compliance as a Recurrent Cost

Business owners and IT professionals ought to start thinking of PCI compliance as an ongoing expense. Therefore, you should incorporate compliance into your organization’s annual budget. This will help avoid sticker shock or scrambling to meet the minimum. If your organization anticipates an incessant need to process credit card or debit card payments, PCI compliance is mandatory. Compliance won’t be a one-off undertaking, but a continuous process.

When it comes to PCI compliance, businesses fall into two broad categories. Either your organization requires third-party validation of compliance, or it can self-validate its compliance status. Merchants who process more than 6 million payment card transactions yearly (Level 1 merchants) ought to have an onsite assessment done by a Qualified Security Assessor (QSA).

Similarly, large service providers who process more than 300,000 transactions annually and support merchants are deemed to be Level 1 service providers. Therefore, they also need an onsite data security assessment by a QSA.

If your business doesn’t as much cardholder data as a Level 1 merchant, you can self-validate its PCI compliance status. In this case, requirements for compliance include filling out a Self-Assessment Questionnaire, undertaking penetration testing, vulnerability scanning, and security training. Many Level 2 and 3 merchants choose to schedule audits since they are too big to conduct self-assessments effectively.

Breaking Down the Figures Involved

For small businesses, PCI compliance costs anything from $300 annually. The cost depends on your type of business and the environment in which you operate. Self-assessment questionnaires will cost anything between $50 and $200. Vulnerability scanning costs between $100 and $200 per IP address, while policy development and training cost an average of $70 per employee. Remediation varies depending on your compliance status. However, the cost can range from $100 to $10,000.

For large organizations that require a PCI DSS assessment, the total cost of compliance is usually above $70,000. The exact figure that you’ll end up paying depends on your environment. Here’s a breakdown of the costs that large enterprises have to incur:

  • Onsite audits— $40,000
  • Penetration testing— $15,000
  • Vulnerability scanning— $1,000
  • Policy development and training— $15,000
  • Remediation (hardware and software updates, etc.) —$10,000 to $500,000. Varies depending on your organization’s compliance stance

Although compliance level is an almost accurate predictor of compliance cost, there’s a substantial variation between different levels due to the extent of external consultant services needed, physical environment, and other variables. Generally, the annual cost of meeting all vendor requirements can be anything from $10,000 to several million dollars. Typically, companies that process less than 20,000 transactions pay less than $10,000 every year.

Factors that Affect PCI Compliance Costs

Given that the cost of PCI compliance varies from one organization to another, it’s important to review factors that cause this discrepancy. Here are some of the factors that determine how much money you will spend on your PCI compliance efforts.

Number of Transactions Processed

Arguably, this is the most significant determinant of the PCI compliance cost that your organization will incur. The number of transactions that you handle also determines your organization’s level of compliance.

Levels and other associated requirements tend to vary between different vendors. Therefore, you should determine your requirements based on the vendors that you use. For instance, your level may be different for MasterCard than with American Express. Generally, a higher compliance level means more rigorous compliance requirements apply to you.

Type of Business

The size of your enterprise and kind of business that it undertakes also determines how much your compliance cost will be. The cost of PCI compliance in a small retail environment will be different from the cost of maintaining compliance in large enterprises. Other factors that can impact compliance costs include franchise status, company culture, and the number of employees.

Physical Environment

The type, configuration, and configuration of your organization’s onsite and offsite hardware affect the cost of PCI compliance. For instance, if your employees work from their homes, your compliance costs might be higher. Likewise, bring-your-own-device workplaces also face more significant risks, more so if those devices process or store payment card transactions.

Your In-House PCI Expertise

If your organization’s IT department comprises individuals with PCI expertise, your compliance costs are likely to be lower. In-house expertise makes it easier for you to monitor your compliance status and meet the requirements continually. Enterprises with little or no PCI knowledge need ongoing assistance from PCI compliance consultants to mitigate risks. This comes at a cost. However, it would be best if you kept in mind that in-house IT expertise isn’t an alternative for unbiased review and audits that ought to be undertaken by third-party assessors. It only helps you prepare for an audit.

Hardware

All hardware that your organization uses to process and transmit cardholder data should be PCI DSS-compliant. These include mobile devices, computers, servers, firewalls, and card machines. Generally, organizations that have a higher volume of hardware should anticipate higher PCI compliance costs due to the more significant amount of purchases and risk-mitigation activities needed to meet compliance requirements.

What is the Cost of PCI Non-Compliance?

Many organizations regard PCI compliance as an unnecessary expense. Such enterprises end up overlooking the basic tenets of compliance to save business costs. However, PCI compliance can be costly in the long run, especially when a data breach hits you. According to the Ponemon Institute, data breaches cost an average of $4 million, which translates to $148 per lost record.

PCI non-compliance fines can be anything between $5,000 and $100,000 monthly until you achieve compliance. Besides, you may potentially get blocked from undertaking payment card transactions. Nonetheless, the highest cost that results from PCI non-compliance is reputational damage. 25% of your company’s market value is attributed to its reputation. If a data breach occurs as a result of PCI non-compliance, your organization’s reputation and market value will suffer directly. Likewise, there will be a loss of revenue.

PCI compliance is just as substantial as any other business decision that you’ll have to make. Compliance can be an essential tool for appropriately mitigating risks that typically lead to data breaches. Although PCI DSS compliance isn’t that simple, it can help you avoid costly penalties and reputational loss. Therefore, you should see it as an ongoing effort meant to stabilize your business rather than crippling its operations. You should also be continually on the lookout for new PCI requirements that apply to your industry.