The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for businesses that store, process, or transmit payment card data, and for service providers that can affect the security of those businesses. Unless you are a cash-only business and in no way touch the cardholder data or security of businesses that handle card transactions, PCI DSS applies to you and you must comply with it.
PCI DSS has several validation formats (a dozen or so Self-Assessment Questionnaire types plus the full Report on Compliance), which makes it tricky to pin down which PCI DSS requirements apply to your business and which level of validation you need. That complexity makes estimating your actual cost of PCI compliance difficult, if not impossible, without knowing your scope first.
A small business with fewer than 20 users will incur far lower costs than a global enterprise with more than 500 users. A business that qualifies for an SAQ will pay much less than one that needs an on-site assessment and Report on Compliance.
On average, a large enterprise that processes millions of payments a year can expect to pay $50-200k to complete a Report on Compliance (RoC). A small company completing an SAQ (with its accompanying Attestation of Compliance, or AoC) will likely pay $20k or less in annual PCI compliance costs.
Below, we list the typical costs associated with PCI compliance, from getting ready for your certification to annual maintenance, to help you determine a realistic budget.
PCI DSS isn't a one-size-fits-all framework. The level of validation you need is based on factors like your annual card transaction volume (which sets your merchant or service provider level), whether you are a merchant or a service provider, and how your systems store, process, or transmit cardholder data (which determines the SAQ type you qualify for, if any).
So it should come as no surprise that PCI DSS compliance costs vary quite a bit based on these same factors. A global enterprise that processes millions of credit card transactions a year is looking at a much higher compliance bill than a small e-commerce shop.
Your level of PCI DSS readiness is another big factor influencing PCI costs. The more work you need to do to bring your policies, processes, and system configurations up to par, the more expensive your total certification costs will be.
That said, every organization that pursues certification will incur some of the same costs. Depending on preparedness, a company may benefit from a full readiness assessment, or it may need only a few hours of consulting.
Below, we list the typical costs of preparing for, achieving, and maintaining PCI compliance.
Compliance costs don't just include your certification audit. You'll need to take into account the cost of bringing your systems in line with PCI DSS requirements, which can include employee training, software and hardware updates, and policy development.
PCI DSS requires network security controls around your cardholder data environment, which in practice means firewalls (or equivalent network security controls) and an intrusion detection or prevention system. DDoS mitigation is not itself a PCI DSS requirement, but it is often part of the same network security budget.
You'll also need to dedicate internal resources to ensure your network is continuously monitored, logs are reviewed at least daily, and security alerts are followed up on around the clock.
PCI DSS is all about protecting cardholder data. The standard requires that stored primary account numbers (PANs) be rendered unreadable wherever they are stored, using strong encryption, truncation, tokenization, or one-way hashing, and it prohibits storing sensitive authentication data (full track data, card verification codes, PINs) after authorization at all. You'll need to account for internal resources or the cost of a service provider to store encrypted payment data on your behalf.
Anti-malware software is required on systems in scope that are commonly affected by malware, and it must be kept current and actively running. Most commercial antivirus products, such as Norton or Kaspersky, are billed as an annual or monthly subscription and will be a recurring cost.
Your most important security asset isn’t your tech stack — it’s your staff. Anyone who has access to your cardholder data environment or can impact the security of cardholder data must receive security awareness training so they understand their role and responsibilities in keeping cardholder data safe.
Developers must also complete secure coding training annually so that they are aware of common coding vulnerabilities and build software securely. Anyone involved in incident response or on the security response team must also be trained to detect, contain, and resolve a security incident.
Because the threat landscape is constantly evolving, security training is required annually to keep employees aware of the latest risks and security best practices.
PCI DSS requires your team to create and maintain a set of security policies. Putting those policies into practice is part of the cost: you need to set aside time for your team to formally review and accept new policies and to train employees on new processes.
Depending on the current state of your security policies, updating them or developing new ones can add up to a significant amount of lost productivity for your team, and it requires expertise in the policy and process requirements specific to PCI DSS.
An Approved Scanning Vendor (ASV) must conduct quarterly external vulnerability scans of your internet-facing systems, and you must remediate findings and rescan until you have a passing scan. ASVs are providers that the PCI Security Standards Council (PCI SSC) has vetted and approved to perform these scans; the PCI SSC publishes the list of approved vendors on its website. Internal vulnerability scans must also be performed at least quarterly (and after significant changes) by qualified personnel who are organizationally independent of the systems being scanned.
Because these scans recur every quarter, budget for ASV fees and internal scanning effort as an ongoing cost rather than a one-time expense.
Like vulnerability scans, penetration tests help you find weaknesses in your cardholder data environment before an actual attacker exploits them. Unlike scans, a penetration test is hands-on work that follows an industry-accepted methodology: penetration testers (also known as ethical hackers) look for security issues that automated scanning systems miss and exploit the vulnerabilities they find to show how far an attacker could get in your environment. Internal and external penetration tests are required at least annually and after significant changes. If you rely on network segmentation to reduce scope, the segmentation controls must also be tested: annually for merchants, and every six months (and after any change to segmentation controls) for service providers.
Annual penetration testing is required for a RoC and for SAQ D, SAQ C, SAQ C-VT, SAQ B-IP, and SAQ A-EP; confirm the Requirement 11 items in the specific SAQ version you complete, since the controls in scope differ between SAQ types.
Once you've fully prepared for PCI DSS validation (commonly called certification, although the PCI SSC does not issue certificates), you're ready for either a Self-Assessment Questionnaire or a Report on Compliance. Because validation is good for one year, plan for these costs to be an annual recurring investment.
A Self-Assessment Questionnaire (SAQ) walks you step by step through each PCI DSS requirement in scope for your SAQ type and lets you determine your level of compliance based on whether your implementation meets each requirement. Unless you're a Level 1 merchant or service provider, your organization generally qualifies for an SAQ. We recommend engaging a Qualified Security Assessor (QSA) to confirm which SAQ you qualify for and to perform the assessment with you, so that the completed SAQ will satisfy whatever your customers or acquiring bank require.
Level 1 merchants and service providers must undergo an on-site assessment by a QSA. At the end of the assessment, the QSA issues a Report on Compliance (RoC) and an Attestation of Compliance (AoC) that document your organization's cardholder data environment, security posture, and PCI DSS compliance status.
Your RoC and AoC, or your SAQ and AoC, are valid for one year, so you'll need to repeat the process annually to maintain compliance. The cost of your SAQ documentation and/or QSA assessment is something you'll incur every year.
Payment processors sometimes charge a fee to cover the costs they incur from assisting companies in becoming PCI compliant. You’ll likely see this charge reflected on your processing statements.
Companies are generally not required by law to be PCI compliant, but the standard is mandated by the card brands (Visa, Mastercard, American Express, and others) and flows down contractually through your acquiring bank's merchant agreement and your customers' contracts. If your business stores, processes, or transmits cardholder data, you must be PCI compliant, and the demand for proof will most likely come directly from your acquiring bank or your customers.
Ignoring PCI compliance requirements can have some serious consequences — for your business and your customers.
A credit card data breach can cost your company thousands of dollars, or far more, in incident response and remediation: forensic investigations (typically by a PCI Forensic Investigator), legal fees, regulatory investigation costs, cardholder notification costs, customer compensation, and higher rates from banks and payment processors. And that doesn't cover the loss of customer loyalty and brand reputation.
A breach that compromises cardholder data can also cause the card brands to reclassify your company as Level 1, regardless of how many transactions you process. Level 1 requires a full on-site assessment and Report on Compliance by a QSA.
Card brands charge non-compliance fines, passed through your acquiring bank, to recover the costs your non-compliance may cause them. Monthly penalties are commonly cited as ranging up to $100k, scaled by how long you were out of compliance (the longer you weren't compliant, the higher the penalty). After a breach you can also be assessed up to $90 per compromised card, on top of higher processing fees.
Your acquiring bank and credit card processor may terminate your contract due to non-compliance. If your merchant account is revoked, you will no longer be able to accept credit card payments.
Compliance automation software can cut these costs significantly by providing a library of PCI-compliant security policy templates, on-demand employee security training, and automated evidence collection. Learn more about how cost-effective PCI compliance can be with a single end-to-end solution like Secureframe.