Understanding which PCI DSS requirements apply to your business and the level of compliance you’ll need is complex. That complexity makes it difficult to estimate the actual cost of PCI compliance without a direct discussion with a Qualified Security Assessor (QSA).
A small business with fewer than 20 users will incur far lower costs than a global enterprise with over 500 users. A business that qualifies for a Self-Assessment Questionnaire (SAQ) will pay much less than one that needs an on-site Level 1 attestation.
Below, we list the typical costs associated with PCI DSS compliance, from getting ready for your certification to annual maintenance, to help you determine a realistic budget.
How much does it cost to get PCI DSS compliant?
PCI DSS isn’t a one-size-fits-all framework. The level of compliance you need is based on factors like:
- The size and business type of your organization
- The number of transactions you process each year
- The requirements of your customers and acquiring bank
So it should come as no surprise to learn that PCI DSS compliance costs vary quite a bit based on these same factors. A global enterprise that processes millions of credit card transactions a year is going to be looking at a much higher compliance bill than a small e-commerce shop.
Your level of PCI DSS readiness is another big factor influencing PCI costs. The more work you need to do to bring your policies, processes, and system configurations up to par, the more expensive your total certification costs will be.
With these factors in mind, let’s take a look at an estimate of PCI compliance costs for a large enterprise and a small business.
Average cost of PCI compliance
On average, a large enterprise that processes millions of payments a year can expect to pay $50-200K to complete a Report on Compliance (RoC). A small company completing an SAQ and Attestation of Compliance (AoC) will likely pay $20K or less in annual PCI compliance costs.
Typical PCI DSS Compliance Costs
While the cost range is significant, every organization that pursues PCI certification will likely incur some of the same costs. Below, we list some typical costs of preparing for, achieving, and maintaining PCI compliance.
Compliance costs don't just include your certification audit. You'll need to take into account the cost of bringing your systems in line with PCI DSS requirements, which can include employee training, software and hardware updates, and policy development.
Network security such as Cloudflare ($200 a month and up) or an IDS/IPS ($500 and up)
PCI DSS requires that you have a secure network, which can include things like firewall protection, an intrusion detection or prevention system, and DDoS mitigation.
You’ll also need to dedicate internal resources to ensure your network is continuously monitored and security alerts are followed up on 24/7.
Data encryption: Productivity costs
PCI DSS is all about protecting cardholder data, so the standard requires that you encrypt any and all stored payment data. You’ll need to account for internal resources, or for the cost of using a service provider, to store encrypted payment data.
Antivirus software: $30 annually per device
Antivirus software is built to detect and remove viruses and other malware from your laptops and servers. Most commercial antivirus products, such as Norton or Kaspersky, are billed as an annual or monthly subscription and will be a recurring cost. They are also typically priced per device, so total costs can vary drastically for businesses of different sizes.
Employee training: $20-30 per employee annually
Your most important security asset isn’t your tech stack — it’s your staff. Anyone who has access to your cardholder data environment or can impact the security of cardholder data must receive security awareness training so they understand their role and responsibilities in keeping cardholder data safe.
Developers must also go through secure coding training annually to verify that they are aware of common coding vulnerabilities and build code in a secure manner. Those who are involved in incident response or are part of the security response team must also be trained to discover, mitigate, and resolve a security incident.
Because the threat landscape is constantly evolving, security training is required annually to keep employees aware of the latest risks and security best practices.
Security policy development: $1k and productivity costs
PCI requires your team to create and maintain a set of security policies. If you decide to use policy templates to avoid starting from scratch, purchasing them could be an additional cost. The average cost of a policy package is $1,000.
Part of the policy development process also includes putting those policies into practice, which means setting aside time to have your team formally review and accept any new policies and/or training employees on new processes.
Depending on the current state of your security policies, updating them or developing new ones can add up to a significant amount of lost productivity for your team and would require expertise in the policy and process requirements specific to PCI DSS.
Vulnerability scans: $150-200 per IP annually for ASV scan; $3k-5k annually for internal vulnerability scanning
An approved scanning vendor (ASV) must conduct quarterly scans of your external systems to check for security vulnerabilities. ASVs are providers that the PCI Security Standards Council (PCI SSC) has vetted and approved to perform scanning; the PCI SSC publishes the list of approved vendors. Internal vulnerability scanning is also required quarterly and must be performed by an individual experienced in vulnerability scanning.
To maintain compliance, you’ll need to keep undergoing these quarterly ASV scans and internal scans for as long as you hold certification.
Penetration testing: $3-30k, depending on company size and complexity
Like vulnerability scans, penetration tests help you find vulnerabilities in your cardholder data environment before they can be exploited by an actual attacker. Penetration tests must be performed manually, and service providers must also perform segmentation testing every six months.
Penetration testers (also known as ethical hackers) specifically look for security issues that automated scanning systems may not identify and will exploit vulnerabilities found to verify the extent of the security issues within your environment.
Pen tests are required annually for PCI RoC, SAQ D, SAQ C, SAQ C-VT, SAQ B-IP, and SAQ A-EP.
PCI DSS certification costs
Once you've fully prepared for PCI DSS certification, you're ready for either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (RoC). Because certification lasts one year, plan for these certification costs to be an annual recurring investment.
Self-Assessment Questionnaire (SAQ): $15-50k
A Self-Assessment Questionnaire (SAQ) is a document that walks you step-by-step through each PCI requirement and lets you determine your level of compliance based on whether your implementation meets each requirement. Unless you’re a Level 1 merchant or service provider, your organization qualifies for an SAQ. We recommend using Secureframe support or an auditor to help qualify your SAQ and perform the assessment on your behalf, to ensure the SAQ will satisfy any requirements from your customers or acquiring banks.
Report on Compliance audit by a qualified security assessor (QSA): $30k - $200k
Level 1 merchants and service providers are required to undergo a full Report on Compliance audit. At the end of your audit, the QSA will issue a Report on Compliance (RoC) that details your organization’s cardholder data environment, security posture, and level of PCI DSS compliance. Some Level 2 merchants and service providers must undergo a third-party audit as well.
Your RoC or SAQ is valid for one year, so you’ll need to complete the process annually to maintain certification. The cost of your SAQ documentation and/or security audit is something you’ll incur every year.
Save money on PCI compliance
Compliance automation software can cut these costs significantly by providing a library of PCI-compliant security policy templates, on-demand employee security training, automated evidence collection, and support from a PCI DSS expert. Learn more about how cost-effective PCI compliance can be with a single end-to-end solution like Secureframe.