PCI DSS (Payment Card Industry Data Security Standard) compliance is neither easy nor inexpensive. In fact, depending on the size of your organisation and the complexity of your CDE (cardholder data environment), it could take months and cost tens of thousands of pounds to fulfil the twelve requirements.
But what factors specifically affect the cost of compliance? How much investment is needed? Read on and you will find the answers.
PCI DSS and compliance levels
Unlike many regulatory standards, the PCI DSS does not provide a single set of rules that apply to all organisations. There are instead four compliance levels, with each one containing slightly different requirements.
The compliance levels are determined by the number of transactions the organisation processes annually.
- Level 1: Merchants that process over 6 million card transactions
- Level 2: Merchants that process 1 to 6 million transactions
- Level 3: Merchants that process 20,000 to 1 million transactions
- Level 4: Merchants that process fewer than 20,000 transactions
One of the main differences between those levels is the assessment criteria. For Level 1 organisations, this process should consist of an external audit performed by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor).
They are tasked with performing an on-site evaluation of the organisation to validate the scope of the assessment, to review the organisation’s documentation and technical information and to determine whether the PCI DSS’s requirements are being met.
If the organisation passes the audit, the assessor will submit a Report on Compliance to the organisation’s acquiring banks to demonstrate its compliance.
This process will take time and the organisation must pay for the on-site assessment, which could cost as much as £30,000.
By contrast, organisations in PCI DSS Levels 2–4 can complete an SAQ (self-assessment questionnaire) instead of an external audit (although Level 2 organisations must also complete a Report on Compliance).
There are nine types of SAQ that apply to organisations under different circumstances. However, the requirements for each are analogous and organisations should expect to spend no more than £300 to complete the process.
Other factors affecting PCI DSS compliance costs
In addition to your auditing requirements, there are several other factors that affect the cost of PCI DSS compliance – although they will depend on the size of your organisation.
The larger your business and the more complex your CDE, the more you can expect to spend. For example, organisations must test systems with a vulnerability scan, which can cost up to £100 per IP address.
Larger organisations will have many more IP addresses, so the cost of vulnerability scans will be much higher. Additionally, organisations with complex systems are expected to conduct penetration tests to gain a more in-depth understanding of system weaknesses. The cost of a penetration test will depend on the amount of work required, but prices generally start at about £2,500.
Organisations must also enrol their employees on training courses to ensure that they understand their compliance requirements. Those with greater responsibilities should look for comprehensive training courses. This may be a PCI DSS Foundation Training Course or a Lead Implementer Training Course. Employees who are responsible for handling payment card data will benefit from staff awareness courses.
Organisations must consider remediation costs. These are the resources that will be used to fix areas of non-compliance that have been identified during the assessments.
Those costs will vary hugely based on the amount of work required. Organisations could spend anywhere from a few hundred pounds to several thousand. If substantial remediation is required, organisations might be advised to bring in a third party to help manage the compliance process. We are that third party who can help you achieve compliance.
PCI DSS compliance made simple
For those looking to get started with PCI DSS compliance, we are here to help.
Document pack £395 + VAT
The pack contains everything you need to complete the project, including template documents and a document checker to ensure you select and amend the appropriate records.
The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.
It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organisation.
Book your assessment here