Being PCI compliant involves more than just filling out a PCI SAQ or completing a vulnerability scan. A lot of work and resources go into changing business procedures to ensure the protection of customer credit card data, and eventual PCI compliance.
Many businesses are confused about the budget they should set for PCI compliance. Often, they budget too little. Small budgets make it difficult for IT departments and third parties to upgrade equipment to the latest security standards to ensure the business protects data security.
The answer partially depends on how many transactions you process each year. Your business falls into one of two groups:
Businesses that are required to have a 3rd-party validation of PCI compliance:
Merchants processing over 6 million card transactions annually (also known as Level 1 merchants) must have an onsite data security assessment by a QSA (Qualified Security Assessor). Also, large service providers who support merchants and process more than 300,000 transactions per year are deemed a Level 1 service provider and must also have an onsite assessment conducted by a QSA.
Business that can self-validate their PCI compliance:
These businesses don’t handle as much card data as Level 1 merchants, but remember: they’re still required to be compliant. Requirements for compliance will at least include completing a Self-Assessment Questionnaire, but may also require vulnerability scanning, penetration testing, and security training.
Even if you aren’t a Level 1 merchant, but are still a large merchant (for example, you process at least 1 million transactions per year) it’s still recommended you receive an audit. Many Level 2 (1 million to 6 million transactions) and Level 3 merchants (20,000 to 1 million eCommerce transactions) elect to schedule audits because they’re just too big to efficiently become PCI compliant by themselves.
If you are a small merchant, your acquiring bank may pay for these services as part of their PCI compliance programs or they may leave you to take care of it. Either way, it’s up to you to decide if you want a PCI DSS audit. But, if you process less than 20,000 Visa or MasterCard transactions per year, it probably doesn’ make sense to pay for an onsite audit.
How much does PCI compliance cost?
If you’re a small business, PCI DSS compliance should cost from $300 per year (depending on your environment).
- Self-Assessment Questionnaire ~$50 – $200
- Vulnerability scanning ~ $100 – $200 per IP address
- Training and policy development ~ $70 per employee
- Remediation (software and hardware updates, etc.) ~ Varies greatly based on where entity is today in relation to compliance and security, but estimated: ~ $100 – $10,000
If you’re a very large enterprise and need a PCI DSS assessment, expect to pay $70,000+ in total costs (depending on your environment).
- Onsite audit ~ $40,000
- Vulnerability scans ~ $1,000
- Penetration testing ~ $15,000
- Training and policy development ~ $5,000
- Remediation (software and hardware updates, etc.) ~ Varies greatly based on where entity is today in relation to compliance and security, but estimated: ~ $10,000- $500,000
Make PCI compliance a priority
Securing cardholder data is a challenge facing all businesses that process credit cards. Know that following the PCI DSS is a great place to start. Ignoring the PCI DSS, or going after it half-heartedly is a recipe for disaster.
Following the PCI DSS is the best way to start your data security, and ultimately cheaper than exposing your brand to a data breach.