Budgeting for Security: The Cost of PCI DSS Compliance in 2023

With twelve requirements to meet, PCI DSS (Payment Card Industry Data Security Standard) compliance is neither cheap nor easy.

In fact, depending on the size of your organisation and the complexity of your CDE (cardholder data environment), it could take months and cost tens of thousands of pounds to fulfil its requirements.

But what factors specifically affect the cost of compliance, and how much should you be looking to spend? We answer those questions and more in this blog.

PCI DSS and compliance levels

Unlike many regulatory standards, the PCI DSS does not provide a single set of rules that apply to all organisations. There are instead several compliance levels, with each one containing slightly different requirements.

Each of the five payment card brands (American Express, Discover, JCB, Mastercard and Visa) has its own programme for compliance, including its own thresholds for the levels of PCI DSS compliance. However, in general, the levels look like this:

  • Level 1: Merchants that process over 6 million card transactions annually.
  • Level 2: Merchants that process 1 to 6 million transactions annually.
  • Level 3: Merchants that process 20,000 to 1 million transactions annually.
  • Level 4: Merchants that process fewer than 20,000 transactions annually.

One of the main differences between those levels is the assessment criteria. For Level 1 organisations, this process should consist of an external audit performed by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor).

They are tasked with performing an on-site evaluation of the organisation to validate the scope of the assessment, to review the organisation’s documentation and technical information and to determine whether the PCI DSS’s requirements are being met.

If the organisation passes the audit, the assessor will submit an RoC (Report on Compliance) to the organisation’s acquiring banks to demonstrate its compliance.

This process will take time and the organisation must pay for the on-site assessment, which could cost as much as £30,000.

By contrast, organisations in PCI DSS Levels 2–4 can complete an SAQ (self-assessment questionnaire) instead of an external audit. (Although Level 2 organisations must also complete an RoC.)

There are nine types of SAQ that apply to organisations under different circumstances. However, the requirements for each are analogous and organisations can expect to spend no more than £200 completing the process.

Other factors affecting PCI DSS compliance costs

In addition to your auditing requirements, there are several other factors that affect the cost of PCI DSS compliance – although they mostly depend on the size of your organisation.

The larger your business and the more complex your CDE, the more you can expect to spend. For example, organisations must test systems with a vulnerability scan, which will set them back about £100 per IP address.

Larger organisations will have many more IP addresses, and therefore the cost of vulnerability scans will be much higher. Additionally, organisations with complex systems are expected to conduct penetration tests to gain a more in-depth understanding of system weaknesses.

The cost of a penetration test will depend on the amount of work required, but prices generally start at about £3,000.

Organisations must also enrol their employees on training courses to ensure that they understand their compliance requirements. Those with greater responsibilities should look for comprehensive training courses, such as IT Governance’s PCI DSS Foundation Training Course and Lead Implementer Training Course.

Meanwhile, employees who are responsible for handling payment card data will benefit from staff awareness courses.

Organisations must take into account remediation costs. These are the resources that will be used to fix areas of non-compliance that have been identified during the assessments.

Those costs will vary hugely based on the amount of work required. Organisations could spend anywhere from a few hundred pounds to several thousand. If substantial remediation is required, organisations might be advised to bring in a third party to help manage the compliance process.

PCI DSS compliance made simple

For those looking to get started with PCI DSS compliance, IT Governance is here to help.

Our PCI DSS Documentation Toolkit contains everything you need to complete the project, including template documents and a document checker to ensure you select and amend the appropriate records.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organisation.