How businesses can calculate – and reduce – the cost of their PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for businesses that accept credit cards. Everyone involved in handling credit card payments is required to adhere to its rules, including:
- Service providers
- Payment processors
- Payment application companies
- Payment gateway providers
PCI compliance is a significant endeavor. It requires a substantial amount of time, money, and expertise to complete. To start with, companies must define the cardholder data environment (CDE) – those areas that touch or could potentially touch credit card information. They must also identify the people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. See our article, "Compliance Simplified: Follow These 4 Steps to Achieve PCI DSS Certification."
Network Segmentation Reduces Costs
Once all cardholder data locations are identified and documented, the exact scope (or breadth) of PCI compliance is known. Less is best. Reducing PCI scope will save time, money, and effort. A key motto in PCI compliance is: “Reduce scope! Reduce scope! Reduce scope!”
One way to do this is through network segmentation, so that credit card data is confined to one section of the overall environment. Network segmentation is the process of dividing a network into smaller segments, or "subnetworks," in a way that limits or prevents communication between them.
When done properly, network segmentation provides controls that limit or stop traffic from one subnetwork into another, so systems outside the cardholder data segment fall out of PCI scope. This can greatly reduce the cost of a PCI compliance audit.
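To make the segmentation point concrete, here is an added example that is not part of the original article: a small Python checker that models a first-match firewall policy at the CDE boundary as data and verifies that out-of-scope subnets cannot reach the CDE. The address plan (`10.10.0.0/24` as the CDE, a corporate and a guest network, a single admin jump host), the rules and the sampled ports are all constructed assumptions for illustration. It also shows a weak policy with an over-broad allow rule beside the corrected one, since that is the kind of finding that puts the whole network back in scope.

```python
"""Segmentation check for a PCI cardholder data environment (CDE).

Added example, not from the original article. A firewall policy is modelled
as an ordered list of rules with first-match semantics and an implicit
default deny. The checker reports any flow from an out-of-scope subnet that
the policy would admit into the CDE. All subnets, rules and ports below are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed address plan (assumption, not taken from the article).
CDE_SUBNET = ipaddress.ip_network("10.10.0.0/24")      # card-processing hosts (in scope)
CORP_SUBNET = ipaddress.ip_network("10.20.0.0/16")     # general office network (out of scope)
GUEST_SUBNET = ipaddress.ip_network("192.168.50.0/24") # guest Wi-Fi (out of scope)
MGMT_JUMP = ipaddress.ip_network("10.30.0.5/32")       # hardened admin jump host (in scope)


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


# Corrected boundary policy: only the jump host may administer the CDE, the
# CDE may talk outbound to the payment processor over HTTPS, and everything
# else into the CDE is explicitly denied.
POLICY = [
    Rule("allow", MGMT_JUMP, CDE_SUBNET, 22),   # admin SSH only from the jump host
    Rule("allow", CDE_SUBNET, ANY, 443),        # outbound HTTPS to the processor
    Rule("deny", ANY, CDE_SUBNET),              # catch-all deny into the CDE
]

# Weak policy: someone exposed a CDE web console to "anywhere" on 443. This
# one rule connects every other subnet to the CDE and defeats the segmentation.
WEAK_POLICY = [Rule("allow", ANY, CDE_SUBNET, 443)] + POLICY


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"   # implicit default deny


def segmentation_findings(policy: List[Rule], cde, out_of_scope,
                          sample_ports=(22, 80, 443, 3389)) -> List[Tuple[str, str, int]]:
    """List (src, dst, port) flows from out-of-scope subnets that the policy
    admits into the CDE. An empty list means those subnets are segmented from
    the CDE for the sampled ports; each entry is a scoping finding to fix."""
    findings = []
    dst = str(next(cde.hosts()))                 # first usable CDE address
    for net in out_of_scope:
        src = str(next(net.hosts()))             # first usable address in that subnet
        for port in sample_ports:
            if evaluate(policy, src, dst, port) == "allow":
                findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    out_of_scope = [CORP_SUBNET, GUEST_SUBNET]
    print("corrected policy findings:", segmentation_findings(POLICY, CDE_SUBNET, out_of_scope))
    print("weak policy findings:     ", segmentation_findings(WEAK_POLICY, CDE_SUBNET, out_of_scope))
```

The checker only reasons about the policy as written; it says nothing about whether the deployed firewall actually enforces it, which is why PCI DSS also expects periodic testing that the segmentation controls work on the live network. Note that the jump host is deliberately not in the out-of-scope list: a system that is allowed to reach the CDE is connected to it and stays in scope, which is the reason to keep that list of exceptions as short as possible.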
Pre-Audit Improvements Help
Once the CDE has been identified, companies should next consider improvements to their security posture before undergoing the audit. This can reduce the cost of the audit as well as lead to a better result. For example, they should:
- Secure remote access
- Patch and update credit card processing software
- Ensure virus and firewall software is in place
- Test security processes
- Ensure policies exist that address information security for all personnel
- Ensure card data is not stored on self-managed internal servers or workstations
Factors that Affect Costs
The actual cost of PCI compliance varies from business to business. Exact dollar amounts depend on many factors. A good PCI company will be able to provide a range of costs if you have a thorough discussion with them prior to the audit about factors including:
- Number of Transactions Processed - The number of transactions processed each year will determine the "level" of compliance required for your organization. The higher your compliance level, the more rigorous your PCI DSS requirements. For example, companies that process fewer than 6 million transactions a year, generally speaking, can fill out a Self Assessment Questionnaire to verify that they are following PCI DSS, while a larger company would need to hire a Qualified Security Assessor to attest to compliance, resulting in higher costs.
- Type of Business - Business size and type can drive compliance cost up or down. The more you come in contact with credit cards, the higher the cost of compliance. Retail companies will have more contact with credit cards than B2B businesses.
- Number of Employees and Company Culture – Employees and company culture can also have an impact on compliance costs. The total number of employees who handle card processing or payment data is a significant factor in total compliance costs. Every employee who interfaces with payment card information can increase the total costs of training or require more elaborate policies and procedures.
- Hardware Environment - The location, type, and configuration of your onsite (or offsite) hardware can all impact the costs of compliance. Organizations with a high volume of hardware can anticipate higher compliance costs. This is due to a larger volume of risk-mitigation activities and purchases necessary to meet requirements.
PCI Compliance Fees
PCI compliance fees increase when organizations need a vulnerability scan, or if they must hire a Qualified Security Assessor (QSA):
- Authorized Scanning Vendors (ASV) scans: An ASV is an organization with a set of security services and tools (“ASV scan solution”) to conduct external vulnerability scanning services to validate adherence with the PCI network security requirements. Quarterly vulnerability scans of your business environment, such as for firewalls, internet, and so on, are typically required of most merchants.
- Qualified Security Assessors (QSA) service: QSA is a designation conferred by the PCI Security Standards Council on individuals who maintain specified information security certifications, have taken the appropriate training, and are employees of a Qualified Security Assessor (QSA) company certified by the PCI Council. Organizations that process more than 6 million transactions a year are required to hire a QSA to perform annual compliance audits. Fees vary based on the number of locations and the complexity of the networks.
PCI Noncompliance Fees
Keep in mind that the cost of compliance is always lower than the cost of noncompliance. For example, a payment processor could impose PCI noncompliance fees on merchants that fail to fill out their Self Assessment Questionnaire.
Then there are the fines. You can expect financial penalties of anywhere between $5,000 and $10,000 a month from these companies for violations of PCI compliance rules.
On top of the fines that will be passed on to your company, you may lose your relationship with your bank, the credit card companies, and any other payment processor you use. They won’t want to work with a client who isn’t PCI compliant.
PCI DSS compliance isn't simple, but it's critical for organizations that rely on credit or debit card processing as a source of revenue. To avoid costly financial penalties, organizations must treat PCI as an ongoing effort. By budgeting for compliance on a monthly basis and seeking expert guidance to meet the requirements, your organization can mitigate risk and maintain the trust of its customers.