SecurityMetrics: Organizations face bill of $70,000 to become PCI compliant
In a report published by SecurityMetrics, the cost of PCI self-compliance has been estimated as $70,000/year.
Gary Glover, VP of Assessments, QSA, CISSP, explains that the cost of compliance depends largely on how many transactions are processed each year. Glover notes that “Businesses processing over 6 million card transactions annually must have an onsite data security audit by a QSA (Qualified Security Assessor)”. Even without reaching this 6 million mark, many larger merchants still elect to undergo an audit because of the difficulty of becoming PCI compliant on their own: “Many Level 2 (1 million to 6 million transactions) and Level 3 (20,000 – 1 million eCommerce transactions) elect to get audits because they’re just too big to efficiently become PCI compliant by themselves”.
When it comes to the actual cost, a number of organizational factors influence the overall figure, including: the business type, the organization size, the security culture within the organization, the network environment, the number of dedicated PCI staff and the acquirer's pre-pays. According to Glover, “Large enterprises should expect to pay $70,000+ per audit”, depending on these organizational factors.
Why such a steep bill? The onsite audit alone can cost $40,000 and up. Combined with the cost of software and hardware updates, vulnerability scans, penetration testing and training, the overall cost quickly skyrockets.
While it may seem daunting to businesses, Glover describes PCI DSS as vital and ultimately cheaper than the consequences of going without it. “Securing cardholder data is a challenge facing all businesses that process credit cards. Know that following the PCI DSS is a great place to start. Ignoring the PCI DSS, or going after it half-heartedly is a recipe for disaster. PCI DSS is the best way to start your data security, and ultimately cheaper than exposing your brand to a data breach.”