How Much Does PCI DSS Compliance Cost? 6 Aspects to Pay Attention To

  • 9 min
  • Jun 25, 2020
Yana S., Copywriter

Elena K., Head of Quality Assurance office

PCI DSS compliance may take a significant part of your project budget. The biggest challenge is to allocate enough funds to achieve compliance and keep it. But what is the price of becoming compliant? This article provides insights into PCI DSS compliance costs and helps you estimate the cost of compliance for your business. 

Factors influencing the cost of PCI DSS compliance

The cost of PCI DSS compliance varies across companies, as it’s influenced by many factors. Let’s take a closer look at what these factors are.

[Infographic: What is the cost of PCI DSS compliance? Aspects to pay attention to when estimating PCI DSS compliance costs]

#1 Number of processed transactions

With regard to PCI DSS compliance, companies are classified into four levels according to the number of payments they process. Let’s look at how these levels are defined.

  • Level 1 includes companies with more than 6 million transactions per year. Businesses that have been previously found non-compliant also belong to this level. 
  • Level 2 is for companies that process between 1 and 6 million transactions per year. 
  • Level 3 consists of companies that process between 20,000 and 1 million transactions annually. 
  • Level 4 is for companies that have under 20,000 transactions per year. 

The level your company belongs to defines the set of security measures you need to go through to check your company’s environment, hardware, and general workflow for compliance. 

Businesses that belong to level 1 must be assessed by a Qualified Security Assessor (QSA). QSAs are companies that are authorized by the PCI Security Standards Council to evaluate other companies for compliance with security requirements. Before being assessed by a QSA, a level 1 company may check its compliance with the help of internal or external teams of PCI DSS experts.

Businesses at other levels can verify their compliance themselves or hire external professionals for this purpose. However, they still must comply with all the requirements. The only difference is that the compliance of such businesses does not need to be certified by a QSA. Level 2, 3, and 4 companies still need to complete a specially designed questionnaire and perform vulnerability scanning and specific types of testing annually to ensure security demands are satisfied. 

#2 Type of business

The type of your business may also influence the price of compliance. PCI DSS compliance costs differ for merchants (online trading companies) and service providers.

Service providers like network firewall providers, hosting providers, billing account management systems, and point-of-sale system providers are indirectly involved in handling, storing, and transmitting cardholder information. Therefore, these entities must complete different types of security checks than those required of merchant companies, and the price of compliance differs for them as well.

For example, merchant companies with fewer than 6 million transactions per year are not obliged to be certified by a QSA. In comparison, service providers must be evaluated by a QSA if they have more than 300,000 transactions annually.

#3 Physical environment and hardware

The hardware you’re using in your company’s workflow, its type, its location, and its configuration affect the cost of PCI DSS compliance a lot. If your employees work remotely or use their own devices for work, this also poses additional security risks and may significantly influence the price of compliance. 

All equipment that handles card information should satisfy the demands specified in PCI DSS requirements. This equipment comprises computers, mobile devices, servers, and firewalls. Thus, the more hardware you use in your regular workflow, the higher the PCI DSS compliance costs are. 

#4 Number of employees and their security awareness

Another vital aspect that may considerably influence the price of compliance is the number of staff members involved in card data processing. Expenses connected with the number of employees may include the price of additional IT security measures required to avoid security breaches.

Having a QA team with expertise in PCI DSS requirements may help you significantly decrease compliance expenses. With the help of skilled QA specialists, you can conduct regular checks and meet compliance requirements. An internal compliance check is a poor substitute for an unbiased audit, though. Companies with in-house PCI DSS expertise often still require a fresh look and assistance from outside QA teams. However, companies with appropriate in-house knowledge have an advantage compared to companies without it. 

#5 Cardholder data environment

Even though storing cardholder data is more convenient than asking for it on every purchase, doing so puts your organization at risk. A cardholder data environment (CDE) is the system that handles, stores, and transfers payment card information. It includes all the devices, service providers, people, and processes involved.

This opens the door to a wide range of things that may significantly influence the cost of compliance: human-related factors, such as which third parties you cooperate with and their level of access to the CDE, and software- and hardware-related aspects, such as the design of the network you’re using, the systems involved, the type of encryption, and the level of protection against malicious software.

#6 Cost of a PCI DSS compliance audit

The overall cost of compliance depends heavily on the cost of a PCI DSS compliance audit. Trying to achieve PCI DSS compliance internally is cheaper but may pose daunting challenges to your business. Instead, you may hire an external team of PCI DSS experts to see if your company’s information security controls meet requirements.

The more payment transactions you perform annually, the more resources you need to complete an audit. Before you start an audit, the company you hire to perform it should provide you with an estimate. 

How much does a PCI DSS compliance audit cost? 

There are a few aspects that influence the audit price, including the time needed to complete it and the hourly rate of the specialists you hire. 

Cost of services across the globe

A crucial aspect that influences the price of a compliance audit is the hourly rate of your specialists. The hourly rate of QA engineers that perform PCI DSS audits varies significantly in different countries. 

According to Clutch, the hourly rate of QA engineers with PCI DSS expertise in the US and Western Europe ranges between $50 and $150. In Eastern Europe, the average hourly rate is between $25 and $49. Quality assurance engineers from India and other Asian countries can have hourly rates of less than $25.

Now let’s proceed to an estimate.

Estimated hours for a backend audit

Below, we introduce an estimate for performing a high-quality PCI DSS compliance audit for the software backend. It includes an optimistic scenario for a smooth and straightforward process and a pessimistic one that assumes issues will appear.

| Checklist item | Optimistic (hours) | Pessimistic (hours) |
|---|---|---|
| The firewall can adequately protect payment card information. | 12 | 26 |
| Default login details are not used. | 1 (per service) | 2 (per service) |
| Stored card information is adequately protected. | 6 | 8 |
| Cardholder information transferred through open networks is encrypted. | 6 | 8 |
| All systems used are protected against malicious software, and antivirus software is regularly updated. | 12 | 16 |
| Systems involved in handling customer data are secure and up to date. | 6 | 8 |
| Access to transaction-related information is provided only on a need-to-know basis. | 6 | 8 |
| It’s possible to track access to system components. | 6 | 8 |
| Physical access to sensitive data is restricted. | 6 | 8 |
| Access to network resources can be traced back. | 8 | 12 |
| Security systems and operations are regularly tested. | 20 | 24 |
| All personnel are aware of the company’s security policy. | 6 | 8 |
| Total | 95 hours | 126 hours |

Thus, a backend audit for your company will require between 95 and 126 hours.

Estimated hours for an audit of frontend or mobile applications

Below, we review the number of hours needed to check the front end of a web application or mobile application for compliance. Here we provide both optimistic and pessimistic scenarios as well. 

| Checklist item | Optimistic (hours) | Pessimistic (hours) |
|---|---|---|
| User data is not intercepted when entered into a device. | 6 | 8 |
| User data is protected from being compromised while processed or stored on a device. | 6 | 8 |
| User data is protected from being intercepted while transmitted from a device. | 6 | 8 |
| Unauthorized logical device access is prevented. | 6 | 8 |
| Server-side controls are available to monitor and report unauthorized access. | 12 | 16 |
| Privilege escalation and access control breaks are prevented. | 8 | 12 |
| Functionality is available to remotely disable payment applications. | 12 | 16 |
| It’s possible to detect theft or loss. | 6 | 8 |
| Supporting systems meet security requirements. | 6 | 8 |
| The application is upgraded to prevent unintended logical access. | 8 | 12 |
| Payment transactions are neither authorized offline nor stored for later transmission when the application is not accessible on the host. | 8 | 12 |
| The application conforms to secure coding, engineering, and testing practices outlined in the Payment Application Data Security Standard (PA-DSS). | 8 | 12 |
| The application is kept up to date to protect it from known vulnerabilities. | 12 | 16 |
| The device is protected from unauthorized applications. | 12 | 16 |
| The device is protected from malware. | 20 | 24 |
| The device is protected from unauthorized attachments. | 8 | 12 |
| There is proper documentation that addresses the secure use of the application. | 12 | 16 |
| Merchant receipts are secure. | 8 | 12 |
| A security indicator is implemented. | 12 | 16 |
| Audit and logging mechanisms are implemented for user and device access. | 8 | 12 |
| Total | 184 hours | 252 hours |

Performing a PCI DSS compliance audit for the frontend of an application requires between 184 and 252 hours. Accordingly, a complete check for a full-fledged application will take between 279 and 378 hours. To find out the cost of such an audit, you need to multiply those hours by the hourly rate of your team. 

Final thoughts

Getting PCI DSS compliance may take a lot of effort, time, and money. However, being compliant is much cheaper than paying for the consequences of non-compliance.


FAQ

  1. There’s no one-size-fits-all price for PCI DSS compliance. The cost of compliance depends on the following factors: 

    • Number of processed transactions
    • Type of business
    • Physical environment and hardware
    • Number of employees and their security awareness
    • Cardholder data environment
    • Cost of a PCI DSS compliance audit
  2. The set of measures you need to take to prove your PCI DSS compliance depends on the level your company belongs to. For example, if you’re classified as a level 1 organization, you’re obliged to be certified by a Qualified Security Assessor. If you belong to levels 2, 3, or 4, certification is not required but you still need to complete a self-assessment questionnaire and perform vulnerability scanning and specific types of testing annually.

  3. The cost of a PCI DSS audit depends on two main factors. The first is the hourly rate of the team of experts you hire to perform the audit. The second is the number of hours required to complete the audit. 

    According to Clutch, the hourly rate of QA engineers with PCI DSS expertise ranges between $50 and $150 in the US and Western Europe, $25 and $49 in Eastern Europe, and around $25 in India and other Asian countries.

    According to the RubyGarage QA team, a full-fledged application will take between 279 and 378 hours to audit. 

    If you require a team with strong expertise in PCI DSS compliance to audit your business for a reasonable price, contact RubyGarage.
