How Much Does PCI DSS Compliance Cost? 6 Aspects to Pay Attention To
- Jun 25, 2020
PCI DSS compliance may take a significant part of your project budget. The biggest challenge is to allocate enough funds to achieve compliance and keep it. But what is the price of becoming compliant? This article provides insights into PCI DSS compliance costs and helps you estimate the cost of compliance for your business.
Factors influencing the cost of PCI DSS compliance
The cost of PCI DSS compliance varies across companies, as it’s influenced by many factors. Let’s take a closer look at what these factors are.
#1 Number of processed transactions
With regard to PCI DSS compliance, companies are classified into four levels according to the number of payment transactions they process per year. Let’s look at how these levels are defined.
- Level 1 includes companies with more than 6 million transactions per year. Businesses that have been previously found non-compliant also belong to this level.
- Level 2 is for companies that process between 1 and 6 million transactions per year.
- Level 3 consists of companies that process between 20,000 and 1 million transactions annually.
- Level 4 is for companies that have under 20,000 transactions per year.
The level your company belongs to defines the set of security measures you need to go through to check your company’s environment, hardware, and general workflow for compliance.
Businesses that belong to level 1 must be assessed by a Qualified Security Assessor (QSA). QSAs are companies that are authorized by the PCI Security Standards Council to evaluate other companies for compliance with security requirements. Before being assessed by a QSA, a level 1 company may check its compliance with the help of internal or external teams of PCI DSS experts.
Businesses at other levels can verify their compliance themselves or hire external professionals for this purpose. However, they still must comply with all the requirements. The only difference is that the compliance of such businesses does not need to be certified by a QSA. Level 2, 3, and 4 companies still need to complete a Self-Assessment Questionnaire (SAQ) and perform vulnerability scanning and specific types of testing annually to ensure security demands are satisfied.
#2 Type of business
The type of business you run also influences the price of compliance: PCI DSS compliance costs differ for merchants and for service providers.
Service providers like network firewall providers, hosting providers, billing account management systems, and point-of-sale system providers are indirectly involved in handling, storing, and transmitting cardholder information. Therefore, these entities must complete other types of security checks than those required of merchant companies. Thus, the price of compliance will differ for them as well.
For example, merchant companies with fewer than 6 million transactions per year are not obliged to be certified by a QSA. In comparison, service providers must be evaluated by a QSA if they have more than 300,000 transactions annually.
#3 Physical environment and hardware
The hardware used in your company’s workflow, including its type, location, and configuration, strongly affects the cost of PCI DSS compliance. If your employees work remotely or use their own devices for work, this also poses additional security risks and may significantly influence the price of compliance.
All equipment that handles card information should satisfy the demands specified in PCI DSS requirements. This equipment comprises computers, mobile devices, servers, and firewalls. Thus, the more hardware you use in your regular workflow, the higher the PCI DSS compliance costs are.
#4 Number of employees and their security awareness
Another vital aspect that may considerably influence the price of compliance is the number of staff members involved in card data processing. Expenses connected with the number of employees may include the price of additional IT security measures required to avoid security breaches.
Having a QA team with expertise in PCI DSS requirements may help you significantly decrease compliance expenses. With the help of skilled QA specialists, you can conduct regular checks and meet compliance requirements. An internal compliance check is a poor substitute for an unbiased audit, though. Companies with in-house PCI DSS expertise often still require a fresh look and assistance from outside QA teams. However, companies with appropriate in-house knowledge have an advantage compared to companies without it.
#5 Cardholder data environment
Storing cardholder data is more convenient than asking for it on every purchase, but it puts your organization at risk. A cardholder data environment (CDE) is the system that handles, stores, and transfers payment card information. It includes all the devices, service providers, people, and processes involved.
This broad scope means that a wide range of things may significantly influence the cost of compliance: human-related factors, such as which third parties you cooperate with and their level of access to the CDE; and software- and hardware-related aspects, such as the design of the network you’re using, the systems involved, the type of encryption, and the level of protection against malicious software.
#6 Cost of a PCI DSS compliance audit
The overall cost of compliance depends heavily on the cost of a PCI DSS compliance audit. Trying to achieve PCI DSS compliance internally is cheaper but may pose daunting challenges to your business. Instead, you may hire an external team of PCI DSS experts to see if your company’s information security controls meet requirements.
The more payment transactions you perform annually, the more resources you need to complete an audit. Before you start an audit, the company you hire to perform it should provide you with an estimate.
How much does a PCI DSS compliance audit cost?
There are a few aspects that influence the audit price, including the time needed to complete it and the hourly rate of the specialists you hire.
Cost of services across the globe
A crucial aspect that influences the price of a compliance audit is the hourly rate of your specialists. The hourly rate of QA engineers that perform PCI DSS audits varies significantly in different countries.
According to Clutch, the hourly rate of QA engineers with PCI DSS expertise in the US and Western Europe ranges between $50 and $150. In Eastern Europe, the average hourly rate is between $25 and $49. Quality assurance engineers from India and other Asian countries can have hourly rates of less than $25.
Now let’s proceed to an estimate.
Estimated hours for a backend audit
Below, we introduce an estimate for performing a high-quality PCI DSS compliance audit for the software backend. It includes an optimistic scenario for a smooth and straightforward process and a pessimistic one that assumes issues will appear.
| Checklist item | Optimistic (hours) | Pessimistic (hours) |
| --- | --- | --- |
| The firewall can adequately protect payment card information. | 12 | 26 |
| Default login details are not used. | 1 (per service) | 2 (per service) |
| Stored card information is adequately protected. | 6 | 8 |
| Cardholder information transferred through open networks is encrypted. | 6 | 8 |
| All systems used are protected against malicious software, and antivirus software is regularly updated. | 12 | 16 |
| Systems involved in handling customer data are secure and up to date. | 6 | 8 |
| Access to transaction-related information is provided only on a need-to-know basis. | 6 | 8 |
| It’s possible to track access to system components. | 6 | 8 |
| Physical access to sensitive data is restricted. | 6 | 8 |
| Access to network resources can be traced back. | 8 | 12 |
| Security systems and operations are regularly tested. | 20 | 24 |
| All personnel are aware of the company’s security policy. | 6 | 8 |
| Total | 95 hours | 126 hours |
Thus, a backend audit for your company will require between 95 and 126 hours.
Estimated hours for an audit of frontend or mobile applications
Below, we review the number of hours needed to check the front end of a web application or mobile application for compliance. Here we provide both optimistic and pessimistic scenarios as well.
| Checklist item | Optimistic (hours) | Pessimistic (hours) |
| --- | --- | --- |
| User data is not intercepted when entered into a device. | 6 | 8 |
| User data is protected from being compromised while processed or stored on a device. | 6 | 8 |
| User data is protected from being intercepted while transmitted from a device. | 6 | 8 |
| Unauthorized logical device access is prevented. | 6 | 8 |
| Server-side controls are available to monitor and report unauthorized access. | 12 | 16 |
| Privilege escalation and access control breaks are prevented. | 8 | 12 |
| Functionality is available to remotely disable payment applications. | 12 | 16 |
| It’s possible to detect theft or loss. | 6 | 8 |
| Supporting systems meet security requirements. | 6 | 8 |
| The application is upgraded to prevent unintended logical access. | 8 | 12 |
| Payment transactions are neither authorized offline nor stored for later transmission when the application is not accessible on the host. | 8 | 12 |
| The application conforms to secure coding, engineering, and testing practices outlined in the Payment Application Data Security Standard (PA-DSS). | 8 | 12 |
| The application is kept up to date to protect it from known vulnerabilities. | 12 | 16 |
| The device is protected from unauthorized applications. | 12 | 16 |
| The device is protected from malware. | 20 | 24 |
| The device is protected from unauthorized attachments. | 8 | 12 |
| There is proper documentation that addresses the secure use of the application. | 12 | 16 |
| Merchant receipts are secure. | 8 | 12 |
| A security indicator is implemented. | 12 | 16 |
| Audit and logging mechanisms are implemented for user and device access. | 8 | 12 |
| Total | 184 hours | 252 hours |
Performing a PCI DSS compliance audit for the frontend of an application requires between 184 and 252 hours. Accordingly, a complete check for a full-fledged application will take between 279 and 378 hours. To find out the cost of such an audit, you need to multiply those hours by the hourly rate of your team.
Getting PCI DSS compliance may take a lot of effort, time, and money. However, being compliant is much cheaper than paying for the consequences of non-compliance.
There’s no one-size-fits-all price for PCI DSS compliance. The cost of compliance depends on the following factors:
- Number of processed transactions
- Type of business
- Physical environment and hardware
- Number of employees and their security awareness
- Cardholder data environment
- Cost of a PCI DSS compliance audit
The set of measures you need to take to prove your PCI DSS compliance depends on the level your company belongs to. For example, if you’re classified as a level 1 organization, you’re obliged to be certified by a Qualified Security Assessor. If you belong to levels 2, 3, or 4, certification is not required but you still need to complete a self-assessment questionnaire and perform vulnerability scanning and specific types of testing annually.
The cost of a PCI DSS audit depends on two main factors. The first is the hourly rate of the team of experts you hire to perform the audit. The second is the number of hours required to complete the audit.
According to Clutch, the hourly rate of QA engineers with PCI DSS expertise ranges between $50 and $150 in the US and Western Europe, $25 and $49 in Eastern Europe, and around $25 in India and other Asian countries.
According to the RubyGarage QA team, a full-fledged application will take between 279 and 378 hours to audit.
If you require a team with strong expertise in PCI DSS compliance to audit your business for a reasonable price, contact RubyGarage.