
It Costs How Much to Stay PCI-Compliant?

September 21, 2015

Cost is a big reason companies—especially small- to mid-sized ones—fail to stay compliant with the 12 components of the Payment Card Industry’s Data Security Standard (PCI DSS).

Costs vary greatly, depending mostly on the size of the company in question. Larger companies will most often have higher compliance costs; however, even small companies can find it expensive to stay compliant when resources are limited. The best way for smaller companies to save costs and achieve compliance is to look to a third-party expert for guidance.

The standard recognizes four sizes of companies:

Tier 1 Enterprises

Tier 1 enterprises, of which there are a few hundred in the United States, process more than 6 million card transactions per year and must undergo third-party assessments to confirm PCI DSS compliance.

Tier 2 Merchants

Tier 2 merchants conduct 1-6 million card transactions annually. The PCI DSS Security Council makes audits for this group voluntary, but because most are public companies, they undergo them anyway. Their costs are of the same general kind as those of Tier 1 merchants, although having fewer sites to assess may reduce the ultimate price tag by perhaps one order of magnitude. That is, their total information security audit costs are likely to be closer to six figures than seven.

Tier 3 and Tier 4 Merchants

Merchants classified as Tier 3 conduct between 20,000 and 1 million credit card transactions annually. These companies don't have to undergo an audit; they only need to complete the PCI Self-Assessment Questionnaire (SAQ). This means the company need not bring in outside consultants or experts. Thus, the self-assessment adds no outside costs; it simply diverts salaries or work-hours from day-to-day business operations to conducting the assessment.

The same is true for Tier 4 companies, which conduct fewer than 20,000 card transactions per year. They, too, need only complete the SAQ.

Toeing the Line

The lack of a requirement for an outside audit is a seductive invitation to slack off, and some companies will do exactly that. They may do it because they still think breaches only happen to other organizations, or because they lack the expertise and mistakenly fear it will be too expensive to bring in outside help.

Even though they are not required to conduct an audit, Tier 3 and Tier 4 companies that are serious about credit card transaction security and have the expertise will divert people, resources and the necessary funds to a thorough self-assessment. These are the businesses you likely won’t hear about in the news, and you want your company to be in that group.

If a Tier 3 or Tier 4 company does not have the expertise or funds to conduct a thorough SAQ, help is not far away—nor is it necessarily costly. Monitoring services can be had for as little as $20 to $25 per month. That’s a very small investment, even for a Tier 4 company, to ensure card transactions remain safe on a daily basis. That’s especially the case for a small company, which can, if seriously breached, go out of business entirely. PCI DSS compliance need not cost that much, and going cheap on it really isn’t worth the ultimate and avoidable price.

Stay connected

Subscribe to our Inside WEX blog and follow us on social media for the insider view on everything WEX, from payments innovation to what it means to be a WEXer.
