PCI compliance can represent a significant cost for small businesses and startups. However, it's important to keep in mind that the cost of compliance is always lower than the cost of noncompliance. No business can afford the stiff financial penalties associated with failure to submit required proof of compliance, or the loss of revenue and potential lawsuits that can result from a data breach.
Modern IT professionals and business owners should start thinking of compliance as a recurring expense. Build compliance requirements into your annual budget to avoid sticker shock or having to scramble to meet the minimum. If your business anticipates an ongoing need to process cardholder payments, PCI compliance is a requirement that simply must be considered. In this blog, you'll learn how to plan for the cost of becoming PCI compliant and maintaining compliance in the years to come.
Factors that Affect the Cost of PCI-DSS Compliance
The cost of PCI compliance can vary from business to business. The number of transactions processed per year is among the most significant variables to consider, but it's not the only one.
Your building's hardware, software, and even physical environment can present variables that can significantly drive up the cost. Join us as we review nine factors that can impact the total cost to your business of PCI compliance.
1. Number of Transactions Processed
The number of transactions processed each year will determine the "level" of compliance required for your organization. In addition to the total number of transactions, the number of eCommerce transactions you process is also used to determine your company's level.
Levels and associated requirements can vary between vendors, so it is important to determine requirements on a per-vendor basis. You may find that your level is significantly different with American Express than with Visa or MasterCard. Ultimately, the higher your compliance level, the more rigorous your requirements.
2. Business Type
Business size and type can have an impact on other factors that can drive compliance cost up or down. The cost of maintaining compliance in a small retail environment can be vastly different from the costs at a large corporation. Employees, company culture, franchise status, and physical environment can also have an impact on compliance costs.
3. Number of Employees
Each employee who processes card data can present vulnerabilities and security risk. The total number of employees who handle card processing or payment data is a significant factor in total compliance costs.
Every employee who interfaces with payment card information can increase the total costs of training or necessitate additional IT security protections. Organizations with a large number of employees may also require more elaborate policies and procedures.
4. Senior Leadership
Organizational culture is a significant factor in information security and risk mitigation. Per Deloitte, a "culture of ethics and compliance" could be key to compliance. Ideally, your senior leadership or company owner should be fully supportive of your need for PCI-DSS compliance. Support should include the necessary budget to manage risks.
If your leadership team is not supportive of your PCI efforts, you could face cultural barriers. Employees may be reluctant to modify their behavior, due to a culture of noncompliance. Executive buy-in is critical, and non-supportive leadership could significantly increase your risk of being hit with noncompliance penalties.
5. Physical Environment
The location, type, and configuration of your onsite (or offsite) hardware can all impact the costs of compliance. Other factors related to physical environment can also have an impact. If your employees work remotely, your compliance costs could be higher. Bring-your-own-device (BYOD) workplaces may also face greater risks, particularly if employee-provided mobile devices are used to process and store card transactions.
Every piece of equipment used to process or transmit card data must be compliant with PCI DSS. This includes computers, mobile devices, servers, card machines, firewalls, and more. Typically, organizations with a high volume of hardware can anticipate higher compliance costs. This is due to a larger volume of risk-mitigation activities and purchases necessary to meet requirements.
7. In-House PCI Knowledge
If your organization's IT team includes PCI expertise, you may be able to anticipate lower compliance costs. In-house expertise could allow you to continually evaluate and meet requirements. Organizations with little internal IT talent or PCI knowledge may need the ongoing assistance of PCI consultants in order to mitigate risk.
It's important to remember that in-house PCI expertise is not a substitute for unbiased review and audit by a certified third-party professional. However, internal talent can help ensure your organization is prepared for an audit.
8. PCI Fees
Noncompliance fees can occur on a monthly basis. Companies that are subject to noncompliance fees may be responsible for monthly payments until satisfactory proof of compliance has been submitted. If your organization has been found noncompliant in the past, your interim costs could be higher due to these monthly recurring payments.
9. Qualified Security Assessments
The costs of a qualified audit depend on the level of compliance required. A small organization's audit fees will be much lower than those of a larger organization that processes millions of transactions on an annual basis. A qualified auditor should be able to provide a quote in advance, based on your estimated compliance-level requirements and other factors discussed in this blog.
Ancillary services provided by an auditor or organization, such as policy development and staff training, can add to this cost. While these services can increase costs significantly, they can be an important tool for organizations that lack the internal resources to appropriately mitigate risks.
How Much Does PCI Compliance Cost?
The average cost of PCI-DSS compliance can vary significantly according to the factors discussed above. While compliance level is among the most accurate predictors of compliance cost, there is significant variation between levels due to physical environment, the amount of external consultant services required, and other variables.
However, per TrustNet, the reported cost of meeting vendor requirements can range from less than $10,000 each year to several million dollars. Most small businesses and companies that process fewer than 20,000 transactions each year have an average cost of less than $10,000.
PCI DSS compliance isn't simple, but it's critical for organizations that rely on credit or debit card processing as a source of revenue. In order to avoid costly financial penalties, organizations must view PCI as an ongoing effort. By budgeting for compliance on a monthly basis and enlisting expert guidance in identifying and meeting requirements, your team can mitigate risks.
CimTrak is a leading solution for auditing configuration standards against industry benchmarks, monitoring file integrity, and other activities critical to PCI compliance at organizations of any size.
March 24, 2016