One of the most complicated aspects of running a merchant business is PCI compliance, especially with the impending introduction of PCI DSS v4.0. Given a merchant's current PCI setup, some of the upcoming requirements could prove quite onerous.
Not only does PCI compliance impose strict legal and technical requirements on merchants, but it can also be incredibly costly without the right compliance solution.
The cost of PCI compliance varies widely from merchant to merchant, ranging from $1,000 on the low end to upwards of $50,000 annually. This cost is driven by many factors, such as the size of a merchant’s business and their PCI compliance level.
For merchants aiming to reduce operational costs in 2023, finding the right approach to PCI compliance to increase cost efficiency is imperative.
An Overview of PCI Compliance Requirements
Implementing a PCI compliance solution is no small feat for merchants.
The PCI Data Security Standard (DSS) is a set of required practices that any merchant handling cardholder information must adhere to. These standards are set and enforced by the PCI Security Standards Council (SSC), which is made up of several major card networks (such as Visa).
To be PCI compliant, merchants must follow 12 requirements for maintaining payment security.
Additionally, merchants must determine what PCI compliance level they are classified as and follow the relevant reporting requirements for their level.
PCI compliance divides merchants into four levels:
- Level 1: Merchants at Level 1 process more than 6 million card transactions annually.
- Level 2: Merchants at Level 2 process between 1 million and 6 million card transactions annually.
- Level 3: Merchants at Level 3 process between 20,000 and 1 million card transactions annually.
- Level 4: Merchants at Level 4 process fewer than 20,000 card transactions annually.
Level 1 merchants are required to have a third-party validation of PCI compliance, while merchants at Levels 2 to 4 can self-validate their compliance. Additionally, merchants in Levels 1 to 3 are required to report their compliance status directly to their acquiring bank.
Let’s break down the specifics of compliance validation further:
- Self-Validation of PCI Compliance: Merchants at Levels 2 to 4 can self-validate their PCI compliance via an Annual Self-Assessment Questionnaire (SAQ). These merchants are not required to undergo a third-party PCI DSS assessment or complete a Report on Compliance (ROC). However, merchants at these levels may work with a PCI SSC-approved Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) instead of performing an SAQ.
- Third-Party Validation of PCI Compliance: Merchants at Level 1 must receive third-party validation of their PCI compliance via a PCI DSS Assessment. This assessment must be performed by a PCI SSC-approved QSA or ISA and requires the completion of a Report on Compliance (ROC).
With the overarching goal to make the payments industry more secure, the PCI SSC’s objective is not to overcomplicate compliance for merchants. As such, the organization offers a variety of different PCI compliance tools and resources that merchants can leverage to assess their current status.
For example, the Data Security Essentials Evaluation Tool is an official PCI SSC tool that provides key insights into the best security practices for a specific merchant. This tool is useful for identifying the most relevant security issues that a merchant needs to bring to their bank’s or compliance provider’s attention.
Keeping these factors in mind, let’s now look at the potential costs for merchants according to their compliance level, implementation needs, and reporting responsibilities.
The Costs of PCI Compliance for Implementation & Validation
Pinning down exact numbers for the cost of PCI compliance is immensely difficult.
There is a high level of variance from one payment infrastructure to the next, meaning that some merchants will inevitably face higher costs than others. This can be particularly true for merchants in need of Level 1 compliance that do not have in-house or dedicated compliance teams to rely on.
In general, the costs of PCI compliance can be divided into two categories:
PCI Compliance Implementation Costs
PCI compliance implementation refers to the process of integrating the necessary tools and updating security practices to meet the 12 compliance requirements.
While PCI compliance implementations vary from merchant to merchant, we can identify five main cost factors to consider:
- Vulnerability Scanning: Vulnerability scanning is the process of regularly monitoring your computer systems, networks, and applications for any security vulnerabilities. For PCI compliance, these vulnerability scans should occur once per quarter, or every 90 days. The cost of vulnerability scanning depends on the number of IP addresses being scanned, typically ranging between $100 and $200 per IP address.
- Training & Policy Development: Part of PCI compliance involves creating and maintaining a better information security policy. To ensure this policy is upheld, a merchant must provide adequate training for any staff members handling cardholder information on how to properly manage this data and keep systems secure. Policy development can range in cost from less than $1,000 to $5,000+ depending on the scope of policy changes needed, while employee training typically costs between $50 and $100 per employee.
- Penetration Testing: Penetration testing is a process designed to identify, purposefully exploit, and then address vulnerabilities within a merchant’s systems. This type of testing is technically complex, looking at vulnerabilities throughout the payment infrastructure and from both internal and external environments. Penetration testing is often one of the biggest cost burdens, ranging in price from $4,000 to $100,000+ depending on the scope. Generally, most merchants face penetration testing costs of around $15,000.
- Remediation: Remediation is the process of fixing the vulnerabilities and exploitable weaknesses identified through vulnerability scanning and penetration testing. The cost of remediation is one of the hardest to estimate, as it greatly depends on what software, hardware, and digital solutions a merchant is currently leveraging. Merchants facing remediation can expect anywhere from a few thousand dollars to $500,000+ in total costs depending on the scope of the fixes needed.
- PCI Audits: PCI audits refer to the process of inspecting a merchant’s PCI compliance by analyzing the security software, hardware, policies, and controls in place within the merchant’s system. A PCI SSC-approved QSA is involved in this process to ensure the audit is by-the-book and addresses all necessary requirements. These audits, which can involve onsite auditing processes, can cost upwards of $30,000 to $40,000 on average.
PCI Compliance Validation Costs
As previously stated, merchants at Levels 2 to 4 must complete an annual Self-Assessment Questionnaire, while Level 1 merchants must complete an annual PCI DSS Assessment.
Let’s compare the costs of these two PCI compliance validation processes:
- Self-Assessment Questionnaire: Along with the costs of any implementation requirements necessary to meet PCI compliance, merchants in Levels 2 to 4 must pay the cost of a Self-Assessment Questionnaire. These questionnaires typically cost less than $300 in total.
- PCI DSS Assessment: The PCI DSS Assessment is a much more complex process that requires a certified assessor (QSA or ISA) to evaluate all of an organization’s security policies, practices, and procedures against the relevant controls and requirements listed in the PCI DSS. While the DSS is primarily divided into 12 main requirements, there are actually more than 400 different controls involved in the security standard. As such, a full PCI DSS Assessment can be very costly for Level 1 merchants, easily costing $100,000+ depending on the relevant implementation needs.
What is the Cost of PCI Non-Compliance?
PCI non-compliance can occur for many reasons, with the most common being a failure to complete or maintain an annual Self-Assessment Questionnaire. Non-compliance fees are typically charged to merchants by vendors and generally cost around $30 per month until the issue is remedied.
However, if left unaddressed for long enough, PCI non-compliance can lead to more formal fines and penalties that can range from $5,000 to $100,000 per month in total cost.
How Advanced Vaulting Simplifies PCI Compliance for Merchants
As the world becomes rapidly more digital, merchants need more help than ever in dealing with the burden of PCI compliance. With Spreedly’s payment orchestration solution, merchants can benefit from advanced vaulting features that take the pain out of compliance.
Spreedly maintains a PCI Level 1 card vault, significantly reducing the compliance responsibility and scope for our merchants. While merchants using Spreedly must still obtain the proper PCI certifications and validation, Spreedly’s PCI Level 1 compliance handles the necessary collection, processing, and storage of cardholder information.
Get in touch with the Spreedly team today to begin reducing your compliance burden.