We often receive inquiries from potential customers who are looking for an independent credit card vault and are in the process of weighing up whether to use a third party service like Spreedly or build their own solution. Given the importance of securely storing customer credit card data and the consequences of getting it wrong, the build-vs-buy choice represents a significant decision for any organization irrespective of size.
As with most important strategic decisions, cost and time-to-implement play a major part in the decision, so we thought it would be helpful to break down what is involved in building a PCI-compliant credit card vault.
For many organizations the most significant costs of developing their own credit card vault are additional staffing and hardware. To ensure the project doesn't become a distraction from your core business, you'll probably need at least one full-time employee to cover compliance, security, and the extra hardware maintenance a vault of your own requires.
For companies with an existing compliance and security team, it may be possible to reallocate personnel to cover the additional workload. For smaller organizations, however, hiring at least one additional employee is likely unavoidable. The larger and more complex your needs, the more personnel you will require. The cost will depend on your market, but you can expect to spend at least an additional $70-100k a year on personnel.
Then there's the additional hardware you will likely need to support your new credit card vault. For a start you will need dedicated firewall, database, application, and utility servers, together with the switches and other hardware necessary to run a network-segmented, secure vault environment (including failover systems). You'll then also need to pay hosting fees for all of it.
Total hardware cost: $60-70k initial set-up, with annual maintenance and upgrade costs of $40-60k. Want geographic redundancy? Double it.
Of course you can always lease the equipment instead, which eliminates the bulk of the upfront purchase cost but means paying a higher annual fee of $80-100k.
Perhaps the greatest unknown when it comes to storing credit card data is the PCI compliance gauntlet. We've covered the process of becoming Level 1 compliant, and Spreedly's own PCI compliance, extensively elsewhere. Engaging and working with a Qualified Security Assessor (QSA) is both time- and resource-intensive and has the potential to become a huge distraction within an organization.
QSAs quite rightly take their responsibilities seriously and won't sign off on a Report on Compliance (ROC) until they're 100% satisfied that a company's systems are fully compliant. The initial assessment is without doubt the most time-consuming and expensive step, but it is not a one-off: every Level 1 organization must undergo an annual re-assessment by a QSA to confirm ongoing compliance, on top of the quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) that PCI DSS requires.
QSA rates will vary and some estimates put the cost at $225k+ per year for many organizations, but in our experience smaller organizations can expect to pay between $35k-100k a year.
An often ignored aspect of maintaining a credit card vault is the extra insurance you will need to carry to cover your organization in the event of a data breach. Given the recent high-profile Target and Neiman Marcus data breaches, credit card vaults are viewed as high-risk by insurers, which translates into them being expensive to insure.
The total cost will depend on the number of cards you plan to vault, the amount of coverage you require and your existing insurance relationship, but for a basic policy (e.g. $1-2 million of coverage) it's not unheard of to pay over $50k a year. That is meant to cover fines issued by the card networks, security upgrades and your notification obligations to affected cardholders. These costs escalate quickly for large-scale breaches, so insurance is a "must have".
It is also important to consider how technically prepared your organization is to handle credit card vaulting. Probably the most significant factor is what your code base looks like and whether you can easily isolate card storage and processing from the rest of it, since every system that stores, processes or transmits cardholder data falls within the scope of the assessment.
If you built your system with the idea of one day hosting your own PCI-compliant credit card vault and payment processing environment, then great, you've already overcome one of the largest technical hurdles.
If, on the other hand, you didn't originally factor in the possibility of hosting your own vault then the process will be far more complicated, time intensive and perhaps most importantly - expensive. If you're fortunate and fall into the first bucket, you can expect to spend 2-4 months updating your code and building the technical framework to support your vault; if your code needs a serious overhaul it could take anywhere from 6-12 months before you're even ready to engage a QSA.
There's no hiding the fact that building a PCI-compliant credit card vault takes time, and a lot of it. Depending on your level of readiness you're realistically looking at a minimum of 6 months if all goes smoothly, and 12+ months if your QSA uncovers issues that need to be fixed before they can certify your compliance.
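To make the isolation point concrete, here is an added example (not code from the original post or from Spreedly) of the boundary a vault imposes on the rest of your code base: the application only ever receives an opaque token and the last four digits, while a single vault component validates, encrypts and stores the full PAN and is the only path back to it. The in-memory store, the caller-supplied AES key, the `tok_` token format and the test card number are assumptions for illustration; a real vault keeps the key in an HSM or KMS and adds access control and audit logging that this sketch omits. The `containsPAN` scan at the end is the kind of cheap check you would run over application records and logs to catch a PAN crossing the boundary by mistake.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// luhnValid reports whether s is a 13-19 digit string that passes the Luhn check.
func luhnValid(s string) bool {
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// CardReference is all the application side ever stores or logs: no PAN.
type CardReference struct {
	Token string
	Last4 string
}

// Vault is the only component in scope for the full PAN. The map and the
// caller-supplied key are illustrative assumptions (see lead-in).
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || AES-GCM ciphertext
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: map[string][]byte{}}, nil
}

// Tokenize validates the PAN, encrypts it under a fresh nonce with the token as
// associated data (so a ciphertext cannot be re-filed under another token),
// and returns only what the application is allowed to keep.
func (v *Vault) Tokenize(pan string) (CardReference, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return CardReference{}, errors.New("invalid PAN")
	}
	raw := make([]byte, 16)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(raw); err != nil {
		return CardReference{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return CardReference{}, err
	}
	token := "tok_" + hex.EncodeToString(raw)
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = append(nonce, ct...)
	return CardReference{Token: token, Last4: pan[len(pan)-4:]}, nil
}

// Reveal is the one path back to a PAN (what a gateway integration would call)
// and belongs behind the vault's own access control, not the application's.
func (v *Vault) Reveal(token string) (string, error) {
	rec, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err // tampered record or token/ciphertext mismatch
	}
	return string(pt), nil
}

// containsPAN flags any Luhn-valid 13-19 digit run: a cheap scope check for
// anything that leaves the vault (application records, logs, exports).
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

func containsPAN(s string) bool {
	for _, m := range panPattern.FindAllString(s, -1) {
		if luhnValid(m) {
			return true
		}
	}
	return false
}

func main() {
	v, _ := NewVault(make([]byte, 32))       // constructed demo key, never do this for real
	ref, _ := v.Tokenize("4111 1111 1111 1111") // constructed test PAN
	record := fmt.Sprintf("customer=42 token=%s last4=%s", ref.Token, ref.Last4)
	fmt.Println(record, "leaks PAN:", containsPAN(record))
}
```

The design choice worth noting is that `Reveal` exists at all: a vault that can never return a PAN is of no use to a payment gateway integration, so the real work of scoping is making sure that only the vault's own, separately assessed components can call it.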
All up, the average organization can expect to pay ~$200-340k to build an independent credit card vault with a 6-12 month timeframe, and annual maintenance costs within the same ballpark. Of course, the actual costs for each organization will differ based on their unique circumstances and geography, but hopefully this gives a rough estimate of the costs involved in building your own PCI compliant credit card vault.