There is much more to being PCI compliant than filling out a PCI SAQ or passing a quarterly vulnerability scan. Securing customer credit card data takes sustained work and resources from the business.
Many businesses struggle when setting a budget for PCI compliance. Commonly the budget is kept so small that IT departments and third parties cannot upgrade equipment or keep up with the latest security standards, which leaves the business at greater risk of a breach.
What the Cost of PCI Compliance Depends On
The cost of PCI compliance depends largely on the number of transactions processed per year. There are two categories of business: those that process more than 6 million MasterCard or Visa transactions each year, and those that process fewer than 6 million MasterCard or Visa transactions per year.
Variables that affect the cost of PCI compliance
The cost you pay for your PCI audit depends on how your organization is set up. Below are some factors that affect the overall PCI compliance cost.
Type of Business:
Whether you are a service provider, a shop, or a franchise, each has a different amount of cardholder data, a different environment structure, and a different set of requirements.
Size of Organization:
Normally, the bigger the organization, the more potential weaknesses there are in its systems: more computers, more cardholder data, and more departments, processes, programs, and staff members. Every additional department needs additional protection and security, which inevitably adds to the cost.
Environment of Organization:
Mobile devices, the brands of computers in use, the types of firewalls, backend servers, and similar details can all affect the PCI cost.
Dedicated PCI Staff of Organization:
Even with a highly dedicated in-house team, organizations commonly need outside consulting or help to meet PCI requirements.
Your acquiring bank may charge a monthly non-compliance fee for not being PCI compliant. The fee varies from bank to bank and may be waived once you provide proof of PCI compliance.
Prepaying acquirers:
Occasionally an acquiring bank arranges with a PCI DSS vendor and pays for its merchants' PCI compliance, but this happens rarely.
Cost of PCI Compliance
A small entity's cost of PCI DSS compliance should start from about $300 per year, depending mostly on its environment. Several separate costs make up that figure.
· Self-Assessment Questionnaire $50 to $200
· Vulnerability scanning per IP address $100-$150
· Training and policy making per employee $70
· Remediation (software and hardware upgrades/updates, etc.) depends on the entity's current state of compliance and security; roughly $100 to $10,000.
A large entity is required to undergo a PCI audit, which can cost upward of $70,000 per audit.
· Onsite audit more than $40,000
· Penetration testing more than $5,000
· Vulnerability scans more than $800
· Training and policy making more than $5,000
· Remediation (software and hardware upgrades/updates, etc.) depends on the entity's current state of compliance and security; roughly $10,000 to $500,000.