The Real Costs of PCI Compliance

PCI-DSS is the set of standards all participants in the online payment process must adhere to. Failure to comply with its strictures can lead to higher costs, business-threatening data breaches, and even the loss of the ability to take credit card payments. Staying in full compliance, however, is costly, both in terms of actual cash outlay and in terms of human resource deployment. Any program that can reduce the amount of a system that is within PCI-DSS scope promises a significant return on investment, and merchants should examine both the direct and indirect costs to understand their real financial commitment.

The Direct Costs of PCI Compliance

In order to make the application of the PCI standard economically viable for a broad range of organizations, the requirements are tiered, based on the volume of deals a merchant completes annually. These are:

• PCI Level 1: Businesses processing over 6 million transactions per year
• PCI Level 2: Businesses processing 1 million to 6 million transactions per year
• PCI Level 3: Businesses processing 20,000 to 1 million transactions per year
• PCI Level 4: Businesses processing less than 20,000 transactions per year

The costs of maintaining a fully PCI-compliant environment increase as merchants grow and work their way through the levels. At Level 4, for instance, a merchant needs to simply fill out Self Assessment Questionnaires (SAQ), run penetration tests internally, and file a self-approved Attestation of Compliance (AOC) form. By contrast, those at Level 1 must also bring in outside auditors, who will check and stress-test every element of the PCI compliance program. And, of course, the more checking is required, the higher the likelihood that problems will be uncovered and need to be addressed in order to maintain status with the other participants in the payment process (PSPs, card networks, acquiring banks, etc.).

Merchants should prepare, then, to budget for direct costs including:

• Logging activity: depending on the level of logging already required for business need, costs to implement logging sufficient to meet Requirement 10 could run an organization $10,000/month, as well as the personnel costs of reviewing and maintaining the the logs
• Vulnerability scans: these scans, as outlined in PCI DSS Requirement 5, should be run once every quarter at a cost of $100 to $200 per IP address.
• Regular and frequent penetration tests: simple organizations may see costs around $20,000 per year, but larger enterprises will pay significantly more, at an upwards of $100,000 or more
• Remediation and system needs: building a fully redundant environment could literally double the cost of systems. Likewise, should a vulnerability be found, remediation of the issue could cost an organization an upwards of $100,000 or more, depending on the resources required. System and remediation costs are the most variable and may be unknowable upfront.
• Payment to outside auditors for testing and certifications: auditors can run an organization around $40,000, and will also file AOCs and ROCs with the PCI council, included in this fee

In total, the direct costs of achieving PCI compliance could range from $70,000 a year on the low end to $500,000+ yearly for larger enterprises with complicated systems. 

Indirect Costs of PCI Compliance

While the direct costs of PCI compliance can be significant, the indirect costs can be insidiously high. For instance, the need to keep all equipment that is connected to the payment system separated from systems that are outside of PCI scope can mean not only buying more hardware (or provisioning more space on a cloud provider), it can also add to the administrative burden on the IT and DevOps teams, forcing merchants to increase their operations headcount. Similarly, frequent checks and penetration tests can complicate IT schedules and task lists, taking resources and attention away from other, non-PCI-related activities.

And when a breach occurs despite a merchant’s efforts to remain PCI compliant (as the news confirms happens from time to time to even the largest organizations), the costs can skyrocket. Beyond the reputational damage wrought by the breach - which must be combatted through PR and advertising efforts - the impact on future fees and related costs charged by other participants in the payment process can be massive.

After a breach, it is not at all unusual for merchants to see their:

• Fees increase by 50 to 100 basis points
• Chargeback fees increase as much as four-fold
• Payment service providers demand a 10% to 20% 30-day holdback on all funds

Limiting the costs of PCI Compliance

Any organization that is in the business of taking electronic payments will necessarily find itself in the crosshairs of PCI-DSS: it is, after all, not just a tricky set of standards, but also a genuine guidebook to protecting consumers’ personal information. That said, that are a number of ways that merchants can limit their systems’ PCI scope, the most prominent of which are full-service payment service providers (PSPs) and third-party tokenization platforms.

Full-Service PSPs

A full-service PSP will take care of collecting, storing, and making available consumer cardholder information without it ever being exposed to the merchant in plain text (they will instead received an unencryptable token to be used for future transactions). When the full-service PSP takes all ownership of the cardholder data, both in motion and at rest, the merchant avoids the requirement to meet most PCI-DSS rules, because they simply don’t have the data to protect. However, they are now entirely beholden to the full-service PSP: because the data is not under the merchant’s control, they cannot, for instance, sign up with another PSP and have the consumer cardholder data transmitted there - instead they must limit themselves to their single PSP’s services and whatever fees have been agreed.

Third-Party Tokenization Platforms

A third-party tokenization platform performs the security-level services of the full-service PSP: it collects and stores cardholder information, and provides an unencryptable token to the merchant. Unlike the full-service PSP, however, a third-party tokenization platform enables the merchant to transmit cardholder data to any PSP, or PSPs, of their choice. In this way, merchants can offload their PCI compliance responsibilities, while still retaining the ability to optimize their payment processing costs by distributing transactions across competing PSPs.

For example, merchants that partner with Basis Theory significantly reduce their costs of PCI compliance. While a company may still have personnel costs and may want to keep penetration tests and scans in-house, the rest of the requirements could be covered under the PCI scope of Basis Theory. Therefore, that company’s yearly cost of compliance could go from $100,000+ per year to only $40,000 a year (or less).

PCI Compliance Cost Optimization is Real

Failing to comply with PCI-DSS can be extremely damaging to an organization, either through fines and accelerated fees owing to a failure to comply, or through the very real impacts of data breaches in improperly protected payment systems. That doesn’t mean, however, that the direct and indirect costs of maintaining a fully Level 1-compliant environment can’t be reduced: letting a partner shoulder the burden of staying in compliance releases cash and time investments to other organizational requirements. That said, ensuring that the partner cannot hold the organization's stored cardholder data hostage to ensure continued business relations is fundamental to a long-term workable plan.