
    Actual Costs of PCI Compliance

    The Real Costs of PCI Compliance

    Measuring the cost of PCI compliance starts by knowing how many credit card transactions are being processed each year. The requirements are tiered, based on the volume a merchant completes annually. 

    Those tiers are:

    • PCI Level 1: Businesses processing over 6 million transactions per year.
    • PCI Level 2: Businesses processing 1 million to 6 million transactions per year.
    • PCI Level 3: Businesses processing 20,000 to 1 million transactions per year.
    • PCI Level 4: Businesses processing less than 20,000 transactions per year.

    The costs of maintaining a fully PCI-compliant environment increase as merchants grow and work their way through the levels. At Level 4, for instance, a merchant needs to fill out Self-Assessment Questionnaires (SAQs), run penetration tests internally, and file a self-approved Attestation of Compliance (AOC) form. Those costs are minimal.

    By contrast, a PCI Level 1 merchant must bring in outside auditors, who will check and stress-test every element of the PCI compliance program. And, of course, the more checking required, the higher the likelihood that problems will be uncovered and need to be addressed in order to maintain status with the other participants in the payment process (PSPs, card networks, acquiring banks, etc.).

    Generally, these are the costs of PCI compliance a merchant should prepare the budget for:

    • Logging Activity: depending on the level of logging already required for business needs, the cost of implementing logging sufficient to meet Requirement 10 could run an organization $10,000/month, on top of the personnel costs of reviewing and maintaining the logs.
    • Vulnerability Scans: these scans, as outlined in PCI DSS Requirement 5, should be run once every quarter at a cost of $100 to $200 per IP address.
    • Regular and Frequent Penetration Tests: smaller organizations may see costs around $20,000 per year, but larger enterprises will pay upwards of $100,000 or more.
    • Remediation and System Needs: building a fully redundant environment could literally double the cost of systems. Likewise, should a vulnerability be found, remediating the issue could cost an organization upwards of $100,000 or more, depending on the resources required. System and remediation costs are the most variable and may be unknowable upfront.
    • Payments to Outside Auditors for Testing and Certifications: auditors can run an organization around $40,000; filing AOCs and ROCs with the PCI council is included in this fee.

    In total, the direct costs of achieving PCI compliance could range from $70,000 a year on the low end to $500,000+ yearly for larger enterprises with complicated systems. 


    Indirect Costs of PCI Compliance

    While the direct costs of PCI compliance can be significant, the indirect costs can be insidiously high. 

    For instance, the need to keep all equipment that is connected to the payment system separated from systems that are outside of PCI scope can mean not only buying more hardware (or provisioning more space on a cloud provider), it can also add to the administrative burden on the IT and DevOps teams, forcing merchants to increase their operations headcount. Similarly, frequent checks and penetration tests can complicate IT schedules and task lists, taking resources and attention away from other non-PCI-related activities. 

    And when a breach occurs despite a merchant’s efforts to remain PCI compliant (as the news confirms happens from time to time to even the largest organizations), the costs can skyrocket. Beyond the reputational damage wrought by the breach, the impact on future fees and related costs charged by other participants in the payment process can be massive.


    After a breach, it is not at all unusual for merchants to see their:

    • Fees increase by 50 to 100 basis points.
    • Chargeback fees increase as much as four-fold.
    • Payment service providers demand as much as a 20%, 30-day holdback on all funds.


    Cost of Non-Compliance

    The penalties for a merchant who is not in PCI compliance are severe, impacting both a company's financial stability and its brand reputation.

    Here are some potential consequences:

    • Fines from Card Brands: Non-compliance fines can range from $5,000 to $100,000, depending on the level and volume of transactions processed.
    • Increased Transaction Fees: Acquiring banks may impose higher transaction fees, making day-to-day operations more costly.
    • Liability for Fraud and Data Breaches: Non-compliant merchants can be held liable for fraud or data breaches that occur, leading to costs associated with investigations, customer notifications, credit monitoring, and compensation for impacted customers. 
    • Loss of Merchant Account: Severe cases could lead to an acquiring bank terminating the merchant’s ability to process card payments. This effectively shuts down the ability to operate if card payments are essential to sales.
    • Mandatory Remediation Costs: Implementing specific security measures or undergoing regular compliance audits could be required for non-compliant merchants. 


    Limiting the Costs of PCI Compliance 

    Any organization that is in the business of taking electronic payments will necessarily find itself in the crosshairs of PCI-DSS: it is, after all, not just a tricky set of standards, but a genuine guidebook to protecting consumers’ personal information. 


    That said, there are a number of ways that merchants can limit their systems' PCI scope, whether through an internal checklist, a full-service payment service provider (PSP), or a token orchestration platform.

    Full-Service PSPs

    A full-service PSP will take care of collecting, storing, and making available consumer cardholder information without it ever being exposed to the merchant in plain text; the merchant instead receives an irreversible token (one that cannot be decrypted back into the card data) to be used for future transactions.

    When the full-service PSP takes all ownership of the cardholder data, both in motion and at rest, the merchant avoids the requirement to meet most PCI-DSS rules, because they simply don’t have the data to protect. However, they are now entirely beholden to the full-service PSP: because the data is not under the merchant’s control, they cannot, for instance, sign up with another PSP and have the consumer cardholder data transmitted there - instead they must limit themselves to their single PSP’s services and whatever fees have been agreed.

    Token Orchestration Platforms

    A token orchestration platform (or third-party tokenization platform) provides the security-level services of the full-service PSP: it collects and stores cardholder information, and provides an irreversible token to the merchant.

    Unlike the full-service PSP, however, a tokenization platform enables the merchant to transmit cardholder data to any PSP, or PSPs, of their choice. In this way, merchants can offload their PCI compliance responsibilities, while still retaining the ability to optimize their payment processing costs by distributing transactions across competing PSPs.

    For example, merchants that partner with Basis Theory significantly reduce their costs of PCI compliance. While a company may still have personnel costs and may want to keep penetration tests and scans in-house, the rest of the requirements could be covered under the PCI scope of Basis Theory. 

    Therefore, that company’s yearly cost of compliance could go from $100,000+ per year to $40,000 a year (or less).

    That doesn’t mean, however, that the direct and indirect costs of maintaining a fully Level 1-compliant environment can’t be reduced: letting a partner shoulder the burden of staying in compliance releases cash and time investments to other organizational requirements. 

    That said, ensuring that the partner cannot hold the organization's stored cardholder data hostage to ensure continued business relations is fundamental to a long-term workable plan.
