The True Cost of PCI Compliance: Where Can Small Businesses Save?

June 1, 2020
TCO-pci-compliance-2

So, you’re a small business owner with a startup that needs to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Regardless of your business type, if your organization needs to become PCI compliant, that means you plan on operating on cardholder data and you have a responsibility to protect that sensitive credit card information.

What’s PCI compliance going to cost your business?

With 12 complex requirements, PCI compliance isn’t a quick or cheap certification to obtain. In fact, depending on the size and nature of your business, fulfilling PCI DSS requirements can be enormously costly and unexpectedly time-consuming. And even after achieving your initial certification, you could easily be spending at least $100,000 per year in maintenance costs.

There are many variables that go into developing and maintaining a PCI-compliant cardholder data environment (CDE), and it’s difficult for early-stage companies to gauge how much they should expect to spend or how many engineers they might need to hire.

For small business owners, PCI compliance costs may seem cost-prohibitive. But it doesn’t have to be.

We’ve laid out the different costs and requirements necessary to achieve PCI compliance - so you don’t need to do any time-intensive research yourself.

The benefit of PCI compliance is more than avoiding non-compliance fees

Even though the PCI Security Standards Council – which is made up of debit and credit card brands that include Visa, MasterCard, Discover, JCB International and American Express - requires it, PCI compliance is much more than simply fulfilling enough requirements to score a certificate.

For starters, the PCI compliance cost and requirements are obstacles that can prevent your business from even getting off the ground in the first place because they are mandatory.

Startups and small business owners aren’t using PCI DSS to stand out from their competitors – they’re using it to gain entry into the market.
But small businesses shouldn’t think of PCI compliance as a simple box to check off, because carefully following PCI standards comes with two key benefits:

First, putting in place the information security and access control policies required by PCI DSS helps prevent data breaches involving credit cards and cardholder information – the exact thing that the PCI Security Standards Council was seeking to stop in the first place. Businesses that suffer a breach are liable to pay PCI non-compliance fees, which can easily shut down a small operation.

Second, the PCI compliance certification your business ends up receiving demonstrates to your future end customers that your security posture values their cardholder data and customer credit cards.It also shows that your company has high standards when it comes to protecting their personal information.

But, for businesses who don’t know where to start, what options do they have when it comes to reducing the PCI compliance cost?

The Cost of PCI DSS Certification

When it comes to PCI DSS compliance and certification, there are generally three paths that an early-stage business can take to acquire their certificate – each requiring a different level of muscle, expertise and cash.

Let’s go in order of effort required.

The highest cost of PCI compliance: the do-it-yourself approach

The first, and perhaps most obvious, route is the do-it-yourself (DIY) option. By only relying on your own team members to design, test, commit to regular self assessments, pay PCI compliance fees, and regularly maintain a secure environment, you will pay for each step involved (we will go through detailed prices in the next section). Your business will also retain all the liability of keeping your systems secure in case of a data breach or other cybersecurity incident. The amount that you pay will be dependent on the level of certification you are applying for, which is determined based on the number of transactions your business processes a year.

Adding the cost of PCI DSS compliance third parties to the DIY method

Startups sometimes confront their PCI compliance endeavor with the DIY method for some parts of the journey while contracting vendors to take care of other parts of the journey – often ones that require more specific expertise or would further prolong the process.

Lower the cost of PCI compliance with an end-to-end solution

For companies that want to offload their PCI compliance burden completely and outsource all their PCI data protection, they can work with a qualified security partner that does their PCI data collection, transfer and storage for them – putting them completely out of scope of PCI DSS requirements.

This also shifts the liability for data breaches from the organization to the partner, thus reducing the risk related to working with sensitive data.

You can think of this third approach like Amazon Web Services (AWS). When startups and smaller organizations need a cloud computing system, they don’t build their own from the ground up – they use AWS. In exchange for a subscription fee, Amazon does all the work for them, including ongoing maintenance and support per year, so businesses can focus on what’s important.

Similar to AWS, an all-in-one data security solution can do all the hard work for a startup, including managing the protection of your customers’ payment card data at every turn so you never have to worry about it. And, just like with AWS, there is always someone watching over your database to act if anything should suddenly happen.

**It’s important to note that the PCI compliance certification earned through all three of these paths is the exact same.

What is the average cost of PCI compliance?

In order for a business to make the best decision on which path to take for PCI DSS compliance, it’s helpful to know everything that goes into fulfilling the many compliance requirements.

From a bird’s eye view, the DIY PCI compliance process requires a QSA auditor, engineers to remediate issues found in your audit, designing and testing business controls, performing a second audit, and ongoing maintenance. The cost of a PCI compliance audit alone ranges from $15,000-$40,000.

The ultimate cost of PCI compliance depends heavily on the level of compliance you are applying for and the number of card transactions you process. PCI compliance has four levels of compliance for merchants and two for service providers, and all of them depend on your number of card processing transactions.The general cost for PCI DSS certification is listed from Verifi below:

  • Level 1 certification - $550,000 - $1,000,000 with an annual maintenance cost of $250,000.
  • Level 2 certification - $260,000 - $500,000 with an PCI cost of $100,000.
  • Level 3 certification - $75,000 - $90,000 with an annual maintenance cost of PCI - $35,000.
  • Level 4 - $75,000 - $90,000 with an annual PCI cost of $35,000.

What about if you want to bring in a vendor or two to provide professional services that help with part of the process, like a payment processor for payment card processing?

Well, the average cost per day of software implementation professional services is $2,500. Combine however many days this option would take with the other DIY steps you do without any vendor’s assistance, the price tag can balloon. Especially since you’ll be keeping them on the payroll per year.

The DIY approach involves weeks, even months, of work to achieve the initial PCI compliance certification, and the work doesn’t end there.

PCI compliance audits demonstrate your adherence to the requirements at a specific point in time, based on how your systems look at that moment. Any modification or addition of new features immediately invalidates your PCI compliance certificate, because it means that the CDE as it now stands hasn’t been audited in its current state.

If your company adds or changes features or connectivity often, it will be on a non-stop hamster wheel of constantly needing to follow-up with revalidations and a new self assessment questionnaire that you are still PCI compliant after putting yourself back in scope of PCI DSS again and again – costing more and more money.

And even if you don’t make any changes, you’ll still need to shell out the resources and cash for maintenance. So you’ll also need to calculate your vendor and DIY costs per year.

When a startup chooses to go with an all-in-one solution for their PCI data security, which requires none of the DIY effort listed above, they don’t have to worry about revalidating their certification to remain PCI compliant because their third-party solution will ensure they are always current.

Keep in mind that your end compliance costs will be determined by which PCI certification level you require. For merchants there are 4 levels and service providers have 2. These levels are based on the number of transactions that run through your business per year.

The safest (and most cost-effective) path to PCI compliance

With an all-in-one, AWS-like solution that takes care of all your PCI information security on your behalf, you can essentially “set it and forget it” – and leave your compliance worries in the hands of a trusted data security partner like Very Good Security.

VGS provides its users with an “always current” data privacy solution that ensures you are constantly up to date on your PCI compliance validation, as it handles all your company’s collection, transfer and storage of sensitive user data on your behalf.

Our innovative data aliasing technology allows businesses to operate on their sensitive cardholder or credit card data just like they normally would, while not taking on the liability of actually possessing that data and paying the PCI compliance fees. VGS Zero Data solutions take your PCI DSS compliance worries off your plate completely, including enabling you to skip every step from the self assessment questionnaire to ongoing maintenance, so you can spend your time and resources continuing to grow your core business.

Not only does it enable businesses to focus on new development, the cost of implementing VGS is considerably less than what a startup would typically pay for DIY or vendor-assisted PCI compliance. In addition, the liability in case of a cyber attack or data breach shifts to VGS, leaving you off the hook for those expensive PCI non-compliance fees.

Want to skip the confusion and lofty ongoing costs of the DIY method and quickly become PCI compliant?

Stefan Slattery Stefan Slattery

Growth Marketing Lead, Platform & Compliance

Share

You Might also be interested in...

Costs of PCI Non-Compliance: The Ice Cream Saga (Part 1)

Costs of PCI Non-Compliance: The Ice Cream Saga (Part 1)

Philip Andrew Sjogren July 15, 2021

pci-dss-featured-image

PCI DSS and What It Means for You

Stefan Slattery January 24, 2022

3 fintechs

How Three Fintechs Got to Market Fast by Offloading PCI

Stefan Slattery March 11, 2021