Can you believe this April will mark one year since the release of PCI DSS v4.0 standards? To celebrate its upcoming birthday, we’re breaking down one of the most commonly asked questions about compliance.
Exactly how hard is PCI compliance to achieve? Usually it’s bad practice to answer a question with another question. In this case, it’s impossible to discuss the challenges of compliance without first asking: why is PCI compliance important?
Starting at the top, PCI compliance is mandatory. Meeting this set of compliance requirements wouldn’t be so laborious if handling credit card data properly weren’t so critical. PCI DSS requirements ensure that organizations that handle credit card information maintain a secure Cardholder Data Environment (CDE), which helps prevent credit card fraud and data breaches.
The financial impact of a security incident can reverberate for years. Data breaches cost US businesses an average of $9.44M in 2022. However, recovering customer trust, market value and reputation may take even longer. In essence, the responsibility of protecting cardholder data is what makes PCI compliance so important.
Global relevance also gives PCI compliance much of its importance. PCI DSS compliance applies to any business of any size that collects, stores or transfers card data. You might be reading this blog because you’re getting ready to launch a payments product or add a feature to an existing application, and you wondered: “Do I need PCI compliance for this?” Yes, you do!
Now that you know, your next question is probably: “How much does PCI compliance cost?” The required assessment fees and engineering resources are a major reason why obtaining your PCI compliance certification is so painful. Companies that process even a low volume of transactions can be shocked at the cost of PCI compliance.
For example, let’s look at PCI Level 4, the least-demanding level of compliance. This applies to merchants that process fewer than 20,000 e-commerce transactions annually. PCI Level 4 can cost $125K-$140K in certification fees plus $35,000 in maintenance every year.
That’s nothing compared to the PCI Level 1 category. A merchant that processes more than 6M annual credit card transactions can be expected to fork over $800K-$1.25M in certification fees and $250K in maintenance every year. PCI Level 1 isn’t exclusively reserved for merchants that process 6M+ transactions. But it is a common prerequisite for doing business with potential customers and partners or issuing financial products. It will likely come up during Vendor Security Questionnaires/Assessments.
The certification fees typically go to hiring a Qualified Security Assessor (QSA) auditor, remediating issues found in the audit, designing and testing security controls and performing ongoing maintenance. The price tags listed above don’t include any additional professional services or your own OpEx for development hours. Depending on how efficiently your engineers resolve issues and implement the necessary controls, the cost of PCI compliance can balloon significantly.
The second factor that explains the difficulty of PCI compliance is the time commitment. To earn PCI 4.0 certification, organizations must implement the 18 PCI DSS requirements (12 for PCI DSS 3.2.1). Among other things, these requirements demand that a brand perform the following steps:
- Build and maintain a secure network
- Protect cardholder data (CHD)
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
These might sound simple on paper, but completing each requirement is a multi-step process. The requirements include complicated tasks such as installing firewalls and protecting cardholder data through tokenization or encryption.
Obtaining PCI Level 1 or Level 2 typically takes merchants around nine months to a year to achieve on their own. Merchants that need PCI Level 3 or 4 can expect to spend a few months working towards compliance.
But the job isn’t necessarily done once the certificate is in hand. Because PCI DSS is a point-in-time audit, brands must perform a new PCI audit whenever they add or modify a feature in their CDE. Something as simple as deploying new code or signing a pull request may require a re-audit if it affects any part of the application that touches sensitive data.
The short answer to the question “How hard is PCI compliance?”: because of the costs involved, the complexity of the requirements and the time commitment, achieving PCI compliance can be very hard. But that’s only if you do it yourself. If you use a Data Security as a Service (DSaaS) platform like Very Good Security, you can make PCI compliance a walk in the park.
VGS uses data tokenization to redact and replace sensitive data. This removes cardholder data from the scope of PCI regulations and relieves the liability of data security. Companies can still own and use PCI data without ever storing it in their systems.
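To make the scoping argument concrete, here is a small worked example of what a tokenization vault does. This is an added illustration, not VGS product code: the in-memory dictionaries stand in for the vault's encrypted, access-controlled store, the `TokenVault` class and its methods are invented for this post, and the card numbers used in the test are public test PANs, not real accounts. The merchant application only ever holds the token; the PAN exists solely inside the vault, which is what takes the merchant's systems out of CDE scope.

```python
"""Minimal tokenization vault (illustrative, not VGS's implementation).

Replaces a primary account number (PAN) with a token the merchant can store,
index and log freely, while the PAN itself lives only inside the vault.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: PAN -> token mapping kept out of the merchant's systems."""

    def __init__(self, index_key: Optional[bytes] = None):
        # Keyed fingerprint so the same PAN always maps to the same token
        # without storing a reversible hash of the PAN.
        self._index_key = index_key or secrets.token_bytes(32)
        self._by_fingerprint: Dict[str, str] = {}   # HMAC(PAN) -> token
        self._by_token: Dict[str, str] = {}         # token -> PAN (vault-side only)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Format-preserving: keep the BIN (first 6) and last 4 so routing and
        # receipts still work; randomize the middle. Reject candidates that pass
        # Luhn or collide, so a token can never be mistaken for a real PAN.
        middle_len = len(pan) - 10
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            candidate = pan[:6] + middle + pan[-4:]
            if candidate not in self._by_token and not luhn_valid(candidate):
                return candidate

    def tokenize(self, pan: str) -> str:
        """Validate the PAN, then return its (stable) token."""
        pan = re.sub(r"[\s-]", "", pan)
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = self._new_token(pan)
        self._by_fingerprint[fp] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Vault-side reverse lookup; raises KeyError for an unknown token."""
        return self._by_token[token]

    def redact(self, text: str) -> str:
        """Replace every Luhn-valid card number in free text (e.g. a log line)
        with its token, leaving other long digit runs untouched."""
        def repl(m: "re.Match[str]") -> str:
            digits = re.sub(r"[\s-]", "", m.group(0))
            return self.tokenize(digits) if luhn_valid(digits) else m.group(0)
        return re.sub(r"\b(?:\d[ -]?){12,18}\d\b", repl, text)


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # public test PAN, not a real card
    print("token:", token)
    print(vault.redact("charge ok card=4111-1111-1111-1111 amount=12.50"))
```

Two design choices worth noting: tokens deliberately fail the Luhn check, so a token that leaks from a merchant database or log is recognizably not a card number, and the lookup index is a keyed HMAC rather than a plain hash, so the index table alone does not let anyone brute-force the 16-digit PAN space. The `redact` method shows the same vault applied defensively to logs, where stray PANs are a classic way for a system to fall back into scope.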
The VGS platform reduces PCI compliance time and cost by as much as 75%. Customers can achieve PCI Level 1 compliance in as few as 21 days, and achieve Level 2-4 upon integration with VGS. Check out our PCI compliance speed hall of fame below. And when you’re ready to make securing payments data easy, book a demo.
- TransferGo: PCI DSS Level 1 compliant in 35 days, saved 90% of engineering resources in ongoing maintenance
- Zilch: Upgraded from PCI Level 3 to PCI Level 1 compliance 3x faster
- EedenBull: PCI Level 1 and SOC 2 compliant in <4 months. No additional headcount and at 50% of the time and cost quoted by auditors
- Unit: PCI compliant in <2 months, and Visa DPS certified in <4 months, 50% faster than standard Visa DPS deployments
- Even: PCI compliant 5x faster and at 10x less staff