Cost of PCI DSS Compliance
Shahid Qureshi
Helping Customer reach their Compliance goal, PCI DSS, ISO 27001, SOC, GDPR
A question that comes up frequently about PCI DSS is: "Is there any fixed cost to becoming PCI compliant?" The short answer is no. The cost varies mainly with how many transactions need to be processed, as well as with the methods used to transmit and store cardholder data.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. The PCI Security Standards Council (PCI SSC) handles the development and adoption of these standards, although card brands mandate them.
The cost of PCI DSS compliance can vary widely from one company to the next. For small businesses, PCI DSS compliance can cost around $500 annually, while large enterprises can expect to pay a minimum of $20,000.
Levels of PCI DSS
The level assigned to an organization depends on the number of transactions it handles annually. There are four PCI compliance levels:
- Level 1: Mainly encompasses organizations that process over 6 million card transactions annually, or organizations whose card account data has been breached, as well as service providers handling more than 300000 credit card transactions.
- Level 2: Organizations that process 1 to 6 million transactions annually, or service providers handling fewer than 300000 transactions annually.
- Level 3: Organizations that process 20,000 to 1 million transactions annually.
- Level 4: Merchants that process fewer than 20,000 transactions annually.
What is the PCI SAQ?
The Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool for assessing the security of cardholder data. There are 9 different SAQs, and which one applies depends on your level of compliance; an organization has to select its applicable SAQ and submit an Attestation of Compliance (AOC). Each SAQ varies in length from 22 questions to over 329.
Security-Focused Principles
If data security has always been a priority and part of an organization’s culture, then the cost of PCI will be lower. With a security-focused culture, the stakeholders recognize the importance of compliance and are willing to invest in a secure environment for PCI DSS. However, if an organization does not have a security-focused culture, it will be challenging to convince decision makers to invest as heavily. This becomes costly in the long run, as the organization will face the ‘cost of non-compliance.’ In short: the greater the security awareness, the lower the compliance cost.
Cost of non-compliance
The size of the non-compliance fee that the PCI DSS Council imposes on a company depends on two factors. The first is the company’s size, which is determined by the number of transactions it processes per year. Level 4 companies usually don’t face fines, while Level 1 companies face the greatest financial responsibility for non-compliance.
The second factor that influences the size of a fine is the period of non-compliance with the standard. Companies that haven’t been compliant for a month pay less than those that have been non-compliant for seven months, for instance. Fines are imposed monthly until the company meets the standard, so ongoing monthly PCI non-compliance fines amount to a loss in the long run. Non-compliant organizations can also be barred from handling transactions and cardholder data, which can lead to a shutdown if it affects the organization’s business model.
PCI DSS compliance is assessed at minimum once a year, and organizations need to pass the quarterly or annual vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV). At Alcumus Isoqar we are a PCI QSA (Qualified Security Assessor) and an Approved Scanning Vendor for PCI ASV and vulnerability scans. For consultancy on PCI DSS, please feel free to get in touch.
Shahid@isoqarindia.com
+91-9768603520