The cost of becoming PCI DSS compliant depends on a number of factors, including your business type, the number of transactions you process annually, your existing IT infrastructure, and your current credit/debit card processing and storage practices. Gartner estimates that during 2007 the nation's largest merchants, classified as Level 1 (processing more than 6 million transactions of a single card brand per year), will spend $125,000 assessing the scope of the required PCI-related work and another $568,000 to meet the requirements.
As an example, Robin Sidel and Pui-Wing Tam of the WSJ recently reported that Guitar Center, a national retailer with 210 stores, spent nearly $500,000 to become compliant. Gartner also concluded that Level 2 merchants, those processing between 1 and 6 million transactions annually, will spend $105,000 to determine scope and another $267,000 on compliance. Level 3 merchants, processing between 20,000 and 1,000,000 e-commerce transactions, are expected to spend $44,000 on assessment and $81,000 on compliance. The costs for Level 4 merchants, those processing fewer than 20,000 e-commerce transactions or up to 1,000,000 non-e-commerce transactions, vary widely.
Only Level 1 merchants are required to have an on-site assessment. Levels 2, 3 and 4 must complete the Self-Assessment Questionnaire and arrange a quarterly vulnerability scan, performed by an Approved Scanning Vendor, of all externally facing IP addresses. A rough estimate for the scans is $150 to $2,500 per IP address per year.
Other costs may include software and hardware upgrades if card data is stored in house. Gartner estimates that a company with 100,000 credit cards on file will pay $6 in encryption costs per card. Alternatively, merchants can use technologies such as tokenization, where the card data is held by a third party and the merchant keeps only a substitute token; these services typically charge per-transaction fees instead of upfront costs. All of these estimates exclude the cost of labor and the opportunity cost of pursuing other profit-making endeavors.
Smaller restaurants and retailers that have only a single terminal or POS system are still required to become compliant. Both need to fill out the Self-Assessment Questionnaire, but the compliance process is usually much less involved. Merchants that use a POS system to process credit cards need to make sure it is not storing prohibited card data, and need to verify that their vendor is PABP compliant (PABP is soon to become PA DSS). Prohibited data means sensitive authentication data, such as full magnetic-stripe track contents, card verification codes (CVV2/CVC2) and PIN blocks, none of which may be retained after authorization; any primary account numbers (PANs) that are stored must be protected. To verify that your POS system is not storing prohibited information and is compliant, see the updated list published in November 2007. Some merchants, such as Brad Friedlander, a restaurant owner in Cleveland with two stores, paid $50,000 for technology upgrades to become compliant. Any merchant that accepts, stores, processes, or transmits credit card information is required to already be compliant.
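One concrete way a merchant can check whether a POS system or its logs are retaining prohibited data is to scan the files the application writes for full track data, card verification codes and unprotected PANs. The script below is an added example written for this post, not code from the original article or from any POS vendor; the log format, field names and sample lines are constructed assumptions, while the Luhn check and the track 1/track 2 layouts are the standard ones. Candidate numbers that fail the Luhn check (order numbers, timestamps) are dropped, and the scanner reports PANs masked to the first six and last four digits so that its own output does not become another copy of the card data.

```python
"""Added example (not from the original post): scan text a POS system
wrote for data PCI DSS forbids storing after authorisation (full track
data, verification codes, PIN blocks) and for unprotected PANs.
File layout, field names and the sample log are constructed assumptions.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 as a stripe reader emits it: %B<PAN>^<NAME>^YYMM<service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\??")
# Track 2: ;<PAN>=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Field names (assumed) under which a verification code or PIN block
# must never appear in stored data.
SAD_FIELD_RE = re.compile(
    r"\b(cvv2?|cvc2?|cid|pin_?block|pin)\s*[=:]\s*(\d{3,16})", re.I)

# Constructed sample log: approved sales, a debug line leaking a raw
# swipe, a stored CVV2, and a non-card number that should be ignored.
SAMPLE_LOG = """\
2007-11-12 13:05:01 sale txn=88412 amount=24.99 pan=4111 1111 1111 1111 exp=0912 result=approved
2007-11-12 13:05:01 debug swipe="%B4111111111111111^DOE/JOHN^09121011234?;4111111111111111=0912101123?"
2007-11-12 13:06:44 sale txn=88413 amount=9.50 pan=5500000000000004 cvv2=123 result=approved
2007-11-12 13:07:10 order_id=4111111111111112 status=shipped
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str):
    """Scan line by line; return (line_no, kind, masked_evidence) tuples."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        seen = set()            # PANs already reported as part of track data
        for m in TRACK1_RE.finditer(line):
            findings.append((n, "track1", mask(m.group(1))))
            seen.add(m.group(1))
        for m in TRACK2_RE.finditer(line):
            findings.append((n, "track2", mask(m.group(1))))
            seen.add(m.group(1))
        for m in SAD_FIELD_RE.finditer(line):
            findings.append((n, "sad-field", m.group(1).lower()))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Skip PANs already covered by track data and Luhn failures,
            # which are order numbers or timestamps rather than cards.
            if digits in seen or not luhn_ok(digits):
                continue
            findings.append((n, "pan", mask(digits)))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'pan': 2, 'track2': 1}."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, kind, evidence in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {evidence}")
    print(summarize(scan_text(SAMPLE_LOG)))
```

Run against a real system, the same functions would be applied to the POS database exports, transaction logs and debug files rather than to the embedded sample; a single track1 or track2 hit is enough to fail the storage requirement regardless of how the PANs themselves are protected.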
The Card Associations have set specific dates by which merchants need to validate compliance. Level 1 merchants were required to validate compliance by 9/30/07. Level 2 merchants are expected to validate compliance by 12/31/07. Level 3 and 4 validation deadlines will come, but at this point they have been left to each merchant's acquirer to determine. Not only is becoming compliant not optional, but the Card Associations have threatened larger merchants with monthly fines until compliance is obtained. They have also threatened to raise interchange rates, which would increase these merchants' processing costs. Perhaps most importantly, the Card Associations will levy fines and penalties if a merchant is not PCI compliant at the time of a breach. The fines can be devastating to merchants. I've written about two breaches, both of which had significant consequences. One merchant is large, the other is small.
In addition, merchants face remediation and discovery costs that can be just as high as the fines, if not higher. For a cumulative figure, Gartner estimates that the cost of a data security breach ranges from $90 to $305 per customer record. Some merchants are frustrated by the PCI requirements, while others see them as basic security controls that should already be in place. A common misconception is that compliance equals security; a number of recent breaches at merchants that had validated compliance have shown that it does not.
Other related posts:
PCI DSS Compliance basics for credit card security
PCI DSS Compliance and the cost of a credit card breach
Braintree solutions: The Smart Approach to PCI DSS Compliance