Last updated at Wed, 30 Aug 2017 00:13:10 GMT

Starting this newsletter with two famous songs in mind: "Money" by Pink Floyd and "Money for nothing" by Dire Straits.

If I ask you to give me the most common PCI keywords that come to mind, you will most probably answer:  Security, Credit Card, Compliance and…Cost.

MONEY is definitely a key argument both for the PCI supporters and the PCI critics. The former emphasize the cost for the organization in case of a breach while the latter underline the associated cost of implementation and maintenance. In both cases, PCI requires us to open our wallet.

The cost of PCI implementation

Implementing PCI is certainly not free, even for the smallest of merchants. The cost of implementation encompasses the following parts:

A. Initial scope and gap analysis: This includes the scope determination and documentation, the gap analysis against the bible, and the remediation action and cost plans.

B. Becoming compliant: This includes the costs associated with:

  • Acquisition and implementation of technology: network segregation, servers, firewalls, routers, tokenization technology (optional), web application firewalls (optional), central log management, patch management, file integrity monitoring, encryption technology, access management, anti-virus technology.
  • The cleaning and sanitization of the environment: identification, cleaning and masking of PAN.
  • The secure operations: audit log review, incident management, key management, patch management, user management, following up with the communities.
  • Specific periodic activities: external scanning (ASVs), internal scanning, penetration testing, patching, wireless detection, code review (optional), security awareness sessions, trainings.
  • The alignment of policies, procedures and standards with the PCI requirements.
  • Physically securing the premises according to the standard.
  • The support structure: project management, communication & reporting.
  • Compliance validation: on-site audit/self-assessment.

C. Maintenance cost – Recurring annual cost to remain PCI compliant: quarterly scans, annual penetration test, annual on-site audits or self-assessment, continuous monitoring of logs and alerts, vulnerability management, risk assessment, PCI program management & reporting, review of policies, standards and procedures.

How large the expense is depends on a number of factors: the business type, the number of transactions processed annually, the existing IT infrastructure, and the credit/debit card processing and storage practices. The following table provides an indication of these expenses for each merchant level.

Level         Initial scope   Becoming compliant   Maintenance
Level 1       $250,000        $550,000             $250,000
Level 2       $125,000        $260,000             $100,000
Level 3 & 4   $50,000         $81,000              $35,000

Source: payplum!pci-costs/c1ed1

The cost of a breach

Direct cost

Here are the direct costs generally associated with a breach:

  • Forensics cost. Once an organization subject to PCI compliance is even suspected of a breach, a team of PCI DSS certified forensic security examiners swoops in to review and inspect its business practices. This cost could be somewhere between $8,000 and $20,000 for a Level 4 merchant.
  • Non-compliance fines. The card brands are very subjective about these fines, which could range from $5,000 to $100,000 (or more). For the record, the payment brands fine the acquiring bank, which most likely passes the fine downstream until it eventually hits the breached organization. Additionally, monthly fines could be applied until full compliance is achieved.
  • Card replacement cost. This is the cost associated with the replacement of all compromised cards, estimated at between $3 and $25 per card.

Jeremy King, European director of the PCI Security Standards Council, defended the standard, claiming that the average cost of cardholder data lost in the UK is £79 ($126) per record. [From PCI DSS: is the cure worse than the disease? | ITworld]. For the record: Gartner estimates that the cost of a data security breach can range from $90 to $305 per record.

Indirect cost

The bill is lengthened with the following indirect costs:

  • Productivity loss. The forensic investigation can take anywhere from a few days to several weeks, depending on the complexity of the systems. During that time the business could be brought to an absolute standstill while the examiners comb through your policies, records, computer and phone systems, and employees, eating away at your productivity, sales, and profits.
  • Closure of business from fines and/or loss of the ability to process cards.
  • Revenue loss: loss of sales from customers who realize you're not compliant.
  • Compliance cost: all breached organizations are required to deal with non-compliance issues within a specific timeframe. See the implementation costs above.
  • Business disruption: while dealing with the non-compliance issues, staff are not working on their regular business tasks.
  • On-site audit: all breached organizations are subjected to a yearly on-site audit.

Fines, penalties and other settlement costs represent the least costly consequences of compliance failure - The True Cost of Compliance | Benchmark Study of Multinational Organizations | Ponemon Institute | January 2011.

Compliance is Cheaper Than Non-Compliance - On average, non-compliance cost is 2.65 times the cost of compliance  - The True Cost of Compliance | Benchmark Study of Multinational Organizations | Ponemon Institute | January 2011.

Additional resources

Free breach cost calculator (beta) from Netvigilance

The True Cost of Compliance: A Benchmark Study of Multinational Organizations
What's your field experience with these costs?

Did you read our previous newsletter: PCI 30 Seconds Newsletter #31 - PCI DSS Crypto-framework