How much does PCI DSS certification cost?

The cost of a company's PCI DSS compliance cannot be given in one word, because it depends on many parameters that we analyze below. A large share of companies are led, usually by IT staff, to a mistaken picture of what PCI DSS certification is, and therefore to a mistaken picture of its cost. Many believe, for example, that running ASV scans and filling in the SAQ means the company automatically complies with the standard.

Compliance with PCI DSS requires meeting every requirement in the SAQ that applies to the business, not just the scan and the questionnaire themselves.

Direct PCI DSS costs

  • Certification level: Level 1 is the most expensive, since among other things it requires an onsite assessment by a QSA resulting in a Report on Compliance rather than a self-assessment.
  • Certification type: the most expensive is SAQ D, which covers roughly 330 requirements and testing procedures and demands a great deal of effort from both the business and the assessor.
  • Infrastructure size: the size of the in-scope infrastructure raises the cost because it increases the complexity of the environment to be assessed.
  • Public IPs: the number of public-facing systems drives the cost of quarterly ASV scans.
  • Locations: the number of locations that process card transactions, each of which must be brought into scope and assessed.

PCI DSS indirect costs

  • Security policy: the standard explicitly requires a complete information security policy that is implemented and whose reviews and changes are documented over time. The company must either draft it itself (an internal cost) or pay a specialized firm to prepare it.
  • Risk assessment: likewise, an annual risk assessment is required, which the company must either carry out internally or outsource to an external partner.
  • Penetration test: some certification types require annual internal and external penetration testing (and testing of segmentation controls where segmentation is relied upon), which is usually performed by an external tester.
  • Hosting environment: another source of new cost is the hosting of online stores and online businesses in general. As noted above, compliance requires meeting every applicable requirement, and a hosting provider that is not itself PCI DSS compliant cannot cover the requirements that fall to it. In practice this means moving services to a validated, compliant provider, which is more reliable but also more expensive.

Cost optimization & Proper sizing

How can I reduce the cost and time of PCI DSS certification?

A specialized PCI DSS certification company like Innotech can help you reduce both the cost of your certification and the time it will take to complete the process through specialized services that focus on the correct segmentation of the PCI environment.
