Tuesday, February 17, 2009

The Cost of PCI Compliance - Element Payment Services Blog





In a great informational post provided by the PCI DSS Compliance Blog, published by Element Payment Services they talk about the cost of PCI compliance. 

I had the pleasure of working with Sean Kramer,  the founder and CEO of Element Payment Services, when he was with Concord EFS.  We jointly provided an innovative payments package/solution for U.S. FoodService members.  I am happy to see (but not surprised by) the growth enjoyed by Element.  It couldn't happen to a nicer guy!  Congrats to Sean and his team, including Roy Bricker who previously worked at Pay By Touch.

Here's their post: 

PCI DSS Compliance Blog: Cost of PCI Compliance
Cost of PCI Compliance

'What does it cost be PCI compliant?’ is a common question by business owners and software providers facing compliance requirements. Several estimates have been generated by industry leaders on PCI compliance costs.

For Merchants (Complying with PCI DSS)

IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:

• Upgrading payment systems and security infrastructure,
• Verifying compliance (assessments), and
• Sustaining compliance.

New components that might have to be installed to upgrade payment systems and security infrastructureWorld image include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software.

Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants.

In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months. Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.

Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment. Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment. Gartner did not discuss Level 4 merchants in the report.

For Software Developers (Complying with PA-DSS)

To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.

Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.

To visit the PCI DSS Compliance Blog click here.  Element Payment Services site is located at: www.elementps.com








Reblog this post [with Zemanta]

Disqus for ePayment News