Cost of PCI Compliance
The investment to become compliant varies significantly from one merchant or service provider to another. There are two elements to this equation: first, the investment in meeting the compliance requirements themselves, and second, the investment in assessing and validating compliance. Some merchants and service providers are not required to use a QSA to validate compliance. In practice, numerous merchants and service providers engage a QSA to mitigate their risks. A QSA, like TrustNet, is best positioned to interpret the data security standard, clarify how it applies to our clients' environments, and make recommendations on how to meet the requirements efficiently and effectively. This is somewhat analogous to doing a tax return: you COULD do it yourself, or you could have a tax professional do it for you. The difference is that a professional will help you achieve your goals more efficiently, greatly reduce the risk of non-compliance, and save you money over the long term.
The scope of a PCI DSS assessment depends on a number of factors, including the type of business, the number of transactions processed each year, payment card processing and storage practices, and, of course, the existing IT infrastructure within your organization. Many businesses have faced significant penalties because they did not properly protect their customers' sensitive payment card information, leaving holes in their computer network systems that made them vulnerable to hackers. The investment in being compliant significantly outweighs the cost of doing nothing.
The assessment costs indicated do not necessarily reflect TrustNet's assessment rates. Every client has their own unique characteristics and costs vary based on numerous factors.
The following information was sourced from Gartner.com, CSOmagazine.com, and Ponemon Institute.