The PCI DSS (Payment Card Industry Data Security Standard) is a standard that was created by major card brands to standardize the requirements for securing cardholder information. Every organization that handles cardholder data must be PCI Compliant. While the PCI DSS is not a law and is not enforced by the government, PCI Compliance is strongly enforced by payment networks and the PCI Security Standards Council (PCI SSC).
PCI compliance has many hidden costs as companies work to bring systems into compliance and compliance throughout the year. This blog will outline these hidden costs of compliance and then introduce a strategy many businesses use to reduce or erase these costs for their businesses.
Cost 1: Obtaining and maintaining PCI compliance
Every system that interacts with credit card data must meet rigorous security requirements. Putting these security requirements into place and updating them takes significant time for your security and compliance teams. Potential costs in this category include:
-
Tools (e.g., firewalls, VPNs, anti-virus software, monitoring and logging systems) are needed to bring payment data into compliance. Since payment data needs to be more rigorously protected than other internal data, additional tools may be needed outside of regular security costs.
-
Implementing new policies and procedures creates additional work, which comes at a cost to the company as they pay employees to do this work. The additional security lift of obtaining and maintaining PCI compliance may even require the company to hire additional employees or contractors, which can quickly increase the cost of compliance.
The cost of PCI compliance jumps with every tool, contractor, or new hire needed to manage the security of your sensitive payment data. Securing sensitive data, and maintaining compliance, requires constant upkeep. In our experience, the cost of building and maintaining a PCI-compliant system can cost small to medium sized businesses hundreds of thousands of dollars a year, with this number even higher for larger organizations.
Cost 2: The Compliance Audit
After maintaining PCI compliance throughout the year, companies are subject to an annual PCI Compliance Audit. This audit exists to examine a company’s compliance to ensure they meet all the requirements of the PCI DSS. This audit can take companies weeks or months to complete as they must verify that they meet all the requirements. For context on the complexity of this audit, the PCI DSS 4.0 standard has 360 pages to outline all of the requirements in depth.
The cost of a compliance audit varies from company to company based on the size of the company, the potential issues they may have to rectify and whether they hire professionals, like QSAs, to help them with their audit. Nonetheless, the audit itself creates a significant amount of work for employees, taking their attention away from tasks that build the company and focusing their attention on compliance. After the audit, a company may need to devote a significant amount of time to perform the “remediation efforts” required by their auditor. This can cause an audit for a small to medium business to cost over $100,000 when factoring in auditor fees, staff time devoted to the audit preparation and time spent on follow-up activities. For larger companies, the cost could be three to four times this amount.
Cost 3: Compliance issues
An additional cost associated with PCI compliance is when a company falls out of compliance. If compliance is not met, a company may have to pay fines based on the scope of the issue. If compliance is not maintained throughout the year, companies also risk a data breach and all the costs associated with it. We’ll look at these costs in a bit more detail, starting with fines for noncompliance.
Cost of noncompliance fines
Fines from payment processors can cause a huge financial burden for companies that are not compliant with PCI DSS. Fines will vary based on the business size and the scope of the breach. Penalties usually range from $5,000 to $100,000 a month until the issue is fixed, and a company attains compliance. Monthly fines increase based on the size of the company and the time that the company has spent out of compliance.
All of these fines exist even if your company’s noncompliance does not end in a data breach. However, noncompliance creates security issues that are easily exploited by hackers looking to steal cardholder data. Since noncompliance can heighten the risk of a data breach, we’ll look at that next.
Cost of a data breach
Noncompliance increases the likelihood of a data breach, especially if your company is not compliant for a long period of time. If your company suffers a data breach while noncompliant, your company will be responsible for compensation costs alongside other potential fines. Compensation costs can include:
-
Free customer credit card monitoring
-
Identity theft insurance
-
Service fee reimbursements
-
Card replacements (which can range from $3-$5 per customer)
In the case of a data breach, your company will have to juggle both the cost of the breach and the decreased revenue from scared or unsatisfied customers. Customer trust cannot be resecured easily once it has been broken. No matter how well your company responds to a data breach, some customers may never return. In addition to the compensation costs and lost revenue, you may also have to pay legal fees if customers take legal action because of a data breach due to a lack of PCI Compliance.
How to reduce your PCI compliance costs
If you’re tallying up all of your PCI compliance costs or worrying about the potential cost of a security breach and wondering if there’s a better way to secure payment data and maintain PCI compliance, there’s good news. PCI compliance can be simplified with third-party tokenization.
Third-party tokenization allows you to own your payment data, while storing it outside of your internal systems. When payment data is stored outside of your internal system, you transfer most of the compliance to the third-party tokenization provider.
To demonstrate how this works, let’s look at a real-world example of a business that utilizes third-party tokenization with TokenEx.
The Oklahoma Turnpike Authority (OTA) decided to use tokenization to secure their payment data and reduce the time and effort spent verifying their PCI compliance each year. By storing cardholder data with TokenEx instead of within their internal systems, their compliance burden was transferred almost completely to TokenEx.
Todd Harry, Business Development Manager for the OTA, explained, “Annually doing audits [on our own] takes so much more time and so much more money. It’s a lot easier to go to TokenEx and say, ‘Let me see a copy of your self-assessment that says you guys are compliant, and I’ll pass that off to my auditor.’”
OTA’s previous PCI audits would take over a month, with eight or nine people working on the project. This year, their PCI audit took 50% less time for 80% fewer people as only one person was needed for the two weeks it took to complete the audit. The rest of the team was free to focus on other projects to propel OTA’s business forward instead of auditing an existing system.
PCI compliance can be a lengthy and expensive process. However, many companies can dramatically reduce the scope of their PCI audit and easily attain compliance with third-party tokenization. Check out TokenEx to see how you can secure your cardholder data, reduce your compliance burden and cut many of the hidden costs of PCI compliance.