Most companies that process payments via credit cards must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Achieving compliance can incur high costs, as can failing to comply. So, what is the PCI compliance fee structure? The answer depends on the full set of costs associated with PCI DSS compliance, noncompliance, and everything in between.
What is the PCI Compliance Fee Structure?
To answer the question of what a PCI fee is, you need to consider the services offered by a PCI DSS compliance partner. That’s because the financial toll on businesses is less about any single fee and more about what PCI compliance costs as a comprehensive solution.
Monthly and yearly PCI cost estimates will vary according to the following factors:
- Costs associated with implementing all required PCI DSS controls
- Costs associated with assessing and verifying all required controls
- Potential fees and other indirect costs of PCI DSS noncompliance
PCI DSS Control Implementation Compliance Costs
When managed security service providers (MSSPs) calculate PCI compliance fees, one of the most significant factors determining price is how much work needs to be done to build the necessary controls for meeting the Requirements.
The PCI DSS v3.2.1 (2018) comprises 12 core Requirements, distributed across six Goals:
- PCI DSS Goal 1: Maintain Security Across Networks and Systems
  - Requirement 1: Install and update firewalls to establish a secure perimeter.
  - Requirement 2: Replace vendor-supplied defaults for security parameters.
- PCI DSS Goal 2: Protect All Cardholder Data Stored and Processed
  - Requirement 3: Safeguard all cardholder data stored in company servers.
  - Requirement 4: Encrypt cardholder data prior to open network transmission.
- PCI DSS Goal 3: Establish a Vulnerability Management Program
  - Requirement 5: Maintain updates on all anti-virus programs and protections.
  - Requirement 6: Ensure security across developed systems and applications.
- PCI DSS Goal 4: Implement Strict Access Control Management
  - Requirement 7: Restrict all cardholder data access by business need to know.
  - Requirement 8: Identify access to cardholder data with secure authentication.
  - Requirement 9: Restrict physical and proximal access to cardholder data.
- PCI DSS Goal 5: Monitor Network Security at Regular Intervals
  - Requirement 10: Monitor all sensitive network and cardholder data access.
  - Requirement 11: Assess security processes at frequent, regular intervals.
- PCI DSS Goal 6: Distribute a Formal Information Security Policy
  - Requirement 12: Formalize and distribute security processes to all personnel.
Each Requirement breaks down further into individual controls and Testing Procedures to gauge them. The more security infrastructure needs to be built, the higher your PCI cost is likely to be.
PCI DSS Compliance Verification Reporting Fees
Another element determining the PCI compliance fee a company is quoted is the specific reporting needed to verify compliance. PCI Levels vary depending on the yearly transaction volume a company processes across its channels.
Per Visa’s PCI DSS compliance guide, the Levels are:
- Level 1 – Merchants that process over six million transactions annually work with a Qualified Security Assessor (QSA) to file both a comprehensive Report on Compliance (ROC) and a detailed Attestation of Compliance (AOC) each year.
- Level 2 – Merchants that process between one and six million transactions annually across all channels file a Self Assessment Questionnaire (SAQ) and AOC each year.
- Level 3 – Merchants that process between 20 thousand and one million e-commerce transactions annually (irrespective of other channels) file a SAQ and AOC each year.
- Level 4 – Merchants that process fewer than 20 thousand e-commerce transactions or up to one million total transactions across all other channels file just the SAQ each year.
Companies at Level 4 can expect the lowest fees as they do not technically need to work with a QSA for PCI compliance. Costs scale up at Levels 3, 2, and 1 and max out for filing a full ROC. A Report on Compliance is an intensive analysis that proves security over time rather than a snapshot of existing controls, as with the AOC.
PCI DSS Penalties and Costs of Noncompliance
The last factor that drives up a company’s overall PCI costs is the collective fees and penalties resulting from failure to comply. Founding Members of the Security Standards Council (SSC) like Visa or Mastercard can impose penalties, which range in severity based on level and duration of noncompliance:
- Fines of $5,000 to $10,000 per month for the first three months of noncompliance
- Fines of $25,000 to $50,000 per month for months four through six of noncompliance
- Fines of $50,000 to $100,000 per month for seven or more months of noncompliance
If an actual data breach does occur, companies can also expect fines for each individual whose cardholder data is leaked, ranging from $50 to $90 per client. Plus, there are indirect costs associated with noncompliance, such as reputational damage or placement on a Terminated Merchant File (TMF) like Mastercard’s MATCH.
Achieve PCI DSS Compliance At Lower Costs
The PCI compliance fee structure typically depends on cost factors related to implementation and reporting. PCI compliance costs also increase following noncompliance.
Companies seeking to minimize these costs should work with a dedicated PCI compliance partner, such as RSI Security. We’re a full-suite QSA that will help with all elements of PCI compliance, minimizing compliance costs and avoiding noncompliance fees.
Contact RSI Security today to get started!