The short answer is no, there aren't any published benchmarks specific to PCI DSS. There has been some survey work done (most recently by Nemertes Research) to try to pinpoint how much organizations are spending on compliance. They interviewed about 100 companies and drew the conclusion that most don't necessarily break out compliance as a budget item anymore. Nor are companies specific about what they spend for PCI versus Sarbanes-Oxley, HIPAA or GLBA.
I remember when I was with a private company that was considering a public offering, and we budgeted about 8-10% of revenue for compliance costs. Of course, that will scale way back for large companies, which shouldn't spend more than 1%. But like all other numbers and benchmarks, it depends a lot on how the numbers are counted.
Yet I would be negligent in not mentioning that I believe trying to budget specifically for compliance is a fool's errand. The reality is that the focus should be on protecting data and building a manageable and documented security program. If that's done well, regulations like PCI and HIPAA will be a walk in the park.
Compliance is not something that's bought; it's a process. It never ends, and it needs to stay in lock step with the changes happening in a dynamic business. Understanding direct costs will probably require additional headcount to pull proper reports and document the program. It also may require investment in some software tools to mine through all the data that is generated by systems, networks and applications.
So I'm not a big fan of budgeting for compliance. But if you already have a line item in your budget for "compliance" expenditures, then try to figure out what's really needed for security and pay for it using the compliance money.
For more information:
This was first published in December 2007