Ask the Expert

Are there any references that discuss the cost of PCI DSS compliance?

Are there any published benchmarks on how much enterprises are spending (per size, customer count, etc.) or should expect to spend in order to comply with the Payment Card Industry (PCI) Data Security Standard?


The short answer is no, there aren't any published benchmarks specific to PCI DSS. There has been some survey work done (most recently by Nemertes Research) to try to pinpoint how much organizations are spending on compliance. They interviewed about 100 companies and drew the conclusion that most don't necessarily break out compliance as a budget item anymore. Nor are companies specific about what they spend for PCI versus Sarbanes-Oxley, HIPAA or GLBA.

I remember when I was with a private company that was considering a public offering, and we budgeted about 8-10% of revenue for compliance costs. Of course, that will scale way back for large companies, which shouldn't spend more than 1%. But like all other numbers and benchmarks, it depends a lot on how the numbers are counted.

Yet I would be negligent in not mentioning that I believe trying to budget specifically for compliance is a fool's errand. The reality is that the focus should be on protecting data and building a manageable and documented security program. If that's done well, regulations like PCI and HIPAA will be a walk in the park.

Compliance is not something that's bought; it's a process. It never ends, and it needs to stay in lockstep with the changes happening in a dynamic business. Understanding direct costs will probably require additional headcount to pull proper reports and document the program. It may also require investment in software tools to mine through all the data generated by systems, networks and applications.

So I'm not a big fan of budgeting for compliance. But if you already have a line item in your budget for "compliance" expenditures, then try to figure out what's really needed for security and pay for it using the compliance money.

For more information:

  • Learn why many corporations are underestimating the costs associated with PCI DSS compliance.
  • A Ponemon Institute study indicates the costs associated with data breaches have increased, and they will continue to skyrocket unless companies do more.
  • This was first published in December 2007
