The short answer is no, there aren't any published benchmarks specific to PCI DSS. There has been some survey work done (most recently by Nemertes Research) to try to pinpoint how much organizations are spending on compliance. They interviewed about 100 companies and drew the conclusion that most don't necessarily break out compliance as a budget item anymore. Nor are companies specific about what they spend for PCI versus Sarbanes-Oxley, HIPAA or GLBA.
I remember when I was with a private company that was considering a public offering, and we budgeted about 8-10% of revenue for compliance costs. Of course, that will scale way back for large companies, which shouldn't spend more than 1%. But like all other numbers and benchmarks, it depends a lot on how the numbers are counted.
Yet I would be negligent in not mentioning that I believe trying to budget specifically for compliance is a fool's errand. The reality is that the focus should be on protecting data and building a manageable and documented security program. If that's done well, regulations like PCI and HIPAA will be a walk in the park.
Compliance is not something that's bought; it's a process. It never ends, and it needs to stay in lockstep with the changes happening in a dynamic business. Understanding direct costs will probably require additional headcount to pull proper reports and document the program. It also may require investment in some software tools to mine through all the data that is generated by systems, networks and applications.
So I'm not a big fan of budgeting for compliance. But if you already have a line item in your budget for "compliance" expenditures, then try to figure out what's really needed for security and pay for it using the compliance money.
Related Q&A from Mike Rothman