Problem solve Get help with specific problems with your technologies, process and projects.

Are there any references that discuss the cost of PCI DSS compliance?

Security expert Mike Rothman discusses the expenses related to complying with PCI DSS.

Are there any published benchmarks on how much enterprises are spending (per size, customer count, etc.) or should expect to spend in order to comply with the Payment Card Industry (PCI) Data Security Standard?

The short answer is no, there aren't any published benchmarks specific to PCI DSS. There has been some survey work done (most recently by Nemertes Research) to try to pinpoint how much organizations are spending on compliance. They interviewed about 100 companies and drew the conclusion that most don't necessarily break out compliance as a budget item anymore. Nor are companies specific about what they spend for PCI versus Sarbanes-Oxley, HIPAA or GLBA.

I remember when I was with a private company that was considering a public offering, and we budgeted about 8-10% of revenue for compliance costs. Of course, that will scale way back for large companies, which shouldn't spend more than 1%. But like all other numbers and benchmarks, it depends a lot on how the numbers are counted.

Yet I would be negligent in not mentioning that I believe trying to budget specifically for compliance is a fool's errand. The reality is that the focus should be on protecting data and building a manageable and documented security program. If that's done well, regulations like PCI and HIPAA will be a walk in the park.

Compliance is not something that's bought; it's a process. It never ends, and it needs to stay in lock step with the changes happening in a dynamic business. Understanding direct costs will probably require additional headcount to pull proper reports and document the program. It also may require investment in some software tools to mine through all the data that is generated by systems, networks and applications.

So I'm not a big fan of budgeting for compliance. But if you already have a line item in your budget for "compliance" expenditures, then try to figure out what's really needed for security and pay for it using the compliance money.

For more information:

  • Learn why many corporations are underestimating the costs associated with PCI DSS compliance.
  • A Ponemon Institute study indicates the costs associated with data breaches have increased, and they will continue to skyrocket unless companies do more.
  • This was last published in December 2007

    Dig Deeper on PCI Data Security Standard

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.