This article is an introduction to the latest PCI DSS compliance standards process in 2021, as well as an explanation of PCI DSS levels of compliance and their required costs.
PCI DSS Standards
The Payment Card Industry Data Standards (referred to as PCI DSS), is a global industry standard set up by the major international credit card organisations pertaining to the security of cardholder information that flows through their networks. All organisations, whether Merchants or Service Providers, that accept payments or Store, Process and Transmit card data from the major international card organisations must adopt the PCI DSS and protect cardholder information in accordance with the Security Standards.
The PCI DSS is created and managed by the PCI SSC (Payment Industry Security Standards Council and her members consist of VISA Inc., MasterCard, JCB, American Express and Discover.
PCI DSS Compliance Levels
The way to obtain the PCI DSS compliance status is usually via a PCI DSS Assessment. Both Merchants and Service Providers have different levels, which can be seen below (using the regulations provided by VISA)
- Merchant Levels
Level | Required Security Certification/Scans | Required Personal/Items |
---|---|---|
1 Over 6M transactions per year | On-site PCI DSS audit every year and ASV Network Scan every quarter | Qualified Security Assessor Internal Audit Report Authorized Scanning Vendor |
2 Over 1M transactions per year | Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarter | Merchant Approved Scan Vendor |
3 Over 200K transactions per year | Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarter | Merchant Approved Scan Vendor |
4 Less than 20K transactions per year | Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarter | Merchant Approved Scan Vendor |
- Service Provider Levels
Level | Required Certification/Scans | Required Personal/Items |
---|---|---|
1 Over 300,000 transactions a year | Onsite PCI DSS audit every year and ASV network scan every quarter | Qualified Security Assessor Internal Audit Report Authorized Scanning Vendor |
2 Below 300,000 transactions a year | Complete Self Assessment Questionnaire D (SAQ D) every year and perform ASV network scan every quarter | Merchant Approved Scan Vendor |
When a Merchant or Service Provider is deemed as Level 1, they are required to obtain the services of a QSA (Qualified Security Assessor), which is an approved PCI DSS auditor. The QSA has to perform an on-site audit for the organization and provide a report after the review.
Merchants Level 2-4 or Service Providers Level 2 must fill up a PCI DSS SAQ (Self-Assessment Questionnaire), which can also be assisted by a QSA.
In order to determine the level and you are required to obtain, and the type of SAQ you are required to use, please contact your acquirer.
PCI DSS Audit Process
In general, the PCI DSS audit can be divided into the following phases below:
The initial preparation and consultation phase may take up to 3-5 months, depending on the readiness of the organization that is undergoing the review and the complexity of their systems and their processes.
PCI DSS related costs during and after the review
- Systems Related Costs
As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)
Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.
PCI DSS related costs during and after the review
- Systems Related Costs
As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)
Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.
2. Security Equipment Costs
Additional security equipment may need to be purchased (i.e. Firewalls, IPS, IDS, WAF)
3. Data Encryption Costs
PCI DSS requires card data encryption. Organisations will typically use HSM (Hardware Secure Module) hardware encryption to ensure the security of the cardholder data stored.
4. Training Costs
PCI DSS requires employees to undergo Awareness Training, Secure Coding Training, and IRP (Incident Response Plan) drills. In addition, to perform Vulnerability Scans and Penetration Tests, your staff may also have to undergo sufficient technical training to operate these tools.
5. Technical Audit Costs
PCI DSS mandates a number of technical audits, including:
- Card Number Scanning
- Code Review
- Internal Vulnerability Scan
- ASV, External Vulnerability Scan
- Internal Penetration Test
- External Penetration Test
- Wireless Scan
There may be some additional costs here.
6. Other Costs
If your organization is designated as a Service Provider, you will be required to register yourself, such as at VISA’s VISA Registry or MasterCard’s Service Provider Registration
Let us provide an example of a small-to-medium sized Service Provider, who is undergoing the PCI DSS compliance process for the first time. These are the estimated additional expenses:
Section | Expected Extra Costs | Remarks |
---|---|---|
Systems | 5-6 more servers, one-time expenditure of US$15,000 | |
Security Equipment | More WAF, IPS and other systems required, one-time expenditure of US$15,000-20,000 | Assuming Intermediate WAF |
Data Encryption Equipment | Spend up to US$30,000 in HSM costs | HSM prices vary greatly, software encryption methods can also be used |
Training | Training costs up to US$2,500 a year | Can conduct training internally |
Technical Audits | Based on the needs of the servers and number of applications may cost between US$30,000-90,000 annually | |
Others | Registration fees to the card organisations are about US$3,000-5,000 per year |
PCI DSS Compliance Fees
In addition to the possible costs above, the PCI DSS Compliance fees and the time required by a QSA to complete the audit depend on the following factors as well.
- System Complexity: The number of hosts, the type of OS used by the system, the number of components installed on the system, whether there are multiple OSs used at the same time, whether there are multiple security configurations.
- Security Devices and Network Segments: How many security devices there are, such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP etc. These security devices must be set up and updated with proper access controls and logs. We must also check and ensure that the records are kept, and the higher the number, the more complicated the network segment will be, which will increase the time required to audit.
- The number of connected acquirers and service providers: The more acquirers there are, the more complicated the data-flows of the system.
- Retention and encryption of database and card data: The more diverse the card data flows and the more diverse the types of card data storage, the more requirements there are for encryption and security protections, which leads to more items for auditing.
- Number of operation units: The number of stores, number of server rooms used, and the number of offices will also increase the number of days required for review. Bank, telecommunications companies etc. will have a large number of storefronts and offices, which will lead to longer auditing periods required. Backup server rooms that store card data will also be included in the scope of review.
The costs of a PCI DSS audit will also differ by geography, as the PCI SSC has different annual costs for each region. The costs of a QSA is also different in each region. For example, a small-to-medium sized Service Provider in Southeast Asia will require around 3-5 days of on-site assessment and require about a week for the preparation of the report. Excluding transportation costs, a first-time PCI DSS certification may cost between 15,000 USD to 25,000 USD. Of course, the actual price must be estimated based on the variables mentioned above to determine the amount of time required for the audit.
Vincent Huang
- IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security
- Professional certification: DSS QSA, PCI 3DS Assessor, PIN Security QPA, CISSP, CEH, NSPA, ISMS LA, ITSM LA, Certified CSA STAR Auditor, Europrise Technical Expert
Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.
- PCI certification: securevectors.com
- SecuCollab collaborating service: secucollab.com
- SecuCompliance management program: www.secucompliance.com
You might also like
*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.