subject: What Does It Cost To Become PCI Compliant? Part 2 by:Bryan Johnson



This is part 2 of a two-part series on the cost of PCI compliance. This month we look at the cost of software and hardware upgrades.

Software and hardware upgrades may be necessary if you store credit card data in house, because stored card numbers must be rendered unreadable (encrypted, hashed or truncated) wherever they sit. Gartner estimates that a company with 100,000 credit cards on file will pay about $6 per card in encryption costs. Alternatively, merchants can use technologies such as tokenization, where the card number is replaced by a substitute token and the real card data is held by the provider rather than on the merchant's systems; these services typically charge per-transaction fees instead of upfront costs. Tokenization only reduces what you have to secure if the full card number never lands in your own systems, so the hand-off point matters. All of these estimates exclude the cost of labor and the opportunity cost of not pursuing other profit-making endeavors.

Smaller restaurants and retailers that have only a single terminal or POS system are still required to become compliant. They need to fill out the Self-Assessment Questionnaire, but the compliance process is usually much less involved. Merchants that use POS systems to process credit cards need to make sure the system is not improperly storing prohibited card data (sensitive authentication data such as the full magnetic stripe or track contents, the card verification code, and the PIN block must never be kept after authorization) and need to verify that their vendor is PABP compliant (soon to become PA-DSS). To verify that your POS system is not storing prohibited information and is compliant, see the updated list of validated payment applications published in November 2007. Some merchants, such as Brad Friedlander, a restaurant owner in Cleveland with two stores, have paid $50,000 on technology upgrades to become compliant. Any merchant that accepts, stores, or processes credit card information is required to already be compliant.

The Card Associations have set specific dates by which merchants need to validate compliance. Level 1 merchants were required to validate compliance by 9/30/07. Level 2 merchants are expected to validate PCI compliance by 12/31/07. Level 3 and 4 validation deadlines will come, but at this point they have been left to each merchant's acquirer to determine. Not only is becoming compliant not optional, but the Card Associations have threatened larger merchants with monthly fines until compliance is obtained. They have also threatened to increase the cost of interchange, which would raise these merchants' processing costs. But perhaps most importantly, the Card Associations will levy fines and penalties if a merchant is not PCI compliant at the time of a breach. The fines can be devastating to merchants. I've written about two breaches, both of which had significant consequences. One merchant is large, the other is small.

In addition, merchants face remediation and discovery costs that can be just as costly as the fines, if not more so. For a cumulative number, Gartner estimates that the cost of a data security breach can range from $90 to $305 per customer record. Some merchants are frustrated by the PCI requirements, while others see them as basic security requirements that should already be in place. A common misconception is that compliance equals security: validation is a point-in-time attestation, and a number of recent breaches at merchants that had validated compliance have proven that it is not the same thing as being secure.

About the author

Bryan Johnson is the author of this article on how to store credit card data securely. Find more information on how to become PCI compliant and on PCI Compliance here.
