We address some of the most frequently asked questions about a Qualified Security...
Every organisation aiming to achieve PCI DSS compliance has an area of common concern; what will be the total actual cost of the whole process of achieving and then further maintaining compliance on a regular basis? Estimating the exact cost of PCI DSS Assessment and Certification is not an easy task as it requires a complete understanding of the scope of work and all the variables involved in the process. Other than that, the cost of compliance also varies from merchant to merchant and depends heavily upon the nature of the business, annual processed transactions, IT infrastructure, and card storage and processing methods deployed within the organisation.
Creating a Checklist before Calculating Cost is the Key to Correct Cost Estimation
As an organisation seeking the costs associated with achieving PCI DSS compliance, consider the following checklist before you begin:
- Develop a detailed understanding of the flow of storing, processing and transmitting cardholder data. Cardholder data scanning tools can help determine which areas specifically contain the data and which processes are involved in cardholder data transactions throughout the organisation.
- Update your network diagram to ensure that none of the cardholder data flow areas go unidentified. A complete network diagram must include all firewalls, switches, routers, intrusion detection systems, server, laptops, desktops and all other endpoints.
- Create a complete list of all data flows in your organisation. Here you need to make sure that none of the flow areas are left out and that all organisational assets are put into consideration. This will allow you to identify your organization’s Cardholder Data Environment (CDE).
- Document a list of all your organisational assets. It must include all the systems, databases, applications and files in your network along with details of each asset.
- Develop a list of all the personnel who are directly or indirectly involved in dealing with the cardholder data. These individuals must be identified at all levels of cardholder data flow i.e. during storing, processing or transmitting the cardholder data.
- Create a list of all third parties that are concerned with the cardholder data environment. These include, but are not limited to, your transaction processors, web hosting providers, POS maintenance vendors, Managed Security Service Providers, etc.
- Ensure that you have developed a comprehensive information security policy that encircles all the security aspects of the organization such as access control policy, password control policy, surveillance system audit policy, document security, incident response policy, system and network security and outsourcing policy, to name a few. The information security policy must be communicated, understood and regulated at all levels of the organisation.
The above checklist will serve as a guide to help you determine the costs associated with PCI DSS compliance. If you feel that you are unable to meet the above requirements, get help from a Qualified Security Assessor (QSA) who is specially trained to perform PCI DSS compliance assessments.
Creating a List of all Cost Incurring Activities
Now that you have marked off all the points in the checklist, you need to create a list of all the activities that incur costs associated with PCI compliance. These can be direct cost-incurring internal activities or external activities directly or indirectly taking part in the cardholder data transactions.
1. Defining the Scope of Cardholder Data Environment (CDE)
This is the first and most important step as without defining the correct scope, achieving PCI DSS compliance is not possible. It would not be wrong to say that as much easy as it may sound, defining scope is the most difficult task for even the smallest of organisations. Scoping of CDE can be done both internally and externally. If you decide on doing it internally, you will need to assign this job to someone who has detailed understanding and expertise in cardholder data flow process. Using the documented data flow and developed network diagrams as described above in the checklist, you can determine the extent of the CDE of the organisation. If you are not sure about being able to define the entire scope of CDE, you can also hire an external Qualified Security Assessor or QSA, who has the skills and expertise to interview your staff and map out the cardholder data flow to define the scope. Even if you do it internally, you will still need to hire a QSA to have a final validation that all the data flows have been accounted for. The costs associated with QSA need to be considered as well.
2. Assessing the CDE for Vulnerabilities
Again, you can choose to perform the assessment internally or with the help of a QSA. To achieve the desired results, it is recommended to seek help from a QSA so that you can get professional gap analysis or the in-scope and out-of-scope activities and also about the vulnerabilities within the system. Assessment of CDE is required to identify all loopholes and vulnerabilities in your data flow process that can pose threat to the security of your cardholder data such as vulnerabilities in computer systems, servers, storage points, etc. Merchants (Level 2,3,4) and service providers (Level 2) do not require submitting a Report on Compliance (ROC) can perform internal assessment through a Self Assessment Questionnaire (SAQ). SAQ is a validation tool and the type of questionnaire used varies from organisation to organisation and again you can use a QSA to assist with completing the Self-Assessment Questionnaire accurately.
3. Remediating the Vulnerabilities
In simple terms, remediation means to fix the vulnerabilities. Costs incurred on remediation vary extensively from organisation to organisation and depend upon different remediation paths taken by each. It also depends upon the extent of remediation required for each. At each step of remediation, you will bear the associated costs such as during network scanning with the help of software tools, on-site assessments or self assessment process, classification and ranking of vulnerabilities in order of priority, application of patches and changes to insecure process, etc.
4. Performing Assessment prior to Certification
Before you submit report for PCI DSS certification, you have to carry out an in-depth assessment. You can do that by investing in Internal Security Assessor (ISA) program of PCI Security Standards Council and let eligible employees get the ISA training to further perform internal assessments within the organisation. Likewise, you can also hire an external QSA to perform the assessment and present a report on whether you are ready for certification or not.
5. Acquiring the Certification
Finally, you are one step away from getting PCI DSS certification. Here also, you can either get the help of ISA or QSA, depending upon your organisational preferences. Whichever way you choose, costs will be incurred either way.
6. Maintaining the PCI Compliance
Most of the times the maintenance of PCI DSS compliance is overlooked by organisations once certification is achieved. This can increase the yearly costs in the long run as it would require the whole process to be undergone every time compliance is desired. It is important to consider the maintenance as a key stage and undergo proper planning and budgeting for this activity. As they say, compliance is not a one-time process, it is an ongoing process which should never stop.
Cost Estimation for Assessment and Certification Stages of the PCI DSS Compliance
Though remediation costs vary essentially from one organisation to another because of the difference in remediation paths of each, assessment and certification costs can be estimated to an approximate figure. For compliance with PCI DSS, payment card brands such as MasterCard and Visa have defined two types of organisations i.e. merchants and service providers. Merchants are entities that accept payment cards of any one of the five payment card brands of PCI SSC (Master Card, Visa, JCB, Discover and American Express) as a payment for goods and services. Service providers are companies that provide services that can have an impact on cardholder data security. Merchants are further broken down into 4 levels whereas service providers are broken down into 2 levels.Merchants Levels
- Level 1 Merchant is someone who processes over 6 million transactions per annum
- Level 2 Merchant is someone who processes from 1 to 6 million transactions per annum
- Level 3 Merchant is someone who processes from 20,000 to 1 million transactions per annum
- Level 4 Merchant is someone who processes under 20,000 transactions per annum
Service Provider Levels
- Level 1 Service Provider is someone who processes over 300,000 transactions per annum
- Level 2 Service Provider is someone who processes under 300,000 transactions per annum
For an organisation with a small IT setup and requiring PCI DSS compliance, estimated costs of Assessment and Certification phases for merchants and service providers can be summarised as under:
|Level 1||$22,000 to $50,000||$25,000 to $75,000|
|Level 2||$15,000 to $40,000||$15,000 to $50,000|
|Level 3||$10,000 to $30,000||n/a|
|Level 4||$5,000 to $10,000||n/a|
These estimated range of costs are only derived out of years of experiences and are based on past trends and analysis. For accurate cost estimation, it is best for you to take help from a Payment Card Industry Data Security Standards Qualified Security Assessor (PCI DSS QSA) who can carry out the complete cost estimation process from the start, customised to your organisational functions and needs.