Cost of remaining PCI DSS compliant


speery
01-23-2008, 09:35 AM
Can anyone point me to data showing the average cost of REMAINING PCI DSS compliant? Any figures would be useful be they general across all merchant levels or broken down by merchant level.

jbhall56
01-24-2008, 10:29 AM
I am not aware of any such statistics having been published on this yet.

I would assume that it will be either this year or next year that we should see such statistics given that the majority of organizations probably got to compliance in the last 9 to 12 months.

jplee3
01-24-2008, 03:24 PM
This will definitely be interesting to see. I'd also be interested to see what kind of stats there are for companies who have been fined, why, and for what/how much. Of course... not sure lots of companies would be willing to publish that side of things ;)

jbhall56
01-25-2008, 05:46 AM
I would guess that the 'costs' will be out of line just as they were with the early statistical analyses that came out of the first years of Sarbanes-Oxley. We're still in the learning period, so the costs will reflect the learning curve. In addition, the PCI DSS is still being interpreted and clarified, so that will also have an effect.

As with SOX, I would expect that it will be at least three to four years before we have reliable numbers.