Question regarding cost estimates for PCI Compliance


neteng33
04-08-2008, 09:02 AM
Hello,

I am new to this forum, and I am hoping that someone here can point me in the right direction on this.

I am wondering if anyone knows of a resource that I could use to begin wrapping my mind around the estimated costs for PCI compliance. I have found several "high-level" estimates that indicate that companies are spending between $125K-700K on PCI compliance.

I am looking to get a more detailed breakdown so that I can begin to come up with preliminary estimates for the costs that my organization would be facing.

Thanks,

Neteng33

sgender
04-08-2008, 12:00 PM
Your question cannot be answered from anything but a high level for an average environment.

To get the best rough estimate, you can contact any QSA with significant experience in your industry and they can surely help you with estimates for performing a gap analysis or assisting you in implementing solutions to repair your gaps.

If you want to post more details on your industry, size of your environment, and a rough idea of the gaps (e.g. do you already have IDS, firewalls, FIM, etc where they should be or not), I'm sure someone can give you a good guess too.

JoshuaBarnes
04-18-2008, 10:08 AM
There are two major ways to solve PCI compliance. You can use a QSA or QPASC and they will help you do it yourself, or you can talk to a service provider and they can help do it for you.

If you would like to reach out to me, I'd be glad to point you in the right direction.

816-222-1271

Joshua

PMiller
04-18-2008, 11:17 AM
I am trying to get this all figured out too. I don't know which certification my company needs and what my customers need on site either. I have been given conflicting information regarding the entire process. The only thing that seems constant is that each company I talk to knows what I need and wants me to fill out an application so I can send them a big check so they can get started. :rolleyes:

jbhall56
04-19-2008, 05:30 PM
Our Firm has a scoping document that you can fill out and return to me and then we can evaluate your answers and come up with a price. Contact me through the Forum and give me your email address and I will send you the scoping document.

ADail
03-23-2009, 06:49 AM
Much like a meteorology course for aircrews I once attended, the answer is most often, "It depends". There are some very sharp people on this forum (some of whom I have met) and speaking to them personally can never be a bad thing (especially when there is no cost up front).

To help understand the compliance process from a merchant's perspective, I can give you a chronography of my experience as a program manager on the merchant side.

In our case, we're a level 1 merchant processing about 1M transactions per day. We originally heard about PCI (It was the CISP program at the time) from an Acquiring bank who told us in June of 2004 that there was some Visa thing we had to be compliant with in August, but it shouldn't be a big deal.

I was brought in as the project manager and we did our own pre-audit under the old CISP guidelines, and for the most part we were dead-spot-on in our opinions.

We then selected a QSA from the list and while we did not intend to choose the "cheapest guy in the phone book", at the time the Big 4 were still flirting with these validations and were 5x as expensive as the simple QSACs. Also, the big auditing firms would only sign an attestation that they had followed the audit guidelines, not that they had located vulnerabilities, etc. We chose a firm which has since become a major player in the field.

Our QSA arrived and promptly educated us on the fact that the CISP program was being converted to something called PCI, and we'd be audited under those rules. Needless to say we did not pass that initial audit. We came up with a project plan and submitted it to our Acquirer (we were still so far ahead of our sector they were thrilled we even knew what was going on) and began 12 months of remediation.

We did things such as:
Configuration of all POS devices
Tons of policy changes & implementations of new rules
Logging, logging, and some more logging
Encryption of a million daily transactions on a mainframe
The long, painful fight with Enterprise IT organizations who didn't understand the compliance risk. In our first meeting I was literally told, "Tell Visa to kiss our butts, they don't dictate how we do business". Several risk analysis presentations to executives later, we were back on track (understand this is a major paradigm shift for many centralized organizations, especially if you try to use segmentation)
Automated fuel dispensers and stand-alone terminals are still a work in progress, due to the sector vendors getting such a late start with PCI, but they are progressing at an impressive pace.

We had another audit the following December and passed. We passed another the next December under PCI 1.1, and this past December under 1.1. We're currently adjusting for PCI 1.2 for our next audit.

All told, we spent about $800K that first year, mostly on POS upgrades, the encryption product for our mainframe, and labor to encrypt historical data. We also saw the writing on the wall and some of that cost is for encrypting non-PCI-scoped cards such as our proprietary cards and our fleet fuel cards. It's just easier to manage.

We saved money by using segmentation to control the scope of the audit, and by changing our work processes to comply with the program (something I learned rolling out SAP). For example, instead of spending $100K for a robust system to provide 2-factor authentication for 12 mainframe programmers (the only employees who access the card data segments remotely), we changed the topology and authentication so that no one touches that area remotely.

The most important thing one can do is to not only understand the "letter of the law", but also the intent of the SSC when it implemented a particular requirement. Take that information and make a smart, informed decision that still makes sense in that the business numbers support it. A totally secure network is worthless if your company went bankrupt building it.

There are some people on this forum who are very, very close to the source material for PCI and their opinions are extremely valuable in terms of context.