PCI Security: Time and Costs to Reach Compliance

PCI Security: Time and Costs to Reach Compliance

In 2017, Target completed a multi-state settlement for $18.5 million stemming from a massive 2013 data breach that exposed customer credit card data (over 40 million records) and contact information (over 70 million records). Target's security was called into question, but it was actually an issue with its outside services: an HVAC supplier was noncompliant with the Payment Card Industry Data Security Standard (PCI DSS). This incident highlights the importance of PCI compliance, both internally and in association with your service providers, such as your Payment Processor.

PCI compliance is becoming an even more pertinent topic of conversation in the evolving compliance climate. The wide-ranging General Data Protection Regulation (GDPR) from the European Union went into effect on May 25, 2018. PCI DSS is also going through updates, with a new version having been released on February 1. Additionally, on June 30, new rules go into effect that will broadly impact e-commerce companies.

The time and cost of a PCI-compliant information technology setup will differ. However, this article will suggest estimates for both based on the 2018 requirements so you can maintain compliance moving forward.

Costs for a PCI-Compliant System

The cost of PCI compliance ranges greatly. Estimates for the comprehensive PCI compliance of merchants and service providers are as follows for companies with relatively smaller IT environments, per 2015 figures:

Security Level Merchant Costs Service Provider Costs
Level 1 $22,000 - $50,000 $22,000 - $75,000
Level 2 $15,000 - $40,000 $15,000 - $50,000
Level 3 $10,000 - $30,000 N/A
Level 4 $5,000 - $10,000 N/A

For large enterprises, the expenses are much greater. Even back in 2007, Guitar Center spent nearly $500,000 to establish its PCI compliance, suggesting that the total ticket for some large enterprises is now in the millions.

Time Needed to Adopt PCI-Compliant Systems

The time needed to establish compliance with this payment card standard will vary based on numerous factors. Beyond the size and complexity of your business’s computing setup, you will also be fundamentally impacted by the amount of work necessary to get your systems prepared, which will depend on whether you set them up on-premises or with a PCI hosting provider.

The broadness of the requirements is evident in the official PCI DSS 3.2.1 document. A smaller organization can reasonably expect compliance to be achieved in 90 days, or within 30 days if the project is highly prioritized. In larger organizations, it may take longer. An organization of any size could significantly trim its timeline by working with a PCI hosting service and by tapping into the expertise of its other payment partners.

How Is PCI Compliance Changing?

While the requirements of the PCI DSS 3.2.1 (a very slight revision of 3.2, as discussed below) are too extensive to discuss here, the latest changes to the standard are worth noting. These 2018 updates to the PCI standard are offered by Laura K. Gray of the PCI Security Standards Council:

  1. PCI DSS 3.2 requirements went into effect on February 1

  2. PCI DSS 3.2 mandated the following for all entities that handle credit card account holder data:

    • Requirement 6.4.6 – Adjust your management procedures so that management verifies the implementation of all new PCI DSS rules following a major update.
    • Requirement 8.3.1 – When logging into an administrative account through non-console means, multi-factor authentication (MFA) should be used.

    Along with the two above requirements, service providers must additionally do the following:

    • Requirement 3.5.1 – Keep written details of your cryptographic design on file.
    • Requirements 10.8, 10.8.1 – Identify the problem and act when major security controls malfunction.
    • Requirement 11.3.4.1 – At intervals of no more than six months, use penetration tests to assess segmentation controls.
    • Requirement 12.4.1 – Create a program that is dedicated to PCI DSS compliance.
    • Requirements 12.11, 12.11.1 – At a minimum of once each quarter, conduct assessments to determine whether your security procedures and policies are consistently applied.
  3. TLS is replacing SSL on June 30

  4. Encryption has evolved as weaknesses have been discovered in earlier technologies and protocols. To this end, transport layer security (TLS) version 1.2 or higher is now necessary. It is no longer sufficient to use either earlier versions of TLS or secure sockets layer (SSL) certificates.

    There is actually an exception to this rule, however. For point-of-sale (POS) and point-of-interaction (POI) terminals, if there are no known weaknesses related to the devices or the termination points to which they lead, it is still PCI compliant to use SSL or early TLS with those machines.

    Here’s what you need to do by June 30 to ensure compliance with the SSL to TLS transition:

    • Verify that the server for your website remains capable of maintaining PCI compliance. For instance, Windows Server 2008 is incapable of working with TLS 1.2 or even 1.1. If you do use Microsoft products, it is necessary to upgrade to Windows Server 2012.
    • Be certain that your systems cannot default to either TLS 1.0 or SSL. It is important to check this aspect of potential fallback carefully as it is a common problem.
    • Let your customers and partners know what is happening. People may not be able to get your site to load on their devices after June 30 if their operating systems are outdated. Be clear that they may need to upgrade to a new operating system in order to reach your site, and that the reason for this change is that you are improving security to stay aligned with new payment standards.
  5. There were no new rules within PCI DSS v3.2.1

  6. The language was simply changed to include new stipulations, such as the February 1 deadline to achieve compliance with the 3.2 stipulations.

PCI Compliance for Secure Online Business

Adhering to the parameters of the Payment Card Industry Data Security Standard is critical to avoiding fines from Card Associations and can also help with security, as indicated by the Target hack. If you are not currently PCI compliant, the easiest way to get compliant is by partnering with a PCI Level 1 provider, which will help ensure your payment systems are up to date. Additionally, partnering with a proactive provider can help you maintain compliance as new updates occur.

Looking for a PCI Level 1 provider?

LEARN ABOUT PAYJUNCTION'S APPROACH TO SECURITY

What questions do you have about PCI DSS? We’d love to help explain this concept in the comments section below.

About the Author

Adnan Raja is the vice president of marketing at Atlantic.net, a market-leading cloud hosting, managed hosting, dedicated hosting and HIPAA-compliant hosting provider. Atlantic.net has multiple ways to contact CSP vendors before you spend one dollar. For a free consultation, simply contact Atlantic.net via its toll-free phone number, live chat, email service or contact form.

About PayJunction Contributor

PayJunction welcomes writers in the merchant services, cloud, security and mobile spaces to contribute to its blog!

Comments