Big Merchants Pay $225,000 on Average for PCI Audits, Study Says

Getting an annual assessment to determine their compliance with the Payment Card Industry data-security standard costs big merchants an average of $225,000, but some pay $500,000 or more and others much less, according to a new research report by Ponemon Institute LLC. The report also says that only about 2% of card-accepting merchants fail their Payment Card Industry data-security standard (PCI) audits, but more than 40% might fail if they weren't allowed to use “compensating controls” that often are effectively temporary fixes. Traverse City, Mich.-based Ponemon Institute, which specializes in security and privacy issues, obtained its data in January by obtaining usable responses from 155 so-called qualified security assessors. QSAs are the companies and people certified by the PCI Security Standards Council to perform the official PCI audits required by the payment card networks. On average, the respondents had participated in eight PCI audits over the preceding 12 months, and 59% of their audits involved Level 1 merchants, those that submit more than 6 million Visa or MasterCard transactions annually. Another 28% of their audits involved Tier 1 service providers, or processors handling more than 300,000 transactions a year. According to the respondents, the average cost of an annual on-site PCI inspection by a QSA for a Level 1 merchant was $225,000. Ten percent paid more than $500,000 while 15% paid less than $100,000. Level 2 merchants, those generating 1 million to 6 million Visa or MasterCard transactions annually, paid about half the Level 1 average for their audits. Larry Ponemon, chairman and founder of the Ponemon Institute, tells Digital Transactions News that the January study was the first time his organization had looked into pricing so he doesn't have trend data. The report says there could be downward pressure on audit costs depending on the extent to which the card networks allow merchants' internal staffs to do PCI audits. In addition, Ponemon says that while one of his earlier studies gave some indication that QSA quality can vary widely, a low-cost audit doesn't necessarily mean low quality. Assessors from small or single-person QSA companies can be just as knowledgeable and professional as those from large companies, which have more expenses, he says. “It didn't seem like it was a quality differential,” he says. “I'm going to attribute it to the overhead factor.” Meanwhile, although the survey found that only a small fraction of merchants actually fail their PCI audits, the QSAs reported that 41% of audited businesses would fail if they didn't use so-called compensating controls. Such controls are alternatives intended to accomplish the same goal set out in the PCI rulebook, but sometimes in an unofficial way. An example Ponemon points out is the PCI requirement that stored data be encrypted. Rather than pay for expensive encrypting technology, some card-accepting merchants institute very stringent controls on which employees have access to the device where the card are stored. “In reality a compensating control can be just as valid as the control itself,” says Ponemon. The PCI standards permit compensating controls, but the report points out that such controls “may be only temporary fixes and might be eliminated by future changes to the PCI DSS.” Most the compensating controls Ponemon found involved access to data, including technology and governance issues. “It costs a lot of moola, and a change in business practices, to conform to access governance,” says Ponemon. Ponemon presented the report at last week's big RSA Conference in San Francisco and plans to present another version of it at an upcoming security conference in the United Kingdom. France-based Thales SA, a security-technology and defense firm, sponsored the research. Thales sold its Thales e-Transactions point-of-sale terminal business unit to Hypercom Corp. in 2008.