I’ve written a few posts about PCI security. I get quite a few questions about the cost of building and managing a PCI environment. In a nutshell, it is expensive. Below I’ll outline the expenses I am familiar with from my own experience, but note that there are more expensive versions: there are plenty of places where you may be required to spend significantly more, depending on the parties you do business with and exactly what you are doing with credit card information.
I suppose the first thing worth pointing out is that there are initial or one-time costs and then ongoing costs. To state a few things that are probably obvious, the initial costs are all the things you must do or buy to get from wherever you are today with the security program you have in place to the point that an auditor is signing your PCI AOC (Attestation of Compliance). I could argue that in some cases it might be less expensive to start from scratch than to transition from an existing infrastructure. I’ve worked at many startups, and I make significant investments in security, workflow and documentation that I suspect are unusual for startups, so I believe my starting point was significantly further along than your average scrappy startup. In any case, here is a description of our costs:
- We spent about 6 Full-Time-Equivalent (FTE) months modifying our existing 65-page Word document of Information Security Policies and Standards while porting it to a wiki, so that it was more consistent with our workflows and documentation tools. That also enabled us to simplify PCI requirements such as auditable document/change control and integration with other important tools such as ticketing systems, logging systems, etc.
- We spent about 6 FTE months enhancing and modifying our existing HR, Engineering and System Operations workflows to meet requirements. This included additional documentation to support the Information Security Policies and Standards. Examples of these modifications include increases to insurance types and amounts, employee background checks, security training for 100% of employees, fully documented engineering workflows, review/approval workflows for modifying any 3rd party software components of our platform, monitoring security alerts, secure access key rotations, business continuity planning, etc.
- We spent about 2 FTE months building a security training program for every employee, plus more elaborate training for our technical team including online training on secure programming and QA practices.
- We spent about 3 FTE months modifying and enhancing our technical infrastructure and automation tooling to accommodate PCI requirements such as vulnerability scanning, code reviews, etc.
- We spent about 6 months revisiting or deploying new technology throughout our cloud-based platform. This included deploying egress firewalls, redistributing application components to ensure that each server had a single role, deploying an isolated/secure software repository within our PCI environment, OS hardening (removing all components and accounts not actually used by our platform), and deploying various intrusion detection, logging, monitoring and alerting solutions.
- We spent about 4 FTE months on vulnerability scanning and external penetration testing, which revealed mostly false positives but also a few issues that then cost us a full engineering cycle (12 folks working for 4 weeks) to clean up.
- We spent about 4 FTE months building out a real business continuity plan and actually testing every type of failure and recovery that we could identify.
- Then we invited the auditor in for the audit. The initial audit took about 2 FTE months of work spread out over 4 calendar months, for two reasons. First, a first-time audit meant that we needed to establish a shared understanding of terminology, environment, compliance issues, etc. Second, even after all the above work with the help of a security consulting firm, the auditor discovered issues they were not comfortable with, so we spent time revisiting documentation, workflows and technology tools.
- We increased our cloud fees by 25%, primarily because we needed to buy additional instances to separate server roles: you can’t have a single command-and-control server for all your utility and admin functions.
- Finally, we spent $250K on the following services and products – security consulting expertise, PCI auditor, security scanning services, computer based training, code review software and intrusion detection/file monitoring software and anti-virus software.
That is what we spent to get our first certification. In summary, it was approximately 36 FTE months of work; at a fully loaded cost of, let’s say, $150K per year, that is $450K total labor. Add $250K/year of software and service cost and another $50K/year of increased cloud fees, and it comes to approximately $750K to get us to the starting line in year one.
In addition, I estimate that it takes us 1 FTE to run our security program – support audits, run/manage vulnerability scans, manage the customer/partner security interface, manage the training program for all employees, manage a security management workflow, monitor alerts and address issues, etc. PCI also easily adds at least a 25% drag on our entire technology organization – secure code reviews, vulnerability scanning, training, change control, secure builds and transfers, etc. So for us, this is approximately $450K of ongoing labor cost plus the same $300K/year of software, services and cloud fees.
Basically, $750K to get PCI compliant and $750K/year in ongoing cost. Pretty expensive for a startup.