Cut Your PCI DSS Cost In Half

by Josh Biggs in Finance on 10th March 2021

You may already know that the PCI DSS cost for most businesses is astronomical and cost-prohibitive. For such an essential component to modern business, shouldn’t it be more affordable and easy to obtain? 

At Very Good Security (VGS), we know that business owners shouldn’t also have to become data security experts. And in order to become fully PCI DSS compliant, businesses really do need to have a seasoned data security professional on the payroll if they decide to keep their security measures in-house.

Third-party vendors can help merchants mitigate some of the PCI DSS costs, but these merchants typically take on none of the risks involved. Basically, if you do suffer a data breach, you are likely to remain liable. 

So for many business owners who are trying to juggle security and growing their business, PCI DSS compliance is a headache. It’s a long and expensive process, especially if you do it all yourself. 

But PCI DSS is mandatory and you can’t ignore it. And staying compliant can save you from a data breach – which in comparison, is far more expensive. 

Why Non-Compliance Will Kill Your Business: Hidden Costs of a Data Breach

We know that data breaches are expensive. IBM sets the average worldwide cost at $3.86 million for a single incident. But that cost varies depending on the size, geography, and industry of your business, as well as the severity of the breach. 

Those are the upfront expenses. And they are great for a headline because they are clearcut. However, there are an array of hidden costs.

About one-third of consumers will completely abandon a brand in case of a data breach. You will need to funnel money into your marketing to distance yourself from the breach – once you’ve taken responsibility and improve your security posture, of course. 

But that’s at all. A cyberattack threatens more than your consumer relationships. In the eyes of your vendors, shareholders, partners, and even potential employees, your business is now a liability. Attracting talent and investment will become harder, and it’s likely you may lose out on key deals and other opportunities for growth. 

Many businesses have had to shut their doors due to cyberattacks, including Code Spaces, FlexiSpy, Medstar Health, MyBizHomepage, Nirvanix, and Telefonica. Furthermore, the  US National Cyber Security Alliance found in a recent study that 60% can’t sustain their business six months after a cyberattack.

In other words, a data breach is a long-term expense. One you can’t afford. 

Still, you may be cautious about investing in PCI DSS security measures. It’s a big investment and can take a considerable amount of resources. To get a better idea of what it takes to become compliant, we need to look at what factors go into determining PCI DSS cost.

What Goes into Your PCI DSS Cost

There’s no way around it: PCI DSS is expensive. There are four levels, with Level 1 being the most costly and requiring the most paperwork. Even if you’re a Level 4 merchant, you’re likely to spend at least $50,000 to get started and $35,000 for annual maintenance. To add insult to injury, it often takes more than six months to become fully compliant, which delays product launches and company innovation. 

The incredible amount of work and time it takes to become PCI DSS compliant is one of the reasons many companies ignore compliance requirements or seek to find compliant ways to remove themselves from PCI scope.

Why is it so expensive? There’s a lot of items that go into the PCI DSS cost. Some of these include:

  • Hardware and software
  • Third-party vendor networks
  • Quality assessments and audits
  • Current PCI policies and training programs 
  • Data security engineer salaries
  • Number of annual transactions

Basically, you need to think about cardholder data, which systems it passes through, who has access to it, and how secure each step of that process is. And it’s often a more extensive network that you might first imagine, which is what most businesses figure out as they begin mapping their systems. 

So to reduce your overall costs, you need to find ways to reduce your PCI DSS scope. Most third-party vendors can help with parts of that process. 

But what if you wanted to bypass it altogether?

That’s not impossible. 

An Affordable Alternative 

There’s an additional stressor in creating your own PCI DSS compliant system. And that’s the fact that no matter how tight your security is, your company is ultimately responsible in case of a breach if you touch the data.

But what if you could use cardholder data without touching it?

At VGS, we offer just that. Through a tokenization process called data aliasing, a proxy intercepts cardholder data before it ever reaches your systems. Instead of getting raw, sensitive data, your company holds a meaningless token that cannot be reverse-engineered. But it allows you to process and use data as it if were the original article. 

The sensitive data is stored in a secure vault, safe from even accidental internal leaks.

As a result, your company is taken out of PCI DSS scope. This means its possible to become compliant, in many cases, within seven business days. And it cuts the costs by at least 50%.

With what you save in money, resources, and productivity, you can focus on what matters most – scaling your business. 

Categories: Finance