Cost of PCI Compliance Calculator

TokenEx was founded by a former QSA to reduce the cost and complexity of PCI compliance. Our thorough understanding of the evaluation process, as well as our close working relationships with QSACs, have enabled us to leverage industry expertise to create this Cost of PCI Compliance Calculator. In building it, we spent hours with our QSA partners, reviewing their detailed scoping documents and ensuring each step in the process was covered.

1 Cardholder Data Environment
2 Technical Environment
3 Processes and Business Units
4 PCI DSS Controls
5 Risk Exposure
Results

Cardholder Data Environment

The areas where the computer systems and associated components that store cardholder data are located.

The physical retail locations where you’re ingesting cardholder data via PIN pads, card readers, and other point-of-sale devices.

The areas where customer-service and support-desk agents collect cardholder data via the phone, IVR, DTMF, or other channels.

Any other area within your organization’s network—devices for collecting payments in the field, external hard drives, etc.—where cardholder data is stored, processed, or transmitted.

Technical Environment

Any servers in your environment that are storing, transmitting, or processing cardholder data.

Any routers, firewalls, switches, load balancers, etc., in your network that transmit cardholder data (whether encrypted or not) or are used to protect the CDE.

Any ecommerce, backend, finance, or other applications that touch cardholder data.

The number of any additional databases or other environments in which you’re storing cardholder data.

Any other system components not previously identified that interact with cardholder data.

Any systems or components not previously identified that are connected to your CDE or could potentially affect the security of your CDE or the CHD within it.

Processes and Business Units

Any business processes that are involved in the processing, storage, or transmission of sensitive cardholder data.

Any departments or divisions of your organization that are responsible for interacting with or maintaining the systems that process, store, or transmit cardholder data.

Any employees responsible for overseeing the security and/or compliance of the people, processes, and technology involved in the processing, storage, and transmission of cardholder data.

PCI DSS Controls

The technical controls that will need to be evaluated as part of your PCI assessment.

Any other nontechnical controls that will need to be evaluated as part of your PCI assessment.

An estimate of the percentage of applicable controls that are implemented or managed in a centralized manner.

Risk Exposure

All stored customer records containing sensitive PCI or PII data.

All stored employee records containing sensitive PCI or PII data.

SME Cost Per Hour

The hourly rate for contracting a qualified security assessor to review your environment and validate compliance. (Industry average: $200)

The hourly rate for employees to maintain internal operations related to processing, storing, and transmitting cardholder data. (Industry average: $90)

The hourly rate for employees to manage compliance activities related to processing, storing, and transmitting cardholder data. (Industry average: $100)

Why it matters

Your cardholder data environment is the primary area of evaluation of the PCI DSS. It represents the systems and controls related to the processing, storage, and transmission of cardholder data. By minimizing the scope of this environment, you can reduce risk and mitigate the cost and complexity of a PCI assessment.

Your Estimated Cost of PCI Compliance

With this tool, you can gain a better understanding of the areas within your organization where you’re likely incurring the greatest expense. Once these areas are identified, you can use TokenEx to remove cardholder data from your environment and drastically reduce your risk and PCI scope, resulting in significant cost savings.


One-Time Costs

These cost categories represent estimated expenses related to the initial assessment that won’t be included in future PCI audits.

Readiness Assessment Costs

The costs associated with performing a readiness assessment prior to a PCI audit in order to identify and rectify easily addressable issues.

Implementing Controls

The costs associated with implementing or remediating the noncompliant controls identified during the readiness assessment.

Recurring Costs

These cost categories represent your estimated annual, recurring expenses associated with each assessment.

QSA Audit Costs

Yearly cost of contracting a qualified security assessor to evaluate your environment for PCI compliance.

Internal Costs for Yearly Assessments

Yearly cost of devoting internal resources to facilitating PCI assessments.

Maintenance - Operational Costs

Yearly cost of maintaining the systems and operations necessary for PCI compliance.

Internal PCI Program Management Costs

Yearly cost of managing internal policies and programs to ensure employees operate in compliance with the PCI DSS.

Additional Costs

These cost categories represent miscellaneous expenses that vary depending on the results of your annual assessment.

Ancillary Services Costs

Additional costs will be incurred from validation services such as ASV scanning, penetration testing, etc.

Security Technology Costs

Additional costs will be incurred from remedial technologies such as FIM, IDS/IPS, SIEM, SOC, etc.

Estimated Cost of a Data Breach

An estimate, based on the number of sensitive records you store, of how much it could cost to recover in the event of a breach.

Ready to learn about how TokenEx can save your company money without sacrificing security or flexibility?