A Deeper Dive into the Cost of PCI Compliance
A few days back we wrote about some expert views on the industry cost of PCI compliance. We've had several interesting discussions by email with folks reacting to the $2 billion number that my expert friends at dinner came up with. One of them, long-time friend and former colleague Walt Conway, sent along his own "very rough cut estimate" of PCI compliance costs. Walt has been consulting with colleges and universities on PCI for the last couple of years, and I asked him if we could share his thinking here.
Here's Walt's thinking on the industry cost of PCI compliance:
First, there are about 326 Level 1, 700 L2, and 2,400 L3 merchants per Visa, plus about 10-ish million L4 merchants in the US.
Let's start with L1. Costs for remediation/encryption/QSAs/scanning/firewalls/etc. can easily get to $1+ million, and a lot of L1 merchants have many networks and locations. I figure easily $2-3 million for an L1, so that gets us about $700 million-$1 billion.
L2 and L3 will vary, but just say half as much, so that gives us another (3,100 * $1 million) $3+ billion. We are now around $4 billion easily (and I think I am being very conservative).
If L4 merchants spend even $500 to complete a simple SAQ A, and if only half of them do it, we add another $1.5 billion.
All of this is very, VERY back of the envelope but I think the [dinner experts' estimate of] $2 billion could be quite low.
Add Walt's numbers up and you get $5.2-5.5 billion. Reactions?
By the way, Walt's got an active blog on the subject of PCI as well.