PCI DSS BLACK BOX Testing and Certification.
To whom does the PCI DSS apply?
The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Where can I find the PCI Data Security Standard (PCI DSS)?
The current PCI DSS documents can be found on the PCI Security Standards Council website. https://www.pcisecuritystandards.org/document_library
What are the PCI compliance ‘levels’ and how are they determined?
All merchants falls into one of the four merchant levels based on Visa transaction volume over a 12-month period. The Transaction volumes are based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must be considerd the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
Merchant levels as defined by Visa as shown in Annex 1:
PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS) BLACK BOX and Frontend Web Application Testing and certification are conducted by our ISO/IEC 27001 approved partners.
PCI COMPLIANCE LEVEL l AND ll CERTIFICATION approved by Infragard.
NOTE: ALL TESTS AND CERTIFICATIONS ARE IN COMPLIANCE OF ISO/IEC 27001 AND PCI DSS REQUIREMENT 3: PROTECT STORED CARDHOLDER DATA WITH SUB-BODY CODE 3.2 (3.2.1, 3.2.2, 3.2.3) OF THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS), AS ENDORSED BY VISA, MASTERCARD, AMERICAN EXPRESS, DISCOVER AND JCB PAYMENT BRANDS.
CERTIFICATIONS COMPLY WITH: CEH (ECC65322351948), CWSP (CWNP251209), CBSP (Ox7486c2a 7c619afea476db7f7 e1fb99176ecfbd8c6241ed011f9 1f59ebb2bc501), CYBERPOL (980320857), ISO/IEC 27001
|1||Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.|
|2||Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.|
|3||Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.|
|4||Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.|
The cost of PCI compliance depends heavily on the level of compliance you are applying for and the number of card transactions you process. PCI compliance has four levels of compliance for merchants both online and offline, and two for service providers, and all of them depend on your number of card processing transactions per year. The general cost for PCI DSS certification is listed from Verify below:
Estimated costs for certification and Black Box Testing based on global demands:
- Level 1 Certification – $550,000 up to $1,000,000 with an annual maintenance cost of $250,000.
- Level 2 Certification – $260,000 up to $500,000 with an PCI cost of $100,000.
- Level 3 Certification – $75,000 up to $90,000 with an annual maintenance cost of PCI – $35,000.
- Level 4 Certification – $75,000 up to $90,000 with an annual PCI cost of $35,000.
For startups and SME’s we have a special package starting at $12,000 and $5800 for basic Black Box certification on frontend.
If you’re a small business, PCI DSS compliance should cost from $2500 per year (depending on your environment).
- Vulnerability scanning: around $800 – $1200
- Black Box Pen Test and Certification – $2500
- PCI Training and Certification includes exam valid for 1 year $99 per employee
- Policy development: around $1800 per policy with min requirements
- Remediation (software and hardware updates, etc.) varies widely based on how much work is needed to achieve compliance and security: anywhere from $1500 to $10,000.
If you’re a very large enterprise and need a PCI DSS assessment, expect to pay $75,000+ in total costs (depending on your environment).
- On-site audit: around $45,000
- Vulnerability scans: around $1,800
- Penetration testing: around $15,000
- Training and policy development: around $5,000
- Remediation (software and hardware updates, etc.) varies greatly based on how much work is needed to achieve compliance and security: anywhere from $15,000 to $500,000
NOTE: ALL TESTS AND CERTIFICATIONS ARE IN COMPLIANCE OF ISO/IEC 27001 AND PCI DSS REQUIREMENT 3: PROTECT STORED CARDHOLDER DATA WITH SUB-BODY CODE 3.2 (3.2.1, 3.2.2, 3.2.3) OF THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS), AS ENDORSED BY VISA, MASTERCARD, AMERICAN EXPRESS, DISCOVER AND JCB PAYMENT BRANDS