The cost of becoming PCI compliant depends on a number of factors, including your business type, the number of card transactions you process annually, your existing IT infrastructure, and your current practices for processing and storing credit/debit card data. Gartner estimates that during 2007 the nation's largest merchants, classified as Level 1 (processing in excess of 6 million transactions of a single card brand per year), will spend $125,000 assessing the scope of required PCI-related work and another $568,000 to meet the requirements. This is part 1 of a two-part series on PCI compliance.
As an example, Robin Sidel and Pui-Wing Tam of the WSJ recently reported that Guitar Center, a national retailer with 210 stores, spent nearly $500,000 on PCI compliance. Gartner also concluded that Level 2 merchants, those processing between 1 million and 6 million transactions annually, will spend $105,000 to determine scope and another $267,000 to reach compliance. Level 3 merchants, those processing between 20,000 and 1,000,000 e-commerce transactions annually, are expected to spend $44,000 on assessment and $81,000 on compliance. The costs for Level 4 merchants, those processing fewer than 20,000 e-commerce transactions or up to 1,000,000 non-e-commerce transactions annually, vary widely.
Only Level 1 merchants are required to undergo an annual on-site audit. Merchants at Levels 2, 3 and 4 instead complete the Self-Assessment Questionnaire and arrange quarterly external vulnerability scans, performed by an Approved Scanning Vendor (ASV), of all Internet-facing IP addresses in their cardholder data environment. A rough estimate for the scans is $150 to $2,500 per IP address per year. Merchants who accept multiple currencies may incur additional costs from their global payment solution providers.
Next month we will look at the remaining costs, including software and hardware upgrades.