Over the past couple of months, the team has been busy working on PCI-DSS related projects. Since 2010, we have been in touch with Control Case International, an international QSA based in Virginia, USA, with a centre of excellence in Mumbai, India, that serves the Middle East and Asia regions.
Back in 2010, nobody really cared too much about PCI-DSS. We had heard it bandied about among our clients, and after researching it, we decided as a company to make it one of our core services. The first thing we did was to clarify our agreement with Control Case. While remaining independent of their audit, reports and opinion, we also wanted to know how they work so that we could assist our customers better through our project management services. Things like the format for submitting evidence, scheduling, expectation setting and budgeting were just as critical as the actual audit performed by the QSA. We then trained with and shadowed Control Case on assignments, eventually building up the technical skill base for consultancy and advisory work.
PCI-DSS isn’t rocket science. Neither is it a stroll in the park. But with proper planning, understanding and project management, you will be able to navigate PCI-DSS without breaking the bank.
Invariably, one of the first things our potential clients ask us is: How much will it cost?
While there is no simple answer, most will skirt the subject and say that it depends. And they are right. It really does depend. However, from our perspective, the ballpark figure should still make economic sense. The first thing is to figure out what is in scope and to keep only the necessary items in scope: the cardholder data environment (CDE). The simplest suggestion is to move any function not related to card processing out of scope, either by placing it in a separate network segment or by moving it out altogether. Once that is done, you should be able to get a price estimate from your QSA or consulting provider.
The rule we try to impose is to keep the gap assessment and certification below RM50K. This is a tall order, but quite possible, especially if the scope has been narrowed down to a simple firewall -> DMZ -> application server/database server design, without too complicated a CDE. Either way, you shouldn’t be looking at over 100K for gap assessment and certification. Of course, this applies generally to payment service providers, not banks. For banks, you are probably looking at forking out RM100 – RM200K for gap assessment and certification. Recurring fees also apply, so remember to ask about those as well: each year there is a review, and how much will that cost? There will also be supplementary services such as penetration testing and ASV scans. The annual total should generally be the same as, or slightly less than, the first-year compliance cost.
The reason I am writing this post is that I’ve seen fees bandied around in excess of RM120 – RM160K for service providers and RM400 – RM500K for banks. Now, I know things vary, but some of these are just ridiculously high once the scope is known. And this does not include the remediation and implementation portion! The implementation portion is variable, of course, depending on how much involvement is required. For instance, we just completed a policies and procedures project for between 30 – 35K over roughly one month, starting from scratch for a medium-sized service provider. Your mileage may vary in implementation, but again, if you have in-house expertise, then do it yourself; otherwise, look for consultants, and make sure the consultants include training and workshops to pass their capability on to you!
The short of the matter is: shop around and get quotes. Get references as well, and make sure the provider has local partners to help out and assist during the remediation period; you will need it. Also, if you engage external providers, keep in mind the withholding tax involved. That’s why we’ve evolved PKF into the PCI-DSS advisory of choice, from gap assessment to certification, for Malaysian payment service providers looking for cost-effective, quality PCI-DSS services. While we work with Control Case on a lot of our projects, there are many times when we have worked with other QSAs, or Control Case has worked with other advisors, making us truly independent.
Drop us an email at email@example.com and we can work out a PCI-DSS package for you that won’t break the bank!