How Much Will a PCI SSLC Assessment Cost?
Perhaps not the first person one would think to reference on a subject such as this, pop star Fergie had this to say: “For me, it's not about price. It's about necessity, quality, and usefulness.”
Regardless of what you may think—or not think—about her work in music, she does have a point. As humans, we don’t spend money unless there’s something in it for us. And when it comes to compliance, well—the stakes are ratcheted up much, much higher because it’s your organization’s security and reputation at stake.
But that doesn’t mean that the numbers themselves don’t hold any weight whatsoever. If you’re going to purchase compliance services, they do need to fit into your budget while also serving your specific needs and those of your customers.
In payment card security, there are a lot of different directions you could choose to go—in both standard and vendor. To help with that, we’re going to clarify one standard—the PCI SSLC—and one vendor’s prices—ours.
We’ve been providing services in this sector for years now, with almost 150 PCI projects completed in just the last 12 months. But we understand that costs are an important part of selecting your vendor, and how transparency can ease your decision-making.
While there is not a single number that we can give to everyone since all environments are different, in this article, you’ll learn our approximate price ranges for assessments against this particular standard, as well as different factors that can drive those baseline prices up.
What is the PCI SSLC?
First, let’s define what we’re putting a price on here.
The PCI SSLC, or Secure Software Lifecycle, is one of two new standards under the PCI Software Security Framework (PCI SSF). While the other—PCI Secure Software Standard (SSS)—focuses on payment applications themselves, the SSLC will evaluate your overall software development lifecycle (SDLC) process to ensure said payment application was developed under a validated secure software lifecycle.
This is a departure in that the SSLC is a brand new standard: until now, there has not been a separate assessment of the payment SDLC process.
And while there are many benefits to this kind of initiative, as with most new things on the horizon, many factors will play into whether or not this kind of compliance is right for you.
One of those primary factors is likely how much it will cost you to go through.
PCI SSLC Assessment Pricing
So let’s get into that, as promised.
First, please note that the prices and factors we will provide are only general ranges. There’s never a “one size fits all” for all assessments and all situations, but we’re going to do what we can to paint the best picture for you.
We should also disclose that Schellman charges based on estimated assessor weeks required to perform the projects; therefore, if the assessment runs significantly over schedule, additional costs—aside from those factors mentioned below—may be incurred.
Onto the numbers.
PCI SSLC Readiness Assessment
Estimated Baseline Price Range: Around $25k – $37k
Though with other standards, organizations may choose to bypass a readiness assessment, we recommend one for every first-time PCI SSF assessment.
Why?
Under the PCI SSF’s predecessor—the PA-DSS—the requirements were prescriptive. But those for the PCI SSF standards—including PCI SSLC—are not, and that can make for a major challenge to organizations.
In fact, these new SSF standards are an evaluation of software security and not a singular set of security controls against a payment application, rendering them incredibly different than anything the industry has ever seen before.
In our experience thus far with it, we’ve found that the full assessment goes a lot smoother if you engage us to perform a readiness assessment. It will cost you, as we said, and the following details of your environment will also affect your final price:
| Factors That Can Affect Your PCI SSLC Readiness Assessment Price |
|---|
| Number of SDLC processes that we are assessing |
| Complexity of processes |
| Size of scope |
| Number of dedicated assessor weeks |
| Number of evidence items successfully submitted during the readiness assessment |
PCI SSLC (Full Assessment)
Estimated Baseline Price: Minimum $20k (though most begin at around $30k+)
Once you have finished the readiness assessment, corrected any findings, and implemented each of the assessor’s recommendations, you’ll start thinking about moving forward to the full assessment.
Though you can expect your initial number to be in the $30k range, the following particulars can drive further fluctuation in your final price:
| Factors That Can Affect Your PCI SSLC Assessment Price |
|---|
| Completion of readiness assessment |
| Whether or not you have previously completed a PA-DSS assessment |
| Implementation of Control Objectives |
| Remediation and criticality of findings (if applicable) |
| Dedicated assessor weeks required to perform the project |
| Number of operating systems |
| Complexity of user interfaces |
| Embedded modules |
| Deployment options |
Moving Forward with a PCI SSLC Assessment
Obviously, there’s a lot that needs to be understood about your organization before a true price can be settled. For that reason, our experts may request a scoping call so that we can better understand your company and processes and thereby facilitate a less confusing assessment process.
With that being said, our goal in this article was to provide a transparent starting point on our prices for PCI SSLC assessments. Now, you know what to expect from us on cost and can set clearer expectations before engaging in further discussions.
If you are interested in hearing more from us about our methodology and approach to PCI SSLC assessments, please reach out to us. Our team would love to speak with you and address any questions or concerns you may have regarding this type of assessment—including those on price.
About JOE O'DONNELL
Joe O'Donnell is a Senior Manager with Schellman mainly dedicated to the PCI and PCI specialty service lines. Prior to joining Schellman in 2015, Joe worked in industry within the Enterprise Risk Management consulting practice. He managed IT reviews in support of the financial audit but also helped with various engagements including, but not limited to, SOC reports, penetration testing and vulnerability scanning, SOX, HIPAA, and bank audits. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst, where he gained experience in IT systems analysis and data center operations.