PayTechTalk by Damien Fleuriot CISO

✅ PCI DSS 4.0

19 July 2023 in Blog,PayTechTalk

by Damien Fleuriot

Share This Story, Choose Your Platform!

Everyone in the online payment industry has heard of the Payment Card Industry Data Security Standard, or PCI DSS for short.

As a standard, it is not mandatory by law.

It is, however, often used as a contractual requirement with your Acquirers, Banks and Merchants to set the bar for each other’s security obligations.

NORBr leveraged Google Cloud Platform’s infrastructure and teamed with CNPP QSAs to successfully renew our PCI DSS certification under the new 4.0 version.

PCI DSS version 4.0 landed in 2022 and will become mandatory for assessments after 31/03/2024 which is less than a year away.

This is a significant update with a major impact to your GRC programs.

Learn more about how NORBr’s PCI DSS 4.0’s infrastructure can help you offload time and monetary investments.


PCI-DSS 4.0 Implementation Timeline

PCI-DSS 4.0 Implementation Timeline

Barbaric Acronyms

This article uses a lot of acronyms, find their definitions in the Lexicon at the end of this article.



Originally derived from the ISO 27k standard, the PCI DSS includes requirements pertaining to your organization’s governance, such as how you handle IAM, mandatory MFA, or data retention.

Under PCI DSS 4.0, you’re now encouraged to adhere to the NIST’s new SP 800-63 revision 3 for example (which is a welcome change, actually).

Are you ready to transition your systems to a more Zero-Trust oriented posture ?



The new approach in PCI DSS 4.0 is that you’re required to have Controls that meet Control Objectives.

As such, Risk Analysis needs to be performed to ensure that Controls you implement are in line with your attack surface and identified threats and risk events.

Performing a full NIST SP 800-30 Risk Assessment is no small task.

Offload your PCI DSS processing to NORBr and reduce your attack surface accordingly.



While it’s always a good idea to improve your organization’s security posture, PCI DSS compliance comes at a significant cost to you, and distracts you from performing your core business missions.

We’ve assembled a conservative breakdown of yearly PCI DSS compliance costs below, for your perusal.


Network Security (WAF, IDS/IPS)

Cloudflare’s offer starts at $200 per month, with a huge jump to $5000/month for their enterprise subscription.

They both get you a solid WAF, DDoS mitigation and reputable authoritative DNS servers.

You also get TLS 1.3 and end-to-end encryption to your backend servers should you so choose.

You could also go the hard route and purchase, configure and maintain your own WAFs and IPSes but you’re looking at a higher overall total cost of ownership.

Total: $2k to $50k a year.


Endpoint Security (NGAV, EDR, XDR)

A good NGAV/EDR product will set you back about $200 per endpoint, more if you’re looking for reactive XDR from your vendor.

For a mix of 50 workstations and servers, you’re looking at a $10k yearly expense.

Note that for this price point you’ve not secured your mobile devices, nor enrolled them in UEM solutions.

Total: $10k a year.


Scanning and Pentesting

Your ASV scans are going to cost anywhere from $3k to $5k a year.

You’re looking at an additional $5k for Internal Scans.

Finally, your mandatory, twice-a-year Pentesting will clock anywhere between $20k to $80k.

Overall, scanning and pentesting are going to cost you from …

Total: $30k to $100k per annum.



Having your SAQ countersigned by a QSA will cost you between $10k to $40k.

If you’re a Service Provider or certify at level 1, you’re looking at a ROC + AOC, at roughly $15k to $200k depending on size and assessment scope.

Total: $10k to $200k



Now we’ve handled material, third party and service provider costs, we need to look at your staffing requirements.

You’re going to need a CiSO, that’s anywhere from $140k to $300k+ depending on profile and experience, and you’ll be lucky to land one given the ongoing shortage.

You want Security Operations staff, to implement your governance policies, implement procedures, perform PCI DSS timed processes, and respond to incidents and emergencies.

We’re not talking a full CERT/CSIRT/SOC here, but you’re still looking at 2 junior and 1 senior Security Operations personnel, again with the ongoing shortage.

These costs do not include any state or government taxes on salaries, overtime costs, recruitment costs or training costs.

Obviously these staff won’t handle PCI DSS exclusively and will be able to provide value to your organization in other areas, however expect them to spend a significant amount of time on PCI DSS compliance.

CiSO : $140k to $300k in salaries

Security Operators : $200k in salaries

Total: $340k to $500k before any other costs


Key Takeaways

While critical to your business, PCI DSS compliance is a significant  investment in terms of time, money, and personnel, especially for older information systems, multiple connected projects, and larger organizations. Conservative cost estimates, including a dedicated security team range from $400,000 to over half a million dollars. And that’s not even considering expenses for SIEM, XDR, UEM, CERT/CSIRT, GDPR/CCPA compliance, or ISO 27k / SOC2 Type 2.

Discover NORBr Infra, our 100% white-label payment gateway. Whether you’re a bank, PayFac, or PSP, we have the perfect solution for you. NORBr Infra is certified PCI-DSS v4.0, which means that from the very first minute of use, you can proudly declare your compliance and stop worrying about it.


PCI DSS Compliance is a risk on its own, choose to offload it to NORBr now.



AOC : Attestation Of Compliance

ASV : Approved Scanning Vendor

CCPA : California Consumer Privacy Act

CERT : Computer Emergency Response Team

CiSO : Chief information Security Officer

CSIRT : Computer Security Incident Response Team

EDR : Endpoint Detection and Response

GDPR : General Data Protection Regulation

GRC : Governance, Risk and Compliance

IAM : Identity and Access Management

IDS : Intrusion Detection System

IPS : Intrusion Prevention System

MFA : Multi-Factor Authentication

NGAV : Next-Generation Antivirus

QSA : Qualified Security Assessor

ROC : Report On Compliance

SAQ : Self Assessment Questionnaire

SIEM : Security Information and Event Management

SOC : Security Operations Center

UEM : Unified Endpoint Management

WAF : Web Application Firewall

XDR : Extended Detection and Response

Share This Story, Choose Your Platform!