How much does PCI DSS compliance cost?

PCI DSS compliance costs vary significantly by merchant level. Level 4 small merchants typically spend $1,000–$5,000/year for a SAQ and basic scanning. Level 3 merchants spend $5,000–$20,000. Level 2 merchants spend $10,000–$50,000. Level 1 merchants requiring a full QSA assessment can spend $50,000–$500,000+ per year.

What are the fines for PCI non-compliance?

Card brands (Visa, Mastercard) can fine acquiring banks $5,000–$100,000 per month for merchants that are non-compliant. These fines are typically passed on to the merchant. If a data breach occurs while non-compliant, the merchant can also be held liable for all fraudulent charges and investigation costs.

What is the difference between PCI SAQ and QSA assessment?

A Self-Assessment Questionnaire (SAQ) is a self-reported validation tool for smaller merchants. A Qualified Security Assessor (QSA) assessment is a formal audit conducted by a PCI-certified third party, required for Level 1 merchants (processing over 6 million transactions/year) and some Level 2 merchants.

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard, released in March 2022. It includes 12 core requirements covering network security, cardholder data protection, vulnerability management, access control, monitoring, and information security policies. Version 3.2.1 was retired in March 2024.

Free Tool

PCI Compliance Cost Calculator

Answer four questions to get a personalised PCI compliance cost estimate. This calculator covers assessment fees, vulnerability scanning, penetration testing, remediation, ongoing monitoring, and security training. No email address required. Results are instant.

Your PCI Profile

PCI Merchant Level

<20k e-commerce or <1M other

Current Status

Cardholder Data Environments

Number of systems storing/transmitting card data

E-commerce

SAQ Type

QSA Assessment Required

Employees Handling Card Data

Used to estimate training costs

First-Year Compliance Cost

$8k–$39k

All setup, assessment, and remediation costs

Annual Recurring Cost

$5k–$20k

Ongoing assessment, scanning, training, tools

Cost Breakdown

QSA / SAQ Assessment$700–$3k

ASV Scanning (quarterly)$800–$3k

Penetration Testing$2k–$8k

Remediation / Gap Fixes$3k–$15k

Policy Development$500–$3k

Security Training$750–$3k

Tools & Technology$500–$5k

Non-Compliance Fine (annual)

$60k–$1.2M

$5k–$100k/month from Visa/Mastercard via your acquirer

Breach Liability (without PCI)

$50k–$500k

Full fraud liability + forensics + fines if non-compliant at breach

Compliance Cost vs Risk Ratio

Compliance costs 3% of non-compliance exposure, almost always worth it

Timeline to Compliance

5–16 weeks

From kickoff to first passing assessment

Your first-year compliance exposure: $8k–$39k

We'll review your environment, identify compliance gaps, and give you a prioritised remediation roadmap.

Get a Free PCI Exposure Teardown →

Or email Oliver directly → [email protected]

How This Calculator Works

The calculator uses four inputs to generate a personalised cost estimate. Each input narrows the estimate by determining which PCI DSS requirements and assessment types apply to your business.

Transaction Volume

Determines your merchant level (1 through 4). Level 1 merchants require a full QSA assessment. Level 4 merchants can self-assess. The level sets the baseline cost range.

Payment Method

Determines your SAQ type (A through D). This is the single biggest cost variable. SAQ A (22 controls) costs 90% less than SAQ D (251 controls). Your payment integration directly determines which SAQ applies.

Security Posture

Adjusts remediation cost estimates. Organisations with existing firewalls, MFA, patching, and training face lower remediation costs than those starting from scratch. This typically reduces Year 1 costs by 30 to 50 percent.

Assessment Approach

Determines the assessment component cost. DIY ($50 to $500), consultant-assisted ($1,000 to $20,000), compliance platform ($10,000 to $25,000), or full QSA ($25,000 to $200,000). The right choice depends on your level and SAQ type.

Quick Reference: Cost by Merchant Level

If you want a quick estimate without using the calculator, here are the typical annual compliance costs by merchant level. These assume average security posture and consultant-assisted or platform-based assessment for Levels 1 through 3.

Level 4

$1,000 - $10,000

/year ongoing

Fewer than 20,000 e-commerce or 1 million total transactions/year

Level 3

$5,000 - $25,000

/year ongoing

20,000 to 1 million e-commerce transactions/year

Level 2

$30,000 - $150,000

/year ongoing

1 million to 6 million transactions/year

Level 1

$50,000 - $500,000+

/year ongoing

Over 6 million transactions/year

Frequently Asked Questions

How accurate is this PCI compliance cost calculator?

This calculator provides estimated cost ranges based on your merchant level, SAQ type, assessment approach, and current security posture. The ranges are compiled from QSA firm guidance, vendor pricing data, and industry surveys as of 2026. Actual costs depend on your specific environment complexity, remediation needs, vendor selection, and geographic location. Use the estimates for budget planning and executive presentations.

What factors affect PCI compliance cost the most?

The three biggest cost factors are: (1) Your SAQ type, which is determined by how you accept payments. SAQ A (22 controls) costs 90% less than SAQ D (251 controls). (2) Your merchant level, which determines whether you need a self-assessment or full QSA audit. (3) Your current security posture, which determines remediation costs. Organisations starting from a strong security baseline face minimal remediation.

Why does the calculator show Year 1 and Year 2+ costs separately?

Year 1 costs are always higher because they include initial gap assessment, first-time remediation (often the largest single cost), new security tool deployment, and the first formal assessment. Year 2 and ongoing costs cover renewal assessments, ongoing monitoring, and incremental improvements only. The typical reduction from Year 1 to Year 2+ is 50 to 70 percent.

What is the non-compliance fine exposure shown in the results?

The fine exposure shows the monthly penalties card brands (Visa, Mastercard) can levy against non-compliant merchants through their acquiring bank. These fines start at $5,000 to $10,000 per month and escalate to $50,000 to $100,000 per month. This figure provides context: for most merchants, a single month of non-compliance fines costs more than a full year of compliance.

Cost by Merchant Level Assessment Costs Detailed How to Reduce Costs