By industry
The standard is the same across sectors. The cost is not. A Stripe-powered e-commerce store and a chain restaurant face very different scope, SAQ types, and tooling spend. Here is what each industry actually pays.
Updated April 2026
| Industry | Typical level | Common SAQ | Annual cost |
|---|---|---|---|
| Retail (Brick & Mortar) | Level 3-4 | SAQ B-IP, C, or P2PE | $1,000 - $15,000 |
| E-commerce | Level 3-4 | SAQ A or A-EP | $2,000 - $25,000 |
| Restaurant & Hospitality | Level 4 | SAQ B-IP or P2PE | $1,000 - $8,000 |
| Healthcare | Level 4 | SAQ C or D | $5,000 - $50,000 |
| SaaS & Subscription Billing | Level 2-3 | SAQ D (Service Provider) | $10,000 - $50,000 |
| Call Centre | Level 2-4 | SAQ C-VT or D | $5,000 - $30,000 |
Sector
$1,000 - $15,000
per year
Where the money goes
POS terminal security, wifi network segregation, multi-location consistency, seasonal staff training, POS device tampering inspection.
Recommended approach
Implement P2PE terminals to minimise scope. Segment wifi from payment network. Standardise configurations across locations.
Sector
$2,000 - $25,000
per year
Where the money goes
Payment page script security (Req 6.4.3), JavaScript monitoring, third-party code on checkout pages, SAQ A vs A-EP determination.
Recommended approach
Use hosted payment pages (Stripe Checkout, PayPal) for SAQ A. If custom checkout, implement script monitoring and CSP headers.
Sector
$1,000 - $8,000
per year
Where the money goes
Tip adjustment and pre-auth flows, card-present terminals in high-traffic areas, hotel booking systems storing card data, staff turnover.
Recommended approach
Use P2PE terminals for tableside payment. Avoid storing card data for reservations. Train staff on POS device inspection.
Sector
$5,000 - $50,000
per year
Where the money goes
PCI + HIPAA overlap, patient payment portals, legacy systems in clinical environments, network segmentation complexity.
Recommended approach
Bundle PCI with HIPAA compliance programme. Segment payment systems from clinical network. Use tokenization for patient payment portals.
Sector
$10,000 - $50,000
per year
Where the money goes
Recurring card-on-file storage, service provider obligations, multi-tenant environments, API security, higher scope than merchants.
Recommended approach
Tokenize all stored card data via payment gateway. Implement strong API authentication. Consider SOC 2 + PCI combined assessment.
Sector
$5,000 - $30,000
per year
Where the money goes
DTMF masking for phone payments, call recording with card data, agent access controls, clean desk policy, screen capture prevention.
Recommended approach
Implement DTMF masking to descope call recordings. Use virtual terminals with auto-clearing. Deploy agent-level access controls.
Our partner network includes QSAs and ISAs across all merchant levels. Costs vary by scope and QSA fees are quoted independently. We do not endorse a specific firm.
Yes. Every business that accepts, stores, processes, or transmits card data must comply with PCI DSS, regardless of size. The bar is lower for small merchants (typically SAQ A or SAQ B-IP) but it is not zero. A Level 4 SAQ A merchant on Stripe Checkout can complete attestation in under an hour for $300 to $1,000.
Continue reading