PCI DSS compliance ranges from near zero to $90,000+/year depending on your merchant level and, just as importantly, on which Self-Assessment Questionnaire (SAQ) your payment setup qualifies for. Here is what each level costs, what non-compliance actually triggers, and how to minimize your scope and spend.
The card brands (Visa, Mastercard, American Express, Discover and JCB), not the PCI Security Standards Council, define four merchant levels based on annual card transaction volume; the PCI SSC publishes the standard and the questionnaires. Your level determines which validation requirements apply and how much compliance costs.
| Level | Annual Transactions | Validation Required |
|---|---|---|
| Level 1 | Over 6 million | Annual on-site assessment (Report on Compliance) by a QSA, or by an internal assessor where the brand permits + quarterly network scan by ASV |
| Level 2 | 1-6 million | Annual SAQ + quarterly ASV scan |
| Level 3 | 20,000-1 million (e-commerce) | Annual SAQ + quarterly ASV scan |
| Level 4 | Under 20,000 (e-commerce) or under 1 million (card-present) | Annual SAQ recommended; ASV scan if applicable |
The detail most guides skip: merchant levels are defined per card brand, and each brand counts only its own transactions, so your Visa level and your Mastercard level can differ. The thresholds are closely aligned (Visa and Mastercard both define Level 1 as over 6 million transactions and Level 3 as 20,000 to 1 million e-commerce transactions), but a merchant near a boundary can land in different levels for different brands, Mastercard assigns Level 2 to any merchant that meets Visa's Level 2 criteria, and any brand can move a merchant that has suffered a data compromise up to Level 1 at its discretion. Your acquirer typically applies the stricter classification.
| Cost Component | Level 4 | Level 3 | Level 2 | Level 1 |
|---|---|---|---|---|
| SAQ completion | $0-$50/yr | $0-$200/yr | $200-$500/yr | N/A (QSA audit) |
| QSA on-site audit | Not required | Not required | Not required | $15,000-$50,000/yr |
| ASV vulnerability scan | $0-$200/yr | $100-$300/yr | $100-$300/yr | $100-$300/yr |
| Penetration testing | Not required | Not required | Recommended | $5,000-$30,000/yr |
| Internal security training | Minimal | $0-$500 | $500-$2,000 | $2,000-$10,000 |
| Typical total | $0-$250/yr | $200-$1,000/yr | $800-$3,000/yr | $22,000-$90,000+/yr |
Level 4 is where the vast majority of small businesses fall. If you process fewer than 20,000 e-commerce transactions or fewer than 1 million card-present transactions per year, your actual compliance cost should be near zero, especially if you use a hosted checkout or payment terminal that keeps card data off your systems. One caveat on the table above: the scan and penetration-testing rows depend on which SAQ you file, not on your level alone. SAQ D and SAQ A-EP include the penetration-testing requirement (Requirement 11) whatever your transaction volume, so a Level 4 merchant who hosts their own payment form can still owe a penetration test.
There are nine SAQ types (A, A-EP, B, B-IP, C-VT, C, D for merchants, D for service providers, P2PE). The question counts below are from the PCI DSS v3.2.1 questionnaires; v3.2.1 was retired on 31 March 2024 and the v4.x questionnaires are longer, but the relative ordering is the same. SAQ A is 22 questions. SAQ D is 329 questions. A small retailer using a standalone dial-out payment terminal qualifies for SAQ B (41 questions); the same standalone terminal connected over IP is SAQ B-IP (82 questions). An e-commerce merchant using Stripe Checkout or Square Online qualifies for SAQ A (22 questions). A merchant whose own web page collects the card number and posts it directly from the browser to the processor (a self-hosted payment form, sometimes called direct post) is SAQ A-EP (191 questions). A merchant whose server receives the card number at all faces SAQ D, and often needs professional help at $1,000-$5,000 to complete it properly.
Card brand fines for PCI non-compliance: $5,000-$100,000 per month. These fines are imposed by Visa and Mastercard on your acquiring bank, who passes them through to you. In practice, most small businesses never see fines at this level unless a data breach exposes the non-compliance. The more immediate and common penalty is the monthly non-compliance fee on your processing statement.
$15-$40/month in PCI non-compliance fees — billed every month until you complete your SAQ. This is the penalty most small businesses actually experience. It shows up on your processing statement as "PCI Non-Compliance Fee," "PCI Non-Validation Fee," or sometimes just "Regulatory Fee." Over a year, that is $180-$480 — for a form that takes 15-20 minutes to fill out. Many merchants pay this fee for years without noticing it buried among other line items on their statement. Use our statement decoder to identify these charges.
Traditional processors have a financial incentive to make SAQ completion confusing. The non-compliance fee is pure profit — they collect it every month you delay. Some processors bundle the SAQ into a "PCI compliance program" costing $100-$200/year that merely provides the form you could complete for free through the PCI SSC website.
Average data breach cost for a small business: $120,000-$200,000 (Verizon Data Breach Investigations Report). This includes forensic investigation ($20,000-$50,000 for a PFI — PCI Forensic Investigator), card reissuance costs passed through by card brands ($3-$10 per compromised card), regulatory fines, notification costs, and legal fees. Being PCI non-compliant at the time of a breach eliminates most defenses and dramatically increases liability.
A frequently cited figure holds that 60% of small businesses that experience a data breach close within 6 months; the exact number is disputed, but the mechanism is not. The breach itself is survivable. It is the cascade of costs (forensic investigation, fines, lost customer trust, increased processing rates, potential lawsuits) that becomes terminal. For a business processing $30,000/month, the $0-$250/year cost of Level 4 PCI compliance is insurance against a potentially business-ending event.
PCI scope means the systems, networks, and processes that touch cardholder data. Smaller scope = simpler SAQ = lower cost. Three approaches eliminate most of your scope.
Replace card numbers with tokens before they reach your system. When a customer enters their card on Stripe Elements or Square's Web Payments SDK, the card fields are rendered in iframes served from the processor's domain, so the card number goes directly to the processor's servers and your server only receives a token. You never store, process, or transmit actual card data. This qualifies you for SAQ A, the simplest questionnaire, on one condition: your own JavaScript must never read the card number. If your page collects the number itself and posts it to the processor, you move to SAQ A-EP. PCI DSS v4.x also expects you to protect the page that embeds those fields against injected scripts (Requirements 6.4.3 and 11.6.1 cover payment-page script inventory and tamper detection), because a script injected into your checkout page can overlay or replace the processor's fields with its own. Tokenization is free with most modern processors and is the single most effective scope-reduction technique.
Redirect customers to the processor's checkout page. Stripe Checkout, PayPal Hosted Buttons, and Square Online Checkout all work this way — the customer leaves your site, enters payment details on the processor's domain, and returns after payment. Your site never handles card data at all. This is the zero-effort path to SAQ A compliance. The trade-off is less control over checkout design, but for most small businesses that trade-off is worth eliminating PCI complexity entirely.
For card-present businesses, a PCI-validated P2PE solution encrypts card data inside the terminal at the point of interaction. The encrypted data passes through your network but cannot be decrypted by your systems; only the processor's decryption environment can decrypt it. This qualifies you for SAQ P2PE (33 questions, very straightforward). Validation covers the whole solution (terminal, key management and the decryption environment), not the terminal alone. Most modern terminals from Verifone, Ingenico, and PAX can be part of a P2PE solution when used with a compatible processor, so ask your processor specifically whether your terminal and their service together appear on the PCI SSC's validated P2PE solutions list. Many terminals encrypt card data but are not part of a PCI-validated P2PE solution, which is a different (and less scope-reducing) category.
Practical takeaway: If you accept cards online, use tokenization or hosted checkout and file SAQ A. If you accept cards in person, use a validated P2PE solution and file SAQ P2PE, or a standalone IP-connected terminal and file SAQ B-IP. Either path keeps your annual PCI compliance cost under $200; SAQ A and SAQ P2PE also keep the questionnaire under 40 questions (SAQ B-IP is longer, 82 questions in v3.2.1). See our savings calculator to find processors that include these features at no extra cost.
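All three scope-reduction approaches above rest on one claim: cleartext card numbers never land on your systems. The check a practitioner wants is evidence of that, because a misconfigured form, a debug logger or a support export can quietly put a primary account number (PAN) into your logs or database and pull the whole system into scope. The following is an added example (not code from this page, from Stripe, Square or the PCI SSC) that scans constructed log and database-dump lines for PAN-like strings, filters candidates with the Luhn check and brand IIN prefixes to cut false positives, and reports hits masked to first six and last four digits. The sample lines are constructed; the card numbers are Stripe's published test numbers, not real accounts. The regex and the brand prefix ranges are the author's assumptions, not anything the standard prescribes.

```python
import re
from typing import List, Optional, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not butted up against other digits. Assumption: a practical pattern,
# not a PCI SSC specification.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes, about 1 in 10 random strings does too."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits: str) -> Optional[str]:
    """Map a digit string to a card brand by IIN prefix and length, or None.
    Ranges are the commonly published ones (assumption: not exhaustive)."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "mastercard"
    if n == 15 and two in (34, 37):
        return "amex"
    if 16 <= n <= 19 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "discover"
    return None


def mask(pan: str) -> str:
    """First six and last four visible, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (brand, pan) for every Luhn-valid, brand-matching candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            b = brand(digits)
            if b:
                hits.append((b, digits))
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, brand, masked PAN) for each PAN found; an empty list means clean."""
    return [(n, b, mask(pan))
            for n, line in enumerate(lines, 1)
            for b, pan in find_pans(line)]


# Constructed sample: what a merchant server's log and a DB dump might contain.
# Card numbers are Stripe's published test numbers, not real accounts.
SAMPLE_LINES = [
    '2024-05-01 12:00:01 POST /api/charge token=tok_1PExample last4=4242',
    '2024-05-01 12:00:02 DEBUG body={"number":"4242 4242 4242 4242","exp":"12/26"}',
    '2024-05-01 12:00:03 INFO order 1234567890123456 shipped',
    '2024-05-01 12:00:04 DEBUG pan=378282246310005 cvv=123',
    "INSERT INTO orders VALUES (1001, '5555-5555-5555-4444', 'paid');",
    '2024-05-01 12:00:06 INFO pm=pm_1PExampleXYZ customer=cus_ABC123',
]

if __name__ == "__main__":
    for n, b, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {b} PAN {masked} - this system is in PCI scope")
```

Run it over real application logs, database exports and support-ticket dumps rather than the sample; tokens such as `tok_...` and `pm_...` pass clean, the 16-digit order number on line 3 is rejected by Luhn, and lines 2, 4 and 5 are the kind of finding that turns an SAQ A merchant into an SAQ D merchant. A hit means the data must be purged and the leak fixed before you can honestly answer SAQ A's eligibility questions.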
This is one of the least-discussed cost differences between processors. Some include PCI compliance as part of their standard service. Others charge $5-$15/month on top of processing fees — adding $60-$180/year that many merchants do not factor into their total cost comparison.
When comparing processors, add the annual PCI fee to the processing cost. A traditional processor quoting 0.25% + $0.08 interchange-plus but charging $10/month for PCI compliance adds $120/year to your effective cost — which narrows the gap against flat-rate processors that include PCI for free.
If you use a hosted checkout (Stripe Checkout, Square, PayPal buttons), your SAQ is SAQ A — 22 yes/no questions that take 15 minutes. The form is available free from the PCI Security Standards Council website or through your processor's compliance portal. Yet a cottage industry of "PCI compliance programs" charges $100-$200/year to provide that same form with a slightly nicer interface and a certificate PDF.
Here is the math that makes the PCI compliance fee profitable for processors: a processor with 50,000 Level 4 merchants charging $10/month in PCI non-compliance fees collects $6 million/year from merchants who have not filled out a 15-minute form. Even after 30% complete their SAQ (switching to a $5-$8/month "PCI compliance" fee instead), the remaining 35,000 non-compliant merchants generate $4.2 million/year. There is no incentive to make the process easier.
What to do: Log into your processor's PCI compliance portal (the URL is usually on your monthly statement). Complete SAQ A if you use hosted checkout, SAQ B if you use a standalone terminal, or SAQ B-IP if your terminal connects via IP. This eliminates the non-compliance fee immediately. If your processor does not have a portal, call and ask — they are required to provide a compliance path. If they make it unnecessarily difficult, that is a signal to switch to a processor that includes PCI compliance at no extra charge.
Small businesses underestimate breach probability and overestimate compliance cost. The Verizon DBIR consistently shows that small businesses are targeted disproportionately — attackers know they have weaker security. A 2024 Hiscox report found that 43% of cyberattacks target small businesses, and the average cost of a cyber incident for businesses with under $10M revenue was $145,000.
Compare that to the actual cost of compliance: $0-$250/year for Level 4 (which covers the vast majority of small businesses). Even if you assign a conservative 2% annual probability to a breach, the expected loss is $2,400-$4,000/year, ten to twenty times the cost of basic PCI compliance. The often-cited 60% closure rate within six months of a breach makes this an existential risk, not just a financial one.
PCI compliance is not a guarantee against breaches — it is a baseline that reduces attack surface and establishes due diligence. If you are breached while compliant, card brand fines are typically waived or reduced, forensic investigation costs are lower (because your environment is documented), and you have legal defenses that non-compliant merchants lack. The cheapest insurance is a 15-minute SAQ and a processor that handles tokenization.
Calculate your total processing costs — including PCI fees — with our interchange calculator, or see how much you could save by switching processors with the savings calculator.