PCI DSS compliance costs most small businesses almost nothing if they use a modern hosted processor. It costs Level 1 enterprises $100,000+ per year. The gap between these outcomes is determined by a single question: does your system ever see raw card data?

What PCI DSS requires

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for any business that stores, processes, or transmits credit and debit card data. Version 4.0, released in 2022 with compliance mandatory from March 2025, expanded requirements around multi-factor authentication, encryption in transit, and security culture documentation. The standard is maintained by the PCI Security Standards Council (a body founded by Visa, Mastercard, Amex, Discover, and JCB) and enforced by card networks through your acquiring bank.

There are 12 high-level requirements across 6 control objectives: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The 12 requirements expand to 300+ specific controls at the sub-requirement level in the full SAQ D for service providers.

Merchant levels: the compliance tier system

Level   | Annual Transaction Volume                 | Requirements                                                    | Annual Cost Range
--------|-------------------------------------------|-----------------------------------------------------------------|-------------------
Level 1 | Over 6 million transactions               | Annual on-site QSA audit + quarterly network scans              | $20,000–$100,000+
Level 2 | 1–6 million transactions                  | Annual SAQ + quarterly scans (or QSA at acquirer's discretion)  | $5,000–$20,000
Level 3 | 20,000–1 million e-commerce transactions  | Annual SAQ + quarterly scans                                    | $1,000–$5,000
Level 4 | Under 20,000 e-commerce / up to 1M other  | Annual SAQ (recommended) + quarterly scans (recommended)        | $50–$500

Most small businesses are Level 4. If you use Stripe, Square, Shopify Payments, or similar processors with hosted payment pages (no raw card data enters your systems), your compliance obligation is SAQ A (22 questions) and no required network scans. The "recommended" qualifier for Level 4 scans means your acquirer may not enforce them — though a breach without scans dramatically increases your liability.

SAQ types: choosing the right self-assessment

The SAQ type determines compliance cost and complexity. Using a processor that minimizes your cardholder data environment (CDE) scope is the most impactful compliance cost decision you can make:

SAQ Type                  | Questions | Applies To
--------------------------|-----------|----------------------------------------------------------------------------------
SAQ A                     | 22        | E-commerce/MOTO merchants fully outsourcing card processing (Stripe, Shopify, PayPal)
SAQ A-EP                  | 191       | E-commerce where your server receives card data before redirecting to processor
SAQ B                     | 41        | Physical imprint machines or standalone dial-out terminals, no electronic storage
SAQ B-IP                  | 83        | Standalone IP-connected terminals, no electronic storage
SAQ C                     | 160       | Payment app connected to internet, no cardholder data storage
SAQ C-VT                  | 65        | Virtual terminal accessed via web browser, no cardholder data storage
SAQ P2PE                  | 35        | Merchants using a PCI-validated P2PE solution end-to-end
SAQ D (merchants)         | 329       | All other merchants, including those who store card data
SAQ D (service providers) | 341       | Service providers who store, process, or transmit cardholder data for others

The strategic implication: a business that moves from SAQ D (329 questions) to SAQ A (22 questions) by switching from a custom payment form to Stripe Elements reduces compliance burden by 93%. Tokenization — replacing stored card numbers with processor-held tokens — eliminates SAQ D requirements for stored card data entirely. For most businesses, this is achievable without rebuilding their product.

QSA audits: what they cost and when you need one

A QSA (Qualified Security Assessor) is an independent company certified by the PCI Council to perform on-site PCI assessments. QSAs are required for Level 1 merchants and increasingly required by acquirers for Level 2 merchants with complex environments.

QSA assessment costs break down by scope:

Assessment Type                             | Cost Range            | Duration
--------------------------------------------|-----------------------|------------
QSA assessment (small Level 2)              | $15,000–$30,000       | 4–8 weeks
QSA assessment (mid-market Level 1)         | $30,000–$75,000       | 8–16 weeks
QSA assessment (large enterprise Level 1)   | $75,000–$200,000+     | 3–6 months
QSA gap assessment (pre-audit readiness)    | $5,000–$20,000        | 2–4 weeks
Quarterly ASV network scan (all levels)     | $200–$1,000/quarter   | Automated
Annual penetration test (Level 1 & 2 required) | $5,000–$25,000     | 1–3 weeks

Companies like Coalfire, Trustwave, SecurityMetrics, and Verizon PCI Compliance are major QSA firms. Pricing varies by the complexity of the cardholder data environment (CDE) — a retailer with 50 retail locations, an e-commerce platform, and an internal data warehouse has a vastly more complex CDE than a software company with a single payment integration.

The real cost of non-compliance

PCI non-compliance fees from acquirers typically start at $5,000–$10,000/month and escalate to $100,000/month for persistent non-compliance. These are not fines from Visa or Mastercard directly — they're contractual penalties in your merchant processing agreement that your acquirer passes through from network rules.

Breach liability without compliance: A data breach at a non-compliant merchant triggers forensic investigation costs ($10,000–$100,000), card replacement fees ($3–$10 per compromised card, billed back to you), network fines ($5,000–$500,000 depending on breach scope), and potential civil liability. The 2013 Target breach cost $292 million in settlements; the 2014 Home Depot breach cost $179 million. Both were large-scale examples — but small merchant breaches have driven businesses into bankruptcy from fines alone.

PCI compliance doesn't eliminate breach liability — it mitigates it. A compliant merchant who suffers a breach faces investigation but typically avoids the highest network fines and has a defensible position against civil claims. A non-compliant merchant in the same situation has no defense.

PCI compliance for common business types

E-commerce using Stripe or Shopify Payments

SAQ A applies. 22 questions, all answered "yes" or "N/A." No network scans required at Level 4. Total annual compliance cost: $0–$100 if your acquirer charges a PCI compliance fee (Stripe includes compliance in its standard fees; some traditional acquirers charge $75–$150/year). This is the lowest-friction compliance environment available — if you're on a custom payment form that doesn't use hosted fields, switching to Stripe Elements or Checkout reduces your scope from SAQ A-EP (191 questions) to SAQ A (22 questions) immediately.

Brick-and-mortar using modern POS (Square, Toast, Clover)

If the terminal handles chip/tap reading and never transmits raw card data to your network, SAQ B-IP or SAQ C applies (83–160 questions). Quarterly network scans are recommended but not required for Level 4. Total annual cost: $200–$800 including acquirer PCI fees and voluntary scans. The main compliance obligation is keeping POS software updated and maintaining network segmentation between the payment terminal and your general business network.

Healthcare, legal, and high-trust services storing card-on-file

If you store card numbers internally for recurring billing, SAQ D applies unless you tokenize. True tokenization (replacing the stored PAN with a processor-issued token that has no value if stolen) eliminates the stored-data requirement and can drop you to SAQ C or lower. Most modern payment processors support tokenization for free — if yours doesn't, this is a reason to switch. The compliance cost difference between SAQ D ($5,000–$15,000/year in QSA-assisted completion) and SAQ C ($500–$2,000/year) is larger than the cost of implementing tokenization.

5 steps to reduce PCI compliance costs

  1. Use hosted payment fields (tokenized checkout). Stripe Elements, Braintree Drop-in, and Shopify Payments ensure card data never touches your server. This is the single highest-impact scope reduction available and costs nothing if you're already on these platforms.
  2. Tokenize stored card data. If you store cards for recurring billing, replace stored PANs with processor tokens. Stripe and Braintree provide this natively. The token is useless to an attacker — your data store scope is eliminated.
  3. Segment your payment network. If your payment terminals run on the same network as your general office systems, a breach of any device becomes a breach of your CDE. VLAN segmentation (a $0–$500 network configuration change) limits scope to the payment segment.
  4. Run quarterly ASV scans. Even if not required at your level, quarterly scans identify exploitable vulnerabilities before attackers do. At $200–$400/year for automated scan services, this is the best-value security investment available.
  5. Complete your SAQ annually, not just once. Many Level 4 merchants complete an SAQ at merchant account setup and never revisit it. Systems change, new vulnerabilities emerge, and your compliance posture degrades. Set a calendar reminder for annual SAQ renewal.
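Steps 1 and 2 both come down to one verifiable condition: no raw PAN anywhere in your request logs or data store. The script below is an added example (not code from the page or from any processor) that checks that condition on a data export: it finds 13–19 digit runs, keeps only those that pass the Luhn check (so order numbers and similar are not false positives), and reports which stored records still hold a raw PAN instead of a token. The record layout, the "tok_" token format and the sample data are constructed assumptions.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit strings in `text` that have PAN length and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_records(records: list[dict]) -> list[tuple[str, str]]:
    """Report (record_id, field) pairs whose value contains a raw PAN."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field != "id" and isinstance(value, str) and find_pans(value):
                hits.append((rec["id"], field))
    return hits


def scope_for(records: list[dict]) -> str:
    """Stored-data scope as the page describes it: raw PAN means SAQ D applies."""
    return "SAQ D (raw PAN stored)" if audit_records(records) else "tokenized (no stored PAN)"


# Constructed sample records, not real customer data. 4242 4242 4242 4242 is a
# publicly documented test card number; "tok_..." is an assumed token format.
SAMPLE_RECORDS = [
    {"id": "cust-1", "card": "tok_1Abc_constructed", "note": "monthly plan"},
    {"id": "cust-2", "card": "4242 4242 4242 4242", "note": "legacy import"},
    {"id": "cust-3", "card": "tok_2Def_constructed", "note": "order #1234567890123"},
]

if __name__ == "__main__":
    print(audit_records(SAMPLE_RECORDS), scope_for(SAMPLE_RECORDS))
```

Running `find_pans` over web-server request bodies or logs is the same check for step 1: any hit means your server received card data and you are in SAQ A-EP or SAQ D territory, not SAQ A.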

Processing costs and security costs together: Use our comparison tool to evaluate processors that include PCI compliance support in their fees vs. those that charge separately — a $10/month PCI fee from a traditional acquirer is often equivalent to the compliance support built into Stripe's 2.9%.