Question 1

How much does PCI DSS compliance cost?

Accepted Answer

PCI DSS compliance costs vary significantly by merchant level. Level 4 small merchants typically spend $1,000–$5,000/year for a SAQ and basic scanning. Level 3 merchants spend $5,000–$20,000. Level 2 merchants spend $10,000–$50,000. Level 1 merchants requiring a full QSA assessment can spend $50,000–$500,000+ per year.

Question 2

What are the fines for PCI non-compliance?

Accepted Answer

Card brands (Visa, Mastercard) can fine acquiring banks $5,000–$100,000 per month for merchants that are non-compliant. These fines are typically passed on to the merchant. If a data breach occurs while non-compliant, the merchant can also be held liable for all fraudulent charges and investigation costs.

Question 3

What is the difference between PCI SAQ and QSA assessment?

Accepted Answer

A Self-Assessment Questionnaire (SAQ) is a self-reported validation tool for smaller merchants. A Qualified Security Assessor (QSA) assessment is a formal audit conducted by a PCI-certified third party, required for Level 1 merchants (processing over 6 million transactions/year) and some Level 2 merchants.

Question 4

What is PCI DSS 4.0?

Accepted Answer

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard, released in March 2022. It includes 12 core requirements covering network security, cardholder data protection, vulnerability management, access control, monitoring, and information security policies. Version 3.2.1 was retired in March 2024.

How much does PCI DSS compliance really cost?

Your PCI Profile

Cost Breakdown