2026 reference / updated April 2026
How much does PCI compliance actually cost?
PCI DSS compliance runs from about $1,000 a year for a small SAQ A merchant to $500,000+ for a Level 1 enterprise. The number on your invoice depends on merchant level, what card data you handle, and whether a QSA is in the loop. Use the calculator below for a defensible budget figure.
- Level 4 typical year-one: $1k - $5k
- Level 1 first-year ROC: $50k - $500k+
- Card brand fine ceiling: $100k / month
- Avg breach (Level 1-2): $1M - $50M
Cost estimator
The estimator takes six inputs describing your environment: merchant level, current compliance posture, assessment route, SAQ type, number of cardholder environments, and number of staff handling cards. It returns two figures:
- Year-one total: $9k - $41k
- Annual recurring: $5k - $22k
Cost breakdown
| Line item | Range |
|---|---|
| SAQ / consultant | $700 - $3k |
| ASV scanning (annual) | $800 - $3k |
| Penetration testing | $2k - $10k |
| Remediation & gap closure | $3k - $15k |
| Policy & documentation | $500 - $3k |
| Security awareness training | $750 - $3k |
| Tools & technology | $500 - $5k |
If you ignore it: $60k - $1.2M in card brand fines, year one
Estimated timeline: 5-16 weeks to first attestation
Estimates compiled from QSA pricing benchmarks, ASV vendor rate cards, and PCI SSC guidance. Real quotes vary by scope, and QSA fees in particular vary across regions and firms.
At a glance
Annual cost by merchant level
Merchant level is set by your annual transaction count and is the single biggest driver of compliance cost. Visa and Mastercard publish slightly different thresholds, but the bands below cover both.
| Level | Volume threshold | Assessment | Annual cost |
|---|---|---|---|
| Level 1 | Over 6 million transactions per year | Report on Compliance (ROC) by QSA | $50,000 - $500,000 |
| Level 2 | 1-6 million transactions per year | SAQ + quarterly ASV scans (some acquirers require QSA) | $10,000 - $50,000 |
| Level 3 | 20,000-1 million e-commerce transactions per year | SAQ + quarterly ASV scans | $5,000 - $20,000 |
| Level 4 | Fewer than 20,000 e-commerce or 1 million total transactions | SAQ (type depends on payment acceptance method) | $1,000 - $5,000 |
Where the money goes
Seven cost components
Total PCI cost is the sum of seven line items, in roughly the order you encounter them. Some are one-off (remediation, policy build); the rest recur every year.
Card brand fines: $5k - $100k / month
Levied by Visa and Mastercard, escalated monthly. Passed through your acquirer to the merchant.
Breach exposure: $50k - $5M+
PFI investigation, fraud reimbursement, card replacement, state AG fines, class actions. Heartland: $200M.
Processor fee: $10 - $50 / month
The line item on your merchant statement. Not a card brand fine. Removed when you complete your SAQ.
Sector view
Cost by industry
Same standard, very different costs. A Stripe-based e-commerce shop and a full-service hotel face different SAQ types, scope boundaries, and tooling requirements.
Frequently asked
Annual cost ranges from $1,000 for a small Level 4 SAQ A merchant to $500,000 or more for a Level 1 enterprise running a full QSA assessment. The biggest cost levers are merchant level (transaction volume), assessment route (SAQ vs QSA), how much card data you store, and how much remediation you need to pass.