Updated April 2026

How Much Does PCI Compliance Cost in 2026?

Independent cost data for PCI DSS 4.0.1 compliance, from Level 4 small merchants to Level 1 enterprises. No vendor bias. Real numbers you can use for budget planning.

PCI DSS 4.0.1 fully enforced
51 new requirements active since March 2025
Non-compliance fines: $5K - $100K/month

Calculate Your PCI Compliance Cost

Answer four questions to get a personalised cost estimate. This calculator covers assessment fees, scanning, penetration testing, remediation, monitoring, and training. No email required.


What Is Included in PCI Compliance Costs

PCI compliance involves several distinct cost components. Not every merchant needs all of these, but understanding each one helps you budget accurately and avoid surprises.

Self-Assessment Questionnaire (SAQ): $50 - $20,000
Self-assessment form for Level 2-4 merchants. Cost depends on SAQ type (A through D) and whether you use a consultant.

QSA Assessment / Report on Compliance (ROC): $25,000 - $200,000
Full on-site assessment by a Qualified Security Assessor. Required for Level 1 merchants and some Level 2 merchants.

ASV Quarterly Vulnerability Scanning: $400 - $2,000/year
External vulnerability scans by an Approved Scanning Vendor. Required for all merchants with internet-facing systems.

Annual Penetration Testing: $5,000 - $50,000
Internal and external network penetration testing per PCI DSS Requirement 11.4. Cost depends on scope and environment complexity.

Remediation (Hardware, Software, Config): $10,000 - $500,000
Fixing gaps identified in assessments: firewall config, encryption, access controls, network segmentation, WAF deployment.

Security Awareness Training: $500 - $5,000/year
PCI DSS Requirement 12.6 mandates security awareness training for all staff with access to the cardholder data environment.

Policy Documentation: $100 - $1,100
Written security policies covering all 12 PCI DSS requirement areas. Can be created in-house or purchased as templates.

Ongoing Monitoring / SIEM: $5,000 - $100,000/year
PCI DSS Requirement 10 requires logging and monitoring of all access to cardholder data. SIEM solutions provide centralised log management.

Gap Assessment (Optional, Year 1): $3,000 - $8,000
Pre-assessment to identify compliance gaps before the formal audit. Recommended for first-time compliance to reduce remediation surprises.

For a detailed breakdown of each component, see the assessment and audit costs page. SIEM and monitoring costs are covered in detail at siemcostcalculator.com.

PCI DSS 4.0.1: What Changed and What It Costs

PCI DSS 4.0.1 is the current active version. 51 future-dated requirements became mandatory on 31 March 2025. These changes have direct cost implications for most merchants.

Universal MFA for CDE Access (High Impact)

Multi-factor authentication is now required for all access to the cardholder data environment, not just remote access. This affects every employee and system account that touches card data. Implementation cost: $2,000 to $20,000 depending on existing infrastructure.

Payment Page Script Monitoring (6.4.3) (High Impact)

All scripts loaded on payment pages must be inventoried, authorised, and verified for integrity. This targets Magecart-style skimming attacks. New tooling typically costs $3,000 to $10,000 per year for e-commerce merchants.
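The inventory-and-integrity control behind 6.4.3 is easy to see in code. The following is an added example, not code from the page or from any vendor: it parses a payment page, lists every script element, and checks each one against an authorised inventory (external scripts by URL and approved Subresource Integrity value, inline scripts by SHA-256 digest of their body). The page HTML, the URLs and the inventory values are all constructed for illustration; the "sha384-CONSTRUCTED..." strings are placeholders standing in for real approved digests, not hashes of real files.

```python
"""Payment-page script inventory and integrity check (added example).

Illustrates the three things PCI DSS 4.0.1 requirement 6.4.3 asks for:
an inventory of scripts, an authorisation record for each, and a way to
confirm integrity. All sample data below is constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource-Integrity style digest: 'sha256-' + base64(SHA-256(body))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects every <script> element on the page.

    External scripts are recorded by src plus their integrity attribute;
    inline scripts are recorded by their body text.
    """

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html, authorised_external, authorised_inline_hashes):
    """Return a list of (finding, detail) tuples, empty when the page matches the inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            approved = authorised_external.get(s["src"])
            if approved is None:
                findings.append(("UNAUTHORISED_SCRIPT", s["src"]))        # not in inventory
            elif s["integrity"] is None:
                findings.append(("MISSING_INTEGRITY", s["src"]))          # no SRI attribute
            elif s["integrity"] != approved:
                findings.append(("INTEGRITY_MISMATCH", s["src"]))         # SRI value changed
        else:
            digest = sri_hash(s["body"].strip().encode())
            if digest not in authorised_inline_hashes:
                findings.append(("UNAUTHORISED_INLINE", digest))          # inline body changed
    return findings


# Constructed authorised inventory (hypothetical URLs and placeholder digests).
AUTHORISED_EXTERNAL = {
    "https://js.psp.example/v3/checkout.js": "sha384-CONSTRUCTEDpspHostedFieldsDigest",
    "https://www.merchant.example/static/cart.js": "sha384-CONSTRUCTEDcartDigestApproved",
}
APPROVED_INLINE = b"window.checkoutConfig = {currency: 'GBP'};"
AUTHORISED_INLINE_HASHES = {sri_hash(APPROVED_INLINE)}

# Constructed payment page: one tampered SRI value, one script that was never
# authorised, and one inline script whose body differs from the approved one.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Checkout</title>
<script src="https://js.psp.example/v3/checkout.js"
        integrity="sha384-CONSTRUCTEDpspHostedFieldsDigest" crossorigin="anonymous"></script>
<script src="https://www.merchant.example/static/cart.js"
        integrity="sha384-CONSTRUCTEDcartDigestTampered" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {currency: 'GBP'};</script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script>window.checkoutConfig = {currency: 'GBP', debug: true};</script>
</head><body><form id="card-form"></form></body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_payment_page(SAMPLE_PAGE, AUTHORISED_EXTERNAL, AUTHORISED_INLINE_HASHES):
        print(f"{kind}: {detail}")
```

Run against the constructed page this reports the tampered cart.js integrity value, the unauthorised analytics tag and the modified inline script, and reports nothing for the two approved entries. In practice the inventory would live in a reviewed file with a justification per entry, and the check would run on a schedule against the live page so that an unexpected change raises an alert.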

12-Character Minimum Passwords (Medium Impact)

Minimum password length increased from 7 to 12 characters for all accounts with access to the CDE. Requires updates to password policies, system configurations, and user training. Typically $500 to $2,000 in implementation effort.

Targeted Risk Analysis Option (Medium Impact)

PCI DSS 4.0.1 allows organisations to define their own frequency for certain controls through targeted risk analysis, replacing the fixed schedule approach. This adds flexibility but requires documented risk assessment processes.

For a full breakdown of all 12 requirements and their implementation costs, see the PCI DSS 4.0.1 requirements page.

Non-Compliance Costs Far More Than Compliance

The financial case for PCI compliance is straightforward. The cost of non-compliance, even before a breach occurs, typically exceeds the cost of maintaining compliance within months.

Annual Compliance Cost

Level 4: $1,000 - $10,000
Level 3: $5,000 - $25,000
Level 2: $30,000 - $150,000
Level 1: $50,000 - $500,000+

Non-Compliance Exposure

Monthly fines (months 1-3): $5,000 - $10,000
Monthly fines (months 7+): $50,000 - $100,000
Post-breach fines: $500K - $5M+
Breach liability per record: $50 - $90

Level 4 compliance costs $1,000 to $10,000 per year. One month of non-compliance fines can reach $5,000 to $10,000. The financial case is clear. See the full penalties and fines breakdown for real breach case studies including Target ($292M), Home Depot ($179M), and Heartland ($200M+).

Frequently Asked Questions

How much does PCI compliance cost for a small business?
Level 4 small merchants typically spend $1,000 to $10,000 per year on PCI compliance. This covers a self-assessment questionnaire ($50 to $500), quarterly ASV scans ($400 to $1,500 per year), and basic security training. Note that the processor PCI fee on your statement (typically $10 to $30 per month) does not make you compliant on its own.
What are the fines for PCI non-compliance?
Non-compliance fines start at $5,000 to $10,000 per month and escalate to $50,000 to $100,000 per month for continued violations. After a data breach, non-compliant merchants face one-time fines of $500,000 to $5,000,000 or more, plus card replacement costs, forensic investigation fees, and potential lawsuits.
What are the 12 requirements of PCI DSS?
The 12 PCI DSS requirements cover: network security controls, secure configurations, stored data protection, encryption during transmission, malware protection, secure software development, access restriction, user authentication, physical access controls, logging and monitoring, security testing, and organisational security policies. PCI DSS 4.0.1 is the current version with 51 new requirements effective since March 2025.
Is PCI compliance required by law?
PCI DSS is not a federal law. It is a contractual requirement enforced by card brands (Visa, Mastercard, American Express, Discover) through acquiring banks. However, several US states including Minnesota, Nevada, and Washington have incorporated PCI DSS into data breach liability laws, making non-compliance a legal liability in those jurisdictions.
What is the PCI compliance fee on my credit card statement?
The PCI compliance fee ($10 to $125 per month) is charged by your payment processor to cover their compliance programme, including SAQ tools and basic scanning access. This is separate from your actual PCI compliance costs. Completing your annual SAQ through the processor portal typically removes any non-compliance surcharge.
How long does it take to become PCI compliant?
Timeline depends on your merchant level and current security posture. Level 4 with SAQ A: 2 to 4 weeks. Level 4 with SAQ D: 8 to 16 weeks. Level 2 or 3: 12 to 36 weeks. Level 1 (first time): 6 to 12 months. Level 1 renewal: 3 to 6 months.
Can I do PCI compliance myself or do I need a consultant?
DIY compliance is feasible for Level 4 merchants completing SAQ A ($50 to $500). SAQ D and higher complexity assessments typically benefit from a consultant ($3,000 to $15,000). Level 1 merchants must use a Qualified Security Assessor (QSA) by definition, costing $25,000 to $200,000 per year.
How does tokenisation reduce PCI compliance costs?
Tokenisation replaces card numbers with non-sensitive tokens, removing card data from your systems. This can reduce your SAQ type from D (251 controls) to A (22 controls), cutting compliance effort by 80 to 90 percent. Providers like Stripe and Braintree include tokenisation at no extra cost.