PCI DSS Assessment and Audit Costs
PCI compliance costs break down into several distinct assessment components. Understanding each one helps you budget accurately and avoid paying for services you do not need. This page covers every assessment type with real 2026 pricing data from multiple sources.
Assessment Types Overview
| Assessment Type | Who Needs It | Typical Cost | Frequency |
|---|---|---|---|
| Self-Assessment Questionnaire (SAQ) | Self-assessment form for Level 2-4 merchants. | $50 - $20,000 | Annual |
| QSA Assessment / Report on Compliance (ROC) | Full on-site assessment by a Qualified Security Assessor. | $25,000 - $200,000 | Annual |
| ASV Quarterly Vulnerability Scanning | External vulnerability scans by an Approved Scanning Vendor. | $400 - $2,000/year | Quarterly |
| Annual Penetration Testing | Internal and external network penetration testing per PCI DSS Requirement 11. | $5,000 - $50,000 | Annual |
| Remediation (Hardware, Software, Config) | Fixing gaps identified in assessments: firewall config, encryption, access controls, network segmentation, WAF deployment. | $10,000 - $500,000 | Year 1 (primarily) |
| Security Awareness Training | PCI DSS Requirement 12. | $500 - $5,000/year | Annual |
| Policy Documentation | Written security policies covering all 12 PCI DSS requirement areas. | $100 - $1,100 | Year 1 + annual review |
| Ongoing Monitoring / SIEM | PCI DSS Requirement 10 requires logging and monitoring of all access to cardholder data. | $5,000 - $100,000/year | Ongoing |
| Gap Assessment (Optional, Year 1) | Pre-assessment to identify compliance gaps before the formal audit. | $3,000 - $8,000 | One-time |
QSA On-Site Assessment (Report on Compliance)
A Qualified Security Assessor (QSA) assessment is the most comprehensive and expensive PCI compliance evaluation. It is required for all Level 1 merchants and for some Level 2 merchants (depending on acquirer requirements). The QSA conducts an on-site audit of your cardholder data environment, reviews documentation, tests controls, and produces a Report on Compliance (ROC).
The assessment typically takes 2 to 6 weeks of active work, spread across 2 to 4 months including evidence gathering, on-site visits, and report drafting. The QSA will evaluate all 12 PCI DSS requirements, interview staff, test technical controls, review policies, and verify that compensating controls are properly documented.
- Cost range: $25,000 - $200,000+
- Remote vs on-site savings: 20 - 40%
- Renewal vs first-time: 30 - 50% lower
Cost drivers include scope size (number of systems in the CDE), number of physical locations, complexity of network architecture, the QSA firm's tier and reputation, and whether the assessment is conducted on-site or remotely. Remote assessments, increasingly common since 2020, can save 20 to 40 percent on travel and logistics costs.
Finding a QSA: The PCI SSC maintains a list of Qualified Security Assessor companies on their website. There are approximately 400 QSA companies worldwide. When evaluating proposals, look for experience in your industry, clear scope definitions, fixed-fee pricing (avoid open-ended hourly engagements), and references from similar-sized organisations.
Red Flags in QSA Proposals
- Vague scope definitions that could expand during the engagement
- Hourly billing with no cap or estimate range
- No mention of remediation consultation or gap analysis
- Unusually low pricing that may indicate inexperience or superficial assessment
Self-Assessment Questionnaire (SAQ)
The SAQ is the primary assessment mechanism for Level 2 through Level 4 merchants. There are nine SAQ types, each designed for a specific payment acceptance environment. The SAQ type you need depends on how you accept card payments, and it dramatically affects your compliance cost.
You can complete an SAQ yourself (DIY) for $50 to $500, or hire a consultant to assist with the process for $1,000 to $20,000 depending on the SAQ type complexity. The consultant reviews your environment, helps gather evidence, identifies gaps, and guides remediation before you submit the completed SAQ.
| SAQ Type | Controls | Who It Is For | Typical Cost | Effort |
|---|---|---|---|---|
| SAQ A | 22 | Fully outsourced e-commerce (redirect or iframe) | $50 - $500 | 1-2 days |
| SAQ A-EP | 139 | E-commerce with website elements affecting payment security | $2,000 - $10,000 | 2-4 weeks |
| SAQ B | 38 | Imprint machines or standalone dial-out terminals | $200 - $1,000 | 2-5 days |
| SAQ B-IP | 80 | IP-connected standalone payment terminals | $500 - $3,000 | 1-2 weeks |
| SAQ C | 124 | Payment application systems connected to the internet | $1,000 - $5,000 | 2-4 weeks |
| SAQ C-VT | 79 | Virtual terminal (web-based, one transaction at a time) | $500 - $2,000 | 1-2 weeks |
| SAQ D (Merchant) | 251 | All other merchants not qualifying for SAQ A through C-VT | $5,000 - $20,000 | 4-16 weeks |
| SAQ D (Service Provider) | 269 | Service providers eligible to complete an SAQ | $10,000 - $50,000 | 8-24 weeks |
| SAQ P2PE | 33 | Merchants using a validated P2PE solution | $200 - $1,000 | 2-5 days |
Not sure which SAQ type you need? Use the interactive SAQ type finder to identify your questionnaire based on how you accept payments.
ASV Quarterly Vulnerability Scanning
Approved Scanning Vendor (ASV) scans are quarterly external vulnerability assessments required for all merchants with internet-facing systems. The ASV scans your public IP addresses and websites for known vulnerabilities, misconfigurations, and compliance issues. A passing scan is required for PCI DSS compliance.
Scans must be performed at least once every 90 days. If a scan fails, you must remediate the identified vulnerabilities and rescan until you achieve a passing result. Failed scans that are not resolved before the quarterly deadline count as a compliance gap.
- Per-quarter cost: $100 - $500
- Annual cost: $400 - $2,000
- Per-IP pricing: $100 - $200/year
Named ASV providers include SecurityMetrics, Qualys, Rapid7, and Tenable. Most offer both per-scan and unlimited annual plans. For small merchants with a few IP addresses, per-scan pricing is most cost-effective. For organisations with many public-facing systems, an unlimited plan at $500 to $2,000 per year offers better value.
PCI DSS 4.0.1 also requires internal vulnerability scanning (Requirement 11.3.1), which must now be performed using authenticated scanning. Internal scanning can be done with commercial tools or managed services and is not required to use an ASV, but the scans must be documented and findings remediated.
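The 90-day cadence above is easy to state and easy to miss in practice, because a failed scan does not reset the clock: only a passing scan does. The following script is an added example (not from the original page or from any ASV vendor) that checks a constructed log of quarterly scan results against that rule: it reports gaps of more than 90 days between passing scans, failures that were never followed by a passing rescan, and the date the next scan is due. The `ScanRecord` type and the sample dates are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# PCI DSS ASV cadence: an external scan must pass at least once every 90 days.
MAX_GAP_DAYS = 90


@dataclass(frozen=True)
class ScanRecord:
    """One ASV scan attempt (hypothetical record type for this example)."""
    scan_date: date
    passed: bool


def passing_scan_gaps(records, as_of):
    """Return human-readable findings for every interval longer than 90 days
    between consecutive passing scans, and for a stale last passing scan."""
    passing = sorted(r.scan_date for r in records if r.passed)
    if not passing:
        return ["no passing ASV scan on record"]
    findings = []
    prev = passing[0]
    for cur in passing[1:]:
        gap = (cur - prev).days
        if gap > MAX_GAP_DAYS:
            findings.append(f"{gap}-day gap between passing scans {prev} and {cur}")
        prev = cur
    age = (as_of - prev).days
    if age > MAX_GAP_DAYS:
        findings.append(f"last passing scan {prev} is {age} days old as of {as_of}")
    return findings


def unresolved_failures(records):
    """Failed scans that were never followed by a passing rescan."""
    ordered = sorted(records, key=lambda r: r.scan_date)
    unresolved = []
    for i, rec in enumerate(ordered):
        if rec.passed:
            continue
        if not any(later.passed for later in ordered[i + 1:]):
            unresolved.append(rec.scan_date)
    return unresolved


def next_scan_due(records):
    """Latest date by which the next passing scan must be completed,
    or None if no scan has ever passed."""
    passing = [r.scan_date for r in records if r.passed]
    if not passing:
        return None
    return max(passing) + timedelta(days=MAX_GAP_DAYS)


# Constructed sample log: two clean quarters, a failure that was rescanned
# in time, then a failure left unresolved while the clock ran past 90 days.
SAMPLE_SCANS = [
    ScanRecord(date(2026, 1, 10), True),
    ScanRecord(date(2026, 4, 5), True),    # 85 days after the previous pass
    ScanRecord(date(2026, 6, 20), False),  # failed, but rescanned below
    ScanRecord(date(2026, 7, 1), True),    # 87 days after the previous pass
    ScanRecord(date(2026, 9, 15), False),  # failed and never rescanned
]

if __name__ == "__main__":
    today = date(2026, 10, 15)
    for line in passing_scan_gaps(SAMPLE_SCANS, today):
        print("GAP:", line)
    for d in unresolved_failures(SAMPLE_SCANS):
        print("UNRESOLVED FAILURE:", d)
    print("Next passing scan due by:", next_scan_due(SAMPLE_SCANS))
```

Run against the sample, the script flags the unresolved 15 September failure and reports that the last passing scan (1 July) was 106 days old on 15 October, with the next scan having been due by 29 September. Feeding it the scan dates exported from your ASV portal gives a quick pre-audit check that the quarterly evidence is actually continuous.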
Penetration Testing
PCI DSS Requirement 11.4 mandates annual penetration testing of both internal and external network boundaries. Penetration testing goes beyond vulnerability scanning by actively attempting to exploit identified weaknesses, simulating real-world attack scenarios against your cardholder data environment.
- External pen test: $5,000 - $30,000
- Internal pen test: $5,000 - $25,000
- Segmentation test: $3,000 - $15,000
If you use network segmentation to reduce PCI scope (a common cost-reduction strategy), you must also perform segmentation penetration testing at least every six months to validate that the segmentation controls are effective. This is separate from and in addition to the annual penetration test.
Penetration tests must also be repeated after any significant infrastructure or application changes. PCI DSS 4.0.1 requires that the penetration testing methodology cover the entire CDE perimeter, all critical systems, and both network-layer and application-layer testing.
For comprehensive penetration testing pricing data, see penetrationtestingcost.com.
Gap Assessment
A gap assessment is an optional but highly recommended pre-audit evaluation for first-time PCI compliance efforts. A consultant or QSA reviews your current security posture against PCI DSS requirements and produces a detailed report of gaps that need to be addressed before the formal assessment.
- Gap assessment cost: $3,000 - $8,000
- Typical duration: 1 - 2 weeks
Gap assessments save money in the long term by identifying remediation needs early. Without one, organisations often discover critical gaps during the formal audit, leading to delayed compliance, additional remediation costs, and potentially a second round of paid QSA assessment time. The $3,000 to $8,000 investment typically pays for itself many times over.
Remediation Costs
Remediation is the wild card in PCI compliance budgeting. It covers all the fixes, upgrades, and changes needed to bring your environment into compliance. For organisations starting from a strong security baseline, remediation may be minimal. For those with significant gaps, it can be the largest single cost component at $10,000 to $500,000 or more.
| Remediation Item | Estimated Range |
|---|---|
| Firewall upgrade/configuration | $2,000 - $15,000 |
| MFA deployment | $2,000 - $20,000 |
| Encryption implementation | $5,000 - $50,000 |
| Network segmentation | $10,000 - $100,000 |
| WAF deployment | $3,000 - $30,000/year |
| SIEM implementation | $5,000 - $100,000/year |
SIEM implementation costs are covered in detail at siemcostcalculator.com. For network segmentation testing costs, see penetrationtestingcost.com.