PCI Compliance Cost by Merchant Level
PCI DSS classifies merchants into four levels based on annual card transaction volume. Your merchant level determines which assessment type you need, how much it costs, and how long compliance takes. Understanding the differences is the first step to accurate budgeting.
How PCI Merchant Levels Work
The PCI Security Standards Council defines four merchant levels, but the card brands (Visa, Mastercard, American Express, Discover) enforce them through their own compliance programmes. Transaction thresholds differ slightly between brands. Most merchants reference Visa thresholds as the primary standard, but you should verify with your acquiring bank which level applies to your business.
Your merchant level determines three critical things: the type of assessment required (SAQ versus full QSA audit), the frequency and depth of security testing needed, and ultimately how much PCI compliance will cost per year. Level 1 enterprises face full on-site audits costing $50,000 to $500,000 or more annually. Level 4 small merchants can self-assess for as little as $1,000 per year.
An important caveat: any merchant that suffers a data breach can be elevated to Level 1 status by the card brands, regardless of transaction volume. This means the cost difference between compliance and non-compliance is not just about fines. A breach can permanently change your assessment requirements and associated costs.
Level 1 - Enterprise
Over 6 million transactions/year (or any merchant compromised in a breach)
$50,000 - $500,000+/year ongoing
Visa Threshold: Over 6 million Visa transactions per year (all channels)
Mastercard Threshold: Over 6 million Mastercard transactions per year
Assessment Type: Full QSA on-site assessment (ROC) required
- Annual on-site QSA assessment (ROC)
- Quarterly ASV scan
- Annual penetration test (internal and external)
- Attestation of Compliance (AOC)
Cost Breakdown
| Component | Estimated Range |
|---|---|
| QSA on-site assessment (ROC) | $25,000 - $200,000 |
| ASV quarterly scanning | $1,500 - $5,000/year |
| Penetration testing (internal + external) | $15,000 - $50,000 |
| SIEM/continuous monitoring | $5,000 - $100,000/year |
| Security staff/FTE | $80,000 - $200,000/year |
| Policy and governance | $2,000 - $10,000 |
| Remediation and infrastructure | $50,000 - $500,000 |
Year 1 Cost (Initial): $150,000 - $750,000+
Year 2+ Ongoing: $50,000 - $500,000+
First-Time Timeline: 6-12 months
Renewal Timeline: 3-6 months
Typical Merchants: Major retailer, airline, large payment processor, Fortune 500 company
Key Risk: Level 1 requires a Qualified Security Assessor (QSA) by definition, so you cannot self-assess. The QSA assessment alone costs $25,000-$200,000, before any remediation work.
Level 2 - Large Merchant
1 million to 6 million transactions/year
$30,000 - $150,000/year ongoing
Visa Threshold: 1 million to 6 million transactions per year (all channels)
Mastercard Threshold: 1 million to 6 million transactions per year
Assessment Type: SAQ or ROC (acquirer-dependent) + quarterly ASV + annual pen test
- SAQ-D or on-site assessment
- Quarterly ASV scan
- Annual penetration test
- Attestation of Compliance (AOC)
Cost Breakdown
| Component | Estimated Range |
|---|---|
| SAQ-D or QSA assessment | $5,000 - $50,000 |
| ASV quarterly scanning | $1,000 - $3,000/year |
| Annual penetration test | $10,000 - $30,000 |
| Ongoing monitoring/SIEM | $5,000 - $50,000/year |
| Security training (staff-wide) | $1,000 - $5,000/year |
| Policy and procedure updates | $500 - $2,000 |
| Remediation | $10,000 - $100,000 |
Year 1 Cost (Initial): $80,000 - $200,000
Year 2+ Ongoing: $30,000 - $150,000
First-Time Timeline: 12-36 weeks
Renewal Timeline: 4-12 weeks
Typical Merchants: National retail chain, large e-commerce platform, hotel group
Key Risk: Some acquiring banks require Level 2 merchants to undergo a full QSA assessment rather than an SAQ, which can double costs. Confirm requirements with your acquirer before budgeting.
Level 3 - Mid-Size E-Commerce
20,000 to 1 million e-commerce transactions/year
$5,000 - $25,000/year ongoing
Visa Threshold: 20,000 to 1 million e-commerce transactions per year
Mastercard Threshold: 20,000 to 1 million e-commerce transactions per year
Assessment Type: SAQ + quarterly ASV scans + annual pen test recommended
- SAQ completion
- Quarterly ASV scan
- Annual penetration test (recommended)
- Attestation of Compliance (AOC)
Cost Breakdown
| Component | Estimated Range |
|---|---|
| SAQ (consultant-assisted) | $1,000 - $5,000 |
| ASV quarterly scanning | $500 - $2,000/year |
| Annual penetration test | $5,000 - $15,000 |
| Security training | $500 - $2,000/year |
| Policy documentation | $200 - $1,000 |
| Ongoing monitoring tools | $1,000 - $5,000/year |
| Remediation (if needed) | $2,000 - $15,000 |
Year 1 Cost (Initial): $10,000 - $40,000
Year 2+ Ongoing: $5,000 - $25,000
First-Time Timeline: 8-24 weeks
Renewal Timeline: 4-8 weeks
Typical Merchants: Growing e-commerce brand, regional retail chain, mid-size SaaS with payment processing
Key Risk: Level 3 merchants often underestimate the impact of PCI DSS 4.0.1 requirement 6.4.3 (payment page script monitoring), which can add $3,000-$10,000 in new tooling costs.
Level 4 - Small Merchant
Fewer than 20,000 e-commerce transactions/year, or fewer than 1 million total transactions/year
$1,000 - $10,000/year ongoing
Visa Threshold: Under 20,000 e-commerce transactions per year
Mastercard Threshold: Under 1 million total transactions per year
Assessment Type: Self-Assessment Questionnaire (SAQ)
- SAQ completion
- Quarterly ASV scan (if applicable)
- Attestation of Compliance (AOC)
Cost Breakdown
| Component | Estimated Range |
|---|---|
| SAQ (self-assessment) | $50 - $500 |
| Consultant-assisted SAQ | $1,000 - $5,000 |
| ASV quarterly scanning | $400 - $1,500/year |
| Security training | $200 - $1,000/year |
| Policy documentation | $100 - $500 |
| Remediation (if needed) | $500 - $5,000 |
Year 1 Cost (Initial): $2,000 - $15,000
Year 2+ Ongoing: $1,000 - $10,000
First-Time Timeline: 2-16 weeks (depends on SAQ type)
Renewal Timeline: 1-4 weeks
Typical Merchants: Local restaurant, small e-commerce shop, independent retailer
Key Risk: Most Level 4 merchants are non-compliant without realising it. The processor PCI fee on your statement does not make you compliant.
Side-by-Side Comparison
| Metric | Level 4 | Level 3 | Level 2 | Level 1 |
|---|---|---|---|---|
| Annual Cost | $1,000 - $10,000 | $5,000 - $25,000 | $30,000 - $150,000 | $50,000 - $500,000+ |
| Year 1 Cost | $2,000 - $15,000 | $10,000 - $40,000 | $80,000 - $200,000 | $150,000 - $750,000+ |
| Assessment | Self-Assessment Questionnaire | SAQ | SAQ or ROC | Full QSA on-site assessment |
| First-Time Timeline | 2-16 weeks (depends on SAQ type) | 8-24 weeks | 12-36 weeks | 6-12 months |
| Renewal Timeline | 1-4 weeks | 4-8 weeks | 4-12 weeks | 3-6 months |