
PCI compliance fees: what they actually are and when you're being overcharged

Your processor charges you $10-$75/month for PCI compliance. Visa and Mastercard didn't ask them to. Here's what's fair, what's a scam, and how to fix it.

There’s a line on your merchant statement that says something like “PCI compliance fee” or “PCI annual fee” or just “security fee.” It’s somewhere between $10 and $75 per month, and you’ve been paying it for as long as you can remember. You’ve never questioned it because it sounds important and vaguely regulatory, like something you have to pay.

Here’s what your processor isn’t telling you: Visa and Mastercard don’t charge processors for PCI compliance. The fee on your statement is 100% your processor’s markup. And in many cases, they’re charging you for a service they never actually provide.

What PCI compliance actually is

PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the card networks. If you accept credit cards, you’re required to follow them. The basics: protect card data, use secure systems, don’t store what you don’t need to. There are 12 requirements total, but for most small businesses using a modern terminal or hosted checkout, you’re already meeting them through your hardware and software.

To prove you’re compliant, you complete a Self-Assessment Questionnaire (SAQ) once a year. For a small retail shop with a standard terminal, that’s about 33 questions. For an online store using Stripe or Shopify checkout, it’s roughly 22 questions and takes 5-10 minutes.

That’s it. That’s what PCI compliance is. Your processor charges you a fee to “support” this process, but most processors do nothing beyond sending you a link to fill out the questionnaire yourself.

What a fair PCI fee looks like

A legitimate PCI compliance fee covers SAQ assistance, quarterly vulnerability scans (if you need them), and breach insurance. If your processor actually provides these services, $75-$120 per year is reasonable.

Here’s the problem: many processors charge far more and deliver far less.

Processor   PCI fee                     What you get
Square      $0                          Compliance handled automatically
Stripe      $0                          Compliance handled automatically
PayPal      $8-$10/month                Basic compliance portal
Worldpay    $30/month ($360/year)       SAQ portal access
Elavon      $74.99/month ($900/year)    SAQ portal access

Square and Stripe charge nothing because they handle compliance on their end. Meanwhile, some traditional processors charge $360-$900 per year for access to the same self-service questionnaire you could complete for free through the PCI Security Standards Council.

If your PCI fee is over $120/year and your processor isn’t actively helping you with compliance (walking you through the SAQ, providing scans, offering breach insurance), you’re overpaying for a link to a form.

The non-compliance fee: where the real money is

This is where it gets ugly. Most processors also charge a PCI non-compliance fee of $19.95-$49.95 per month if you haven’t completed your annual SAQ. That’s $240-$600 per year in penalties on top of the compliance fee you’re already paying.

The math on this is wild. Only 43% of US businesses are currently PCI compliant. That means more than half of all merchants are paying non-compliance penalties every single month. For processors, that’s an enormous revenue stream.

And here’s the part that should make you angry: your processor has zero financial incentive to help you become compliant. A non-compliant merchant paying $39.95/month in penalties is worth $479/year. A compliant merchant paying a $99 annual fee is worth $99/year. Which one do you think your processor wants you to be?

Some processors make it worse by charging both fees simultaneously. You pay the annual PCI compliance fee AND the monthly non-compliance penalty. Compliant or not, they get paid.

Merchants regularly report being charged non-compliance fees even after submitting their completed SAQ. The processor’s system “didn’t update,” or the documentation was submitted through the “wrong portal,” or it’s still “being reviewed” three months later. Every month of delay is another $20-$50 in their pocket.

How to make it stop

Step 1: Complete your SAQ. This is the single most important thing. Log into your processor’s compliance portal (or ask them for the link). For most small businesses:

  • Retail with a standard terminal: SAQ B-IP or SAQ P2PE (33-82 questions, about 30-60 minutes)
  • E-commerce with hosted checkout (Stripe, Shopify, PayPal): SAQ A (22 questions, 5-10 minutes)
  • Phone orders with virtual terminal: SAQ C-VT (70-80 questions)

If you’re not sure which SAQ applies to you, the PCI Council’s SAQ overview has a straightforward guide.

Step 2: Submit proof and demand fee removal. Once your SAQ is complete, you’ll get an Attestation of Compliance. Send it to your processor and call them with this:

“I’ve completed my PCI Self-Assessment Questionnaire and I’m fully compliant. Please remove the non-compliance fee from my account effective immediately and credit me for the current billing cycle.”

Step 3: Challenge the compliance fee itself. If your processor charges over $120/year for PCI compliance and doesn’t provide hands-on support, push back:

“Can you itemize exactly what services are included in my PCI compliance fee? I’d like to understand what I’m paying for beyond access to the SAQ portal.”

If they can’t give you a clear answer, you have two options: negotiate the fee down, or note it as one more reason to switch to a processor with transparent pricing.

Step 4: Check your next statement. Processors sometimes “confirm” fee removal on the phone but don’t actually process it. Verify the charge is gone on your next statement. If it’s still there, call back with your reference number from the first call.

Should you actually care about PCI compliance beyond the fee?

Yes. This is worth taking the 10-60 minutes to do properly, and not just to stop the non-compliance charges.

43% of small businesses that experience a data breach close within six months. Card brand fines for non-compliance after a breach run $5,000-$100,000 per month. The average US data breach costs $4.88 million. You are almost certainly not the target of a sophisticated attack, but if you’re storing card data you shouldn’t be, or running an unpatched system, you’re exposed.

The good news: if you’re using a modern POS terminal or hosted online checkout, you’re already doing 90% of what PCI requires. The SAQ just documents it. Complete it, file it, and move on. One hour of work eliminates both the fee and the risk.

The bottom line

Your PCI compliance fee exists because your processor decided to charge it, not because Visa or Mastercard required it. A fair fee is $75-$120 per year with real services attached. Anything above that, especially monthly charges of $30+, is profit padding. The non-compliance penalty is a $240-$600/year tax on not filling out a questionnaire your processor never told you about.

Complete your SAQ this week. It takes less time than you spent reading this post. Then call your processor, confirm your compliance, and demand the non-compliance fee removed. If your overall PCI charges are unreasonable and your processor won’t budge, that’s a data point worth having the next time you review your full statement.

Not sure what PCI fees are on your statement or whether they’re fair? Our fee decoder breaks down every line item, and a statement audit will flag exactly where you’re overpaying.
