PCI Compliance Fees Explained: Everything You Need To Know

Processing companies will sometimes charge merchants a PCI compliance fee. The purpose of the fee is ambiguous, and it doesn’t always correspond to a concrete service being offered. Some merchants may also be charged a PCI non-compliance fee, if they fail to maintain proper security standards and procedures as outlined by their credit card processor. PCI compliance fees typically range from $35 to $99 per year, while PCI non-compliance fees are commonly around $20 per month.

PCI Compliance Fee: What Is It? How Does It Work?

PCI compliance fees are sometimes imposed on business owners by their credit card processors. This is a non-standard fee that doesn’t follow a strict set of rules. Paying a PCI compliance fee may come with different benefits, or no benefits at all, depending on which processor you end up working with. For example, the best processors will actually provide support and guidance to business owners on how to remain compliant, in exchange for the fee. Others, we've found, will simply charge the fee without providing much value. Unfortunately for small business owners, there is little recourse against these fees. Currently, there is no regulation that prevents processors from charging PCI compliance fees without providing any additional value. If you want to avoid such a scenario, make sure you research how a particular processing company handles PCI compliance when you’re shopping for one.

Below is a listing of several credit card processors and the PCI compliance fees they charge.

Processor                      | PCI Fee           | PCI Non-Compliance Fee
Helcim                         | None              | $45 (90-day grace period)
Dharma Merchant Services       | $7.95/month       | $19.95/month
Intuit                         | $35 – $100        | None
Payhub                         | $99/year          | $19.95/month
Flagship Merchant Services     | $99/year          | $19.95/month
Payment Depot                  | $65 – $240/year   | None
Cayan (Merchant Warehouse)     | $99/year          | None
U.S. Merchant Systems          | $7.95/month       | $19.95/month
Vantiv                         | $50 – $90/year    | $10 – $20/month
Forte Payment Systems          | $7.99/month       | $29.99/month
Transparent Merchant Services  | $99/year          | None
Host Merchant Services         | $4.99/month       | None
Merchant e-Solutions           | $9.95/month       | None
Soar Payments                  | None              | $19.95/month

Note that these fees sometimes appear under a different name. We’ve seen them referred to as a "security fee" or a "regulatory fee". Also, some of the processors named above may waive or alter PCI fees for certain types of businesses. Some credit card processors don't charge any PCI or PCI non-compliance fees. Those include Stripe, PayPal, Authorize.net, Payline Data, Spark Pay, Braintree, PayJunction, Amazon Payments and Chase Paymentech.

What is PCI Compliance?

PCI compliance, more precisely PCI-DSS compliance, refers to the Payment Card Industry Data Security Standard. It’s a set of rules that any organization handling card and payment information is expected to abide by, in order to minimize the risk of that data falling into the hands of a fraudster or hacker. Depending on your merchant level, which is determined by the total volume of sales you make per year, a different set of validation requirements may apply to you.

Merchant Level | Description
1              | Processing over $6M Visa transactions per year
2              | Processing $1M to $6M Visa transactions per year
3              | Processing $20,000 to $1M Visa e-commerce transactions per year
4              | Processing fewer than $20,000 Visa e-commerce transactions per year, and all other merchants

Most small business owners will find themselves in category 4, which is why we will go over the rules for these types of merchants in greater detail below.

Note that the card networks themselves do not charge PCI fees. Visa, Mastercard, Discover and American Express all expect the processors and merchants to adhere to PCI standards. If a data breach happens as a result of PCI non-compliance, the card networks may fine your processor for failing to maintain standards. The fees your processor charges you are a way to make sure all standards are met, so that the processor avoids being fined itself.

Originally, what is now known as PCI compliance was managed by each card network individually. These programs included Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express's Data Security Operating Policy, Discover's Information Security and Compliance, and JCB's Data Security Program. Around 2004, the companies merged these efforts to form the Payment Card Industry Security Standards Council (sometimes abbreviated PCI SSC) to maintain policies in a more centralized way. According to the PCI Security Standards Council, the goals of meeting the PCI requirements are:

  • To build and maintain a secure network
  • To protect cardholder data
  • To maintain a vulnerability management program
  • To implement strong access control measures
  • To maintain an information security policy

How To Avoid PCI Non-Compliance Fees As A Small Business

To remain PCI compliant, and avoid non-compliance fees, all small business owners are required to fill out a Self-Assessment Questionnaire (SAQ) once per year. This is a fairly standard form that asks some basic identifying questions about your business, such as the type of merchant you are and what types of payments you accept. You’ll be required to list all of your locations and facilities that accept card payments, and which vendors you use.

Some credit card processors that charge a PCI compliance fee will give you assistance when filling out this form, and some will even fill it out for you.

A screenshot depicting one page of the PCI Questionnaire.

eCommerce businesses are also required to submit evidence of a passing vulnerability scan performed by a PCI SSC Approved Scanning Vendor (ASV). The scans need to be performed on a quarterly basis. A passing ASV scan is required for merchants completing SAQ A-EP, SAQ B-IP, SAQ C, SAQ D for merchants and SAQ D for service providers. Again, some processors will run these scans and submit proof on your behalf.
