An audit to determine your organization’s compliance with the Payment Card Industry Data Security Standard (PCI DSS) can cost $15,000 to $40,000, depending on factors including business type, company size, the security culture at your enterprise, and the card processing methods used.

The higher cost is what Level 1 merchants would generally pay for a Qualified Security Assessor (QSA) to perform an on-site audit and complete a Report on Compliance (ROC) attesting that your organization is PCI compliant. Add in quarterly vulnerability scans, penetration testing, employee security training, policy development, and more, and your compliance costs could top $50,000 per year.

If you have dedicated PCI staff, those salaries will factor into the equation, as well. And if the auditor finds compliance gaps or vulnerabilities, expect to pay remediation costs.

An on-site PCI audit is required only for Level 1 merchants and service providers, but many Level 2 and 3 entities choose to comply at this level. Smaller entities can expect to pay around $15,000 for the audit and report.

Organizations submitting an Attestation of Compliance and self-assessment questionnaire (SAQ) can save on third-party-audit expenses but often must pay someone to complete the forms.

Other costs include quarterly vulnerability scans of your network environment, security training, and remediation. Estimates range from $60 per month for small businesses to $50,000 for those with multiple IP addresses.

In addition, credit card processors may charge a PCI compliance fee of $70 to $120 per year. Although you may wonder how to avoid paying this fee, the expense may be worthwhile if your processor provides PCI DSS compliance support such as vulnerability scanning and assistance with the self-assessment questionnaire.

If you’re a small business, PCI DSS compliance could cost at least $300 per year (depending on your environment).

  • Self-Assessment Questionnaire: $50 – $200
  • Vulnerability scanning: $100 – $200 per IP address
  • Training and policy development: $70 per employee
  • Remediation (software and hardware updates, etc.): Varies greatly based on where the entity is today in relation to compliance and security, but estimated: $100 – $10,000

If you’re a very large enterprise and need a PCI DSS assessment, expect to pay $70,000+ in total costs (depending on your environment).

  • Onsite audit ~ $40,000
  • Vulnerability scans ~ $1,000
  • Penetration testing ~ $15,000
  • Training and policy development ~ $5,000
  • Remediation (software and hardware updates, etc.) ~ Varies greatly based on where the entity is today in relation to compliance and security, but estimated: $10,000 – $500,000

Level-by-level PCI compliance costs

Level 1

PCI Compliance Level 1: Merchants with more than 6 million transactions a year or any merchant that has had a data breach

  • PCI environment hardware, software, and security
  • Self-assessment
  • On-site third-party audit by a Qualified Security Assessor (QSA) plus remediation costs
  • Quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV)
  • Penetration testing
  • Data security, classification, and encryption
  • Training

Total cost: Minimum $50,000 per year

Level 2

PCI Compliance Level 2: Merchants with between 1 million and 6 million transactions annually

  • Quarterly vulnerability scans performed by an Approved Scanning Vendor (ASV)
  • Annual Self-Assessment Questionnaire
    • Remediation
  • Penetration testing
  • Training

Total cost: Minimum $10,000 per year

Level 3

PCI Compliance Level 3: Merchants with between 20,000 and 1 million transactions annually

  • Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor (ASV)
  • Yearly Self-Assessment Questionnaire
    • Remediation
  • Training

Total cost: Minimum $1,200 per year

Level 4

PCI Compliance Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year

  • Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor (ASV)
  • Yearly Self-Assessment Questionnaire
    • Remediation
  • Training

Total cost: Minimum $60 to $75 per month

The high(er) costs of non-compliance

PCI DSS is not a law or regulation but an industry mandate. If your enterprise accepts credit card payments or handles payment card data, it must comply with PCI DSS.

PCI DSS is an information security framework intended to help merchants and service providers protect credit and debit card transactions from data breaches. But being out of compliance can feel worse than breaking the law.

PCI DSS’s origins date to 1999, when Visa developed a Cardholder Information Security Program in response to rampant increases in credit card fraud via the (new) Internet. Other major credit-card brands—Mastercard, Discover, American Express, and JCB—followed suit with their own security programs. In 2004 these five jointly launched PCI DSS 1.0.

In 2006, the card brands added financial institutions, merchants, processor companies, software developers, point-of-sale vendors, and others to their security initiative, forming the PCI Security Standards Council (PCI SSC).

The consequences of ignoring or failing PCI DSS compliance are dire. Fines of up to $100,000 per month are only the beginning. When banks get the notification that you have failed to comply, it’s usually because your cardholder data has been breached. In that case, you could find yourself paying for the following:

  • A PCI DSS forensic investigation
  • Lawsuit and other legal fees
  • Remediation
  • High rates to banks and processors
  • Federal Trade Commission audits
  • Cardholder notifications
  • Compensation costs to affected customers (credit monitoring, identity theft insurance, new cards)

In addition, you could lose your credit card privileges—crippling to almost any business.

Also, a breach that compromises credit card data moves your enterprise, no matter how small, to PCI Compliance Level 1. This most stringent PCI DSS compliance level requires expensive on-site audits every year, network vulnerability scans every 90 days, and, for service providers, penetration tests and internal scans.