PCI "compliance" fees: the junk line in your statement
Almost every merchant statement carries a monthly "PCI fee" — and many carry a far uglier "non-compliance fee." Neither is a network rule, and most of it can be made to disappear once you understand what PCI DSS actually asks of you.
Quick answer
The PCI fee on your statement is not mandatory. The PCI Security Standards Council never bills merchants — your processor invented that line, so it can negotiate or remove it. PCI DSS compliance for most small businesses just means completing a Self-Assessment Questionnaire yourself. The avoidable "non-compliance" penalty stops once your SAQ is on file.
Scan your statement for a line that reads "PCI Compliance Fee," "PCI Program Fee," or — worse — "PCI Non-Compliance Fee." It is one of the most common charges in the merchant world, and one of the most misunderstood. Owners assume it is a mandatory security tax. It is not. It is a processor-set fee, the security standard behind it is something you can satisfy yourself, and the fee is very often negotiable, waivable, or removable outright.
The trick processors rely on is that the fee shares a name with a real, legitimate security standard — so it looks official. Pulling the two apart is where the savings live.
What PCI DSS actually is
PCI DSS — the Payment Card Industry Data Security Standard — is a real set of security requirements maintained by the PCI Security Standards Council, the body founded by the major card networks. Any business that stores, processes, or transmits cardholder data is expected to comply. That part is genuine, and it matters: it covers things like network security, encryption, access controls, and regular testing.
For most small and mid-sized merchants, "complying" does not mean hiring an auditor. It means completing a Self-Assessment Questionnaire (SAQ) — a checklist you fill out yourself attesting to how you handle card data — and, depending on your setup, passing a quarterly external vulnerability scan run by an Approved Scanning Vendor. The version of the SAQ you use (there are several, from a short SAQ A for e-commerce where card handling is fully outsourced to a validated third party, to longer ones for merchants whose own systems touch card data) depends on how card data flows through your business.
The standard vs. the monthly "PCI fee"
Here is the part that gets blurred. The PCI Security Standards Council does not charge you a monthly fee. The "PCI fee" on your statement is something your processor invented. Typically it bundles two ideas:
- A "compliance" or "program" fee — a recurring charge (commonly billed monthly or annually) that supposedly covers access to a compliance portal, SAQ tooling, and a scanning vendor. Sometimes there is real service behind it; often it is close to pure margin.
- A "non-compliance" fee — a penalty the processor adds when you have not completed your SAQ on file with them. This is the one that stings, because it is entirely avoidable. It is not a fine from Visa or Mastercard reaching your account; it is the processor charging you for paperwork you simply have not turned in yet.
The networks do levy real fines for actual breaches and serious non-compliance, but those flow through the acquirer in rare, specific circumstances — they are not the routine monthly line you are seeing. The everyday "PCI fee" is a processor product.
The PCI Council never bills you a monthly fee. That line on your statement was added by your processor — which means your processor can take it off.
How much it commonly runs
Numbers vary widely by provider, but as an illustrative range, a monthly PCI compliance fee commonly lands somewhere around $5 to $25 a month — roughly $60 to $300 a year. The non-compliance penalty is steeper and is where merchants quietly bleed: it commonly runs in the neighborhood of $20 to $60 a month for as long as your SAQ is missing, which can mean hundreds of dollars a year for nothing but unfinished paperwork.
What makes it sting is the asymmetry. The work to make the fee go away is usually a 20-minute questionnaire. The penalty for not doing it can outrun the cost of the security tooling several times over. Processors are not always loud about which bucket you are in — many merchants discover they have been paying the non-compliance rate for a year simply because nobody told them an SAQ was outstanding.
How to get the SAQ done and the fee waived
The path off this line item is mechanical once you know the steps:
- Find your current status. Log into your processor's compliance portal (or call support) and ask whether your SAQ is on file and whether you are being charged the compliance fee, the non-compliance fee, or both.
- Complete the right SAQ. Ask which SAQ type applies to your setup, then complete it — it is a self-attestation, not an audit. If a quarterly scan is required, the portal usually arranges it.
- Clear the non-compliance penalty. Once your SAQ is validated, the non-compliance fee should stop. Ask explicitly for any recent penalty charges to be reversed; many processors will credit them when prompted.
- Negotiate the compliance fee itself. The base PCI program fee is often negotiable — and on a transparent, no-junk-fee processor it can frequently be waived or built into honest pricing rather than tacked on as a surprise.
None of this changes your actual security posture — the SAQ is a signed attestation that the required controls are in place, not a substitute for them, so you still want to genuinely meet the standard. What it changes is whether you are paying a premium to a processor for paperwork you can largely handle yourself.
Frequently asked questions
Is the PCI fee on my merchant statement mandatory?
No. The PCI Security Standards Council never bills merchants a monthly fee. The line on your statement is a charge your processor invented and added, which means your processor can negotiate, waive, or remove it. PCI DSS itself is a real standard, but the monthly fee is a processor product.
What does PCI compliance actually require for a small business?
For most small and mid-sized merchants, complying does not mean hiring an auditor. It means completing a Self-Assessment Questionnaire, a checklist you fill out attesting to how you handle card data, and, depending on your setup, passing a quarterly network scan from an Approved Scanning Vendor.
What is the PCI non-compliance fee and how do I avoid it?
The non-compliance fee is a processor penalty charged when your SAQ is not on file with them, commonly running about $20 to $60 a month. It is not a network fine. Completing the right Self-Assessment Questionnaire stops it, and you can ask the processor to reverse recent penalty charges.
How much do PCI compliance fees typically cost?
As an illustrative range, a monthly PCI compliance fee commonly lands around $5 to $25 a month, roughly $60 to $300 a year. The non-compliance penalty is steeper, often around $20 to $60 a month for as long as your SAQ is missing. Confirm exact figures on your own statement.
Key takeaways
- PCI DSS is a real security standard; the monthly "PCI fee" on your statement is a processor charge, not a network rule.
- For most merchants, compliance means completing a Self-Assessment Questionnaire — no auditor, no Council bill.
- The "non-compliance fee" is the avoidable one: it is a penalty for a missing SAQ, commonly running $20–$60 a month until you file it.
- Finish the SAQ, request reversal of recent penalties, and negotiate or eliminate the base fee — transparent processors often waive it entirely.
Sources & how to verify
PCI Security Standards Council documentation on PCI DSS and the Self-Assessment Questionnaire (SAQ) types, published at the Council's official site. Visa and Mastercard merchant compliance program materials for context on network-level requirements. Fee ranges above are illustrative and assembled from common merchant-statement patterns — confirm the exact figures, fee type, and SAQ status on your own statement and processor portal.
Find out what you are really paying for "PCI"
Send us a recent statement and we will flag every junk line — PCI fees included — and show you which ones are negotiable, waivable, or pure margin.