💳 Save money on credit card processing with one of our top 5 picks for 2025
Are PCI compliance fees legit? Start here to learn about PCI compliance fees, PCI non-compliance, and how to avoid these fees altogether.
WRITTEN & RESEARCHED BY
Expert Contributor
Last updated onUpdated
REVIEWED BY
Expert Contributor
Merchant services providers are notorious for tacking on all kinds of additional credit card processing fees and not disclosing them during the sales process.
One fee that raises a lot of questions from merchants is the PCI compliance fee. What is the fee for, and what does being PCI compliant mean? What services does the provider offer in exchange for it? Most importantly, is there any way to get out of paying for it?
Although many of the best payment processors don’t charge a PCI compliance fee, all businesses must pay for PCI compliance one way or another. We’ll look at the numerous ways in which providers charge (or don’t charge) for PCI compliance services and what kind of services you’ll receive. We’ll also discuss the dreaded PCI non-compliance fee and how you can avoid ever having to pay it.
Table of Contents
PCI compliance refers to compliance with data security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). These standards are designed to ensure that your customers’ credit card data is handled safely and securely to minimize any chance of a data breach. Compliance with PCI DSS standards is required by the credit card associations (Visa, Mastercard, etc.), but enforcement is generally left up to the individual processors.
Requirements for being PCI compliant can be complex and vary widely from one business to the next. For example, a retail-only business that doesn’t use a payment gateway might have relatively few requirements to meet. At the same time, an eCommerce business that processes all sales over a payment gateway and uses a customer information database to store customer payment method information would have far more extensive requirements. Unfortunately, merchant services providers don’t always take these distinctions into account when setting PCI compliance fees, preferring to charge all merchants the same fee regardless of their actual compliance needs.
The credit card associations have divided businesses into four levels of risk based on how many transactions they process annually. Most small businesses will fall under Level 4, defined as “Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.”
To figure out which risk level your business falls under, check out our article on determining your PCI compliance level.
While your provider handles many of the required actions, you will also have to perform some steps to perform yourself. The most important action you’ll need to take is to complete the Self-Assessment Questionnaire (SAQ). This questionnaire needs to be updated annually. Failure to keep the SAQ updated is the most common reason merchants are charged a PCI non-compliance fee by their provider.
The PCI Security Standards Council (PCI SSC) publishes several different forms of the SAQ for different types of businesses. These forms are described on the PCI SSC website, which also includes links to instructions and documents you’ll want to refer to when filling out the SAQ.
The term “PCI fees” refers to any type of fee charged by your processor in conjunction with meeting PCI compliance standards. There are two kinds of PCI fees charged by credit card processors: PCI compliance fees and PCI non-compliance fees. Since you might see either one (or both!) of these fees on your processing statement, it’s important to understand what they’re for and why you have to pay them.
One common misconception about PCI compliance fees is that payment of the fee means that your provider will ensure that your account is fully compliant, and you don’t have to do anything. Unfortunately, this simply isn’t true. While robust PCI compliance services can take care of the more technical aspects of compliance, at a minimum, you’ll still have to complete the Self-Assessment Questionnaire (SAQ) and keep it updated.
Merchant account providers that charge for PCI compliance may impose this charge either annually or monthly. In the payments industry, PCI compliance fees generally average around $120 per year or $10 per month.
However, providers are free to charge for PCI compliance any way they want to, so naturally, there’s a lot of variation from one company to the next
Because merchants have generally been unhappy about having to pay yet another fee to maintain their accounts, many providers don’t charge a PCI fee at all. Does that mean that you’re getting PCI compliance services for free? Don’t be silly! In most cases, the PCI compliance cost for a small business is covered through either a higher monthly account fee, higher processing rates, or a combination of the two.
PCI non-compliance fees are handled differently because they are only charged if your account becomes non-compliant. Many providers will charge you a monthly fee of around $20-$30 per month (or more) until you get your account back in compliance. In theory, a provider would be well within its rights to shut down your account if you neglected to bring it back into compliance within a reasonable time. However, this rarely happens in actual practice — probably because the provider is still making money from your account fees and processing activity.
Here’s a breakdown of how several of the most popular merchant services providers in the industry charge for PCI compliance:
| Processor | PCI Compliance Fee | PCI Non-Compliance Fee |
|---|---|---|
| CDGcommerce | None | None |
| CardConnect | $259.99/year | $29.95/month |
| Dharma Merchant Services | None | None |
| TSYS | $99.50/year | $94.95/month |
| Stax | None | None |
| Flagship Merchant Services | $119.00/year | $30/month |
| Helcim | None | None |
| Host Merchant Services | None | None |
| National Processing | None | None |
| Payment Depot | None | None |
| PayPal | None | None |
| Square | None | None |
| Stripe Payments | None | None |
| Wells Fargo Merchant Services | Variable | Variable |
Misconceptions about PCI compliance requirements and a general distrust of merchant account providers have led many business owners to feel that PCI compliance fees are just a scam to squeeze more money out of them. While this might be the case with some providers, it’s usually not. Whether or not you’re being ripped off will depend on which of these possible approaches to PCI compliance your provider uses:
How will you know which of these approaches applies to your account? One way is to ask your sales agent. However, be aware that most agents won’t voluntarily disclose the existence or amount of PCI fees unless you ask them about the subject.
PCI fees, if any, are spelled out in your contract — usually in the Merchant Application section. Unless your provider specifically states on its website that it doesn’t charge PCI compliance fees, it’s a good bet that they will be part of your agreement. As for what services are provided in exchange for paying PCI fees, you’ll probably have to ask customer service for details. Most sales agents simply won’t be very knowledgeable about this subject.
In recent years, more and more providers have stopped charging discrete PCI fees in response to merchant complaints. If you’re dead set on not having to pay for PCI compliance, your best bet is to choose a provider that doesn’t charge those fees at all. This is getting easier to do, although we’d caution you that most of the big-name direct processors and their numerous resellers continue to charge PCI fees in most cases.
You should also be aware that payment service providers (such as Square) aggregate all of their users into a single merchant account. In this case, PCI compliance is handled directly by the provider, and you won’t be charged any PCI fees.
Finding a provider that won’t charge you any PCI fees is getting much easier, thanks to pressure from merchants to simplify or eliminate the number of extra fees they need to pay to maintain their accounts.
Payment services providers (such as Square and PayPal) take care of PCI compliance for you since you won’t have a unique merchant account for your business. These companies use a flat-rate pricing structure to cover the cost of PCI compliance, so at least a small part of your transaction processing fees goes to covering these costs. However, you won’t have to worry about getting stung with a PCI non-compliance fee.
On the other hand, traditional merchant account providers are more likely to impose PCI fees separately rather than including that cost in the other fees and processing rates that you’re already paying. Providers using membership pricing (such as Stax and Payment Depot) don’t charge separately for PCI compliance. However, you can bet that at least some part of your monthly subscription fee goes toward covering those costs.
Be sure to check out the table above for more providers that don’t charge for PCI compliance.
If you don’t like the idea of paying an extra $30 per month (or more) in junk fees just to have your provider remind you that your account is no longer PCI-compliant, there are many ways to prevent this from happening. Besides the obvious step of choosing a provider that doesn’t charge a PCI non-compliance fee, here are a few things you can do to avoid this penalty:
For most small business owners, these requirements for avoiding PCI compliance fines are relatively easy to meet and shouldn’t require an undue amount of time or effort on your part. Above all, remember that maintaining PCI compliance isn’t about avoiding a penalty fee. Ultimately, it’s about safeguarding your business from a potentially disastrous data breach that can cost you thousands of dollars and put you out of business altogether.
Needing to maintain PCI compliance requirements is an inevitable part of having a merchant account. You have to meet those requirements regardless of how much (or how little) assistance you receive from your provider. Because PCI compliance policies and fees vary so much from one provider to another, you should carefully research your provider’s approach to PCI compliance before you sign up for an account.
As we’ve noted, paying a reasonable PCI compliance fee is entirely acceptable as long as your provider offers some actual services to keep you compliant. The situation you want to avoid is one where you’re being charged a PCI compliance fee but aren’t receiving any compliance services.
It’s also critically important to review your contract thoroughly before you sign up with a new provider. While this is good advice in general, it’s particularly important in determining whether you’ll be liable for PCI compliance or non-compliance fees and how much they’ll cost. As we’ve noted, sales representatives generally don’t disclose these fees unless you specifically ask about them first.
For more information on maintaining PCI compliance standards and avoiding getting hit with a PCI non-compliance fee, check out our quick guide to PCI DSS compliance for small businesses.
Get in touch with a real human being on the Merchant Maverick team! Send us your questions, comments, reviews, or other feedback. We read every message and will respond if you'd like us to.
Reach OutGet in touch with a real human being on the Merchant Maverick team! Send us your questions, comments, reviews, or other feedback. We read every message and will respond if you'd like us to.
Reach Out
Let us know how well the content on this page solved your problem today. All feedback, positive or negative, helps us to improve the way we help small businesses.
Give Feedback
Want to help shape the future of the Merchant Maverick website? Join our testing and survey community!
By providing feedback on how we can improve, you can earn gift cards and get early access to new features.
Whether you're looking to save money on processing or to get approved for a merchant account, PaymentCloud can help.
Get Started
Help us to improve by providing some feedback on your experience today.
Is It Time To Switch Credit Card Processors?
If your payment processing provider is doing any of these six things, it's probably time to switch. Download our list to learn more.
The vendors that appear on this list were chosen by subject matter experts on the basis of product quality, wide usage and availability, and positive reputation.
Merchant Maverick’s ratings are editorial in nature, and are not aggregated from user reviews. Each staff reviewer at Merchant Maverick is a subject matter expert with experience researching, testing, and evaluating small business software and services. The rating of this company or service is based on the author’s expert opinion and analysis of the product, and assessed and seconded by another subject matter expert on staff before publication. Merchant Maverick’s ratings are not influenced by affiliate partnerships.
Our unbiased reviews and content are supported in part by affiliate partnerships, and we adhere to strict guidelines to preserve editorial integrity. The editorial content on this page is not provided by any of the companies mentioned and has not been reviewed, approved or otherwise endorsed by any of these entities. Opinions expressed here are author’s alone.
Whether you're looking to save money on processing or to get approved for a merchant account, PaymentCloud can help.
Get Started
