The Complete Guide To PCI Fees: How To Avoid PCI Compliance & Non-Compliance Fees (Plus How To Spot A Scam)
Merchant services providers are notorious for tacking on all kinds of additional fees for their services and not disclosing them during the sales process. Merchants are often left to find them buried somewhere in the pages and pages of fine print that make up their contracts.
One fee that raises a lot of questions from merchants is the PCI compliance fee. What is the fee for, and what does being PCI compliant mean? What services does the provider offer in exchange for it? Most importantly, is there any way to get out of paying for it?
This article will discuss PCI compliance, why it’s important, and how your merchant services provider treats it. We’ll look at the numerous ways in which providers charge (or don’t charge) for PCI compliance services and what kind of services you’ll receive. We’ll also discuss the dreaded PCI non-compliance fee and how you can avoid ever having to pay it.
Check out our Merchant Account Comparison Chart to get the full picture on fees — including PCI fees — from some of the best payment processors in the industry.
Table of Contents
What Is PCI Compliance?
Let’s start with the basics. PCI compliance refers to compliance with data security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). These standards are designed to ensure that your customers’ credit card data is handled safely and securely to minimize any chance of a data breach. Compliance with PCI DSS standards is required by the credit card associations (Visa, Mastercard, etc.), but enforcement is generally left up to the individual processors.
Requirements for being PCI compliant can be complex and vary widely from one business to the next. For example, a retail-only business that doesn’t use a payment gateway might have relatively few requirements to meet. At the same time, an eCommerce business that processes all sales over a payment gateway and uses a customer information database to store customer payment method information would have far more extensive requirements. Unfortunately, merchant services providers don’t always take these distinctions into account when setting PCI compliance fees, preferring to charge all merchants the same fee regardless of their actual compliance needs.
The credit card associations have divided businesses into four levels of risk based on how many transactions they process annually. To figure out which risk level your business falls under, check out our article, The Complete Guide To PCI Compliance Levels & How To Determine Your Business’ Obligations For PCI Compliance. Most small businesses will fall under Level 4, defined as “Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.”
While your provider handles many of the required actions, you will also have to perform some steps to perform yourself. The most important action you’ll need to take is to complete the Self-Assessment Questionnaire (SAQ). This questionnaire needs to be updated annually. Failure to keep the SAQ updated is the most common reason merchants are charged a PCI non-compliance fee by their provider.
The PCI Security Standards Council (PCI SSC) publishes several different forms of the SAQ for different types of businesses. These forms are described on the PCI SSC website, which also includes links to instructions and documents you’ll want to refer to when filling out the SAQ. For more details on PCI compliance requirements, please see our article, The Complete Guide to PCI DSS: Why You Need To Understand PCI Compliance Standards & What Role Payment Processors Play.
What Are PCI Fees?
The term “PCI fees” refers to any type of fee charged by your processor in conjunction with meeting PCI compliance standards. There are two kinds of PCI fees charged by credit card processors: PCI compliance fees and PCI non-compliance fees. Since you might see either one (or both!) of these fees on your processing statement, it’s important to understand what they’re for and why you have to pay them.
PCI Compliance Fees
In theory, PCI compliance fees compensate your provider for any services they provide to ensure that your merchant account complies with all applicable PCI standards. We say “in theory” because you don’t always receive something of value in exchange for paying these fees.
eCommerce businesses will inevitably have more PCI compliance requirements to meet than most retail businesses, but both types of businesses will usually have to pay the same monthly or annual PCI compliance fee if their provider charges one.
PCI compliance fees are also a relatively new feature in the payments industry. The first set of PCI standards, PCI DSS 1.0, was published back in December 2004. At that time, eCommerce was still in its infancy, but rampant fraud was already on the rise. It quickly became clear that businesses were going to have to take extra steps to protect their customers’ sensitive credit card data. With the additional requirements came additional costs, and merchant services providers soon started passing those costs on to their clients in the form of PCI compliance fees.
One common misconception about PCI compliance fees is that payment of the fee means that your provider will ensure that your account is fully compliant, and you don’t have to do anything. Unfortunately, this simply isn’t true. While robust PCI compliance services can take care of the more technical aspects of compliance, at a minimum, you’ll still have to complete the Self-Assessment Questionnaire (SAQ) and keep it updated.
Most PCI compliance services offered by providers fall into one of the following three categories:
- Security Scans: This is the most basic compliance service your processor can provide you with, and it’s essential that it be included if you’re paying a PCI compliance fee. Security scanning services thoroughly check all aspects of your processing system, including your website, server, payment gateway, and any connected terminals or POS systems for viruses, Trojans, malware, and other potential security threats. Scans are required to be conducted quarterly, although some providers will scan your system every month.
- Data Breach Insurance: This is insurance that will reimburse you for any losses or claims resulting from a breach where your customer data is hacked or stolen. Data breach insurance is subject to policy limits and a number of exclusions, so there’s no guarantee that the insurer will accept your claim if you suffer a breach. You’ll want to review your insurance policy to determine what specific incidents it will or will not cover. While the possibility of a denied claim can make this type of insurance seem like a waste of money, it’s certainly better than not having any insurance against a breach at all. Data breach insurance is particularly important for eCommerce merchants. One of our highest-rated providers, CDGcommerce, offers $100,000 in data breach insurance as part of its optional cdg360 security package. At $15 per month, it’s a worthwhile investment.
- Customer Education & Assistance: This is perhaps the most nebulous, but also the most important, compliance service your provider can offer. What you want — and what some providers offer — is an in-depth knowledgebase to educate you about PCI compliance requirements and proactive assistance where your provider will contact you immediately if they detect anything amiss regarding your account’s security. Unfortunately, some providers offer only minimal services in this area while still charging you a full PCI compliance fee. Beware of providers that offer just a minimal FAQ on PCI compliance or are quick to start charging you a PCI non-compliance fee without notifying you that your account is out of compliance.
PCI Non-Compliance Fees
A PCI non-compliance fee is nothing less than a fine or penalty for failing to keep your account compliant with PCI DSS standards. It’s only imposed if you, the merchant, have neglected to do something on your end to keep your account compliant. Failure to complete or maintain the Self-Assessment Questionnaire (SAQ) is the most common reason for a PCI non-compliance fee to be imposed.
The biggest problem with the PCI non-compliance fee is that it doesn’t do anything to rectify the situation or bring your account into compliance. Your provider doesn’t offer any additional services for this fee, and as such, we consider it a “junk” fee. Unfortunately, your provider may impose a PCI non-compliance fee without notice to you, and it will continue to charge this fee every month until you bring your account back into compliance. PCI non-compliance fees vary from one provider to the next, but the industry average is about $20-$30 per month.
As much as we don’t like this fee, the fact is that almost all merchant services providers will charge you a PCI non-compliance fee if you fail to keep your account compliant. Some of the better providers will notify you in advance that your account is no longer PCI compliant and give you a chance to fix the problem before the non-compliance fee kicks in. However, many other providers won’t notify you at all and start charging the extra fee until you notice it and bring your account back into compliance on your own. This is yet another reason why you need to review your merchant account statement carefully every month.
Can you be charged for both PCI compliance and non-compliance at the same time? Of course, you can! In fact, if your provider charges you for PCI compliance and your account becomes non-compliant, you’re guaranteed to end up paying both fees simultaneously until you fix the problem. The bottom line on PCI non-compliance fees is that they’re easily avoided simply by keeping your account compliant. As long as you review your requirements and make sure you’re meeting them, you should never have to pay this fee.
How Much Does PCI Compliance Cost?
Providers are free to charge for PCI compliance any way they want to, so naturally, there’s a lot of variation from one company to the next. Over the years, an “industry standard” of sorts has developed that lumps charges for PCI compliance into a single annual fee of around $99 per year. (Note that this fee has crept up in recent years in response to inflation and additional compliance requirements and is now closer to about $120 per year.)
The problem with paying a single annual fee is that most providers will not give you a prorated refund on this fee if you close your account within the one-year period after you’ve paid it. In response to merchants’ numerous complaints about this practice, many providers now charge monthly for PCI compliance — typically around $7.99 to $9.99 per month (or more).
Because merchants have generally been unhappy about having to pay yet another fee to maintain their accounts, many providers don’t charge a discrete PCI fee at all. Does that mean that you’re getting PCI compliance services for free? Don’t be silly! In most cases, the PCI compliance cost for a small business is covered through either a higher monthly account fee, higher processing rates, or a combination of the two.
PCI non-compliance fees are handled differently because they are only charged if your account becomes noncompliant. Almost all providers will charge you a monthly fee of around $20-$30 per month until you get your account back in compliance. In theory, a provider would be well within its rights to shut down your account if you neglected to bring it back into compliance within a reasonable time. However, this rarely happens in actual practice — probably because the provider is still making money from your account fees and processing activity.
The sad truth is that far too many small business owners don’t take the time to review their processing statements every month. They often don’t even realize that they’re getting hit with a PCI non-compliance fee until many months after their account has become non-compliant.
Regardless of how your provider charges for PCI compliance, any applicable PCI fees should be disclosed in your contract documents. Be sure to review this information before you sign up for an account to avoid unpleasant surprises later.
Here’s a breakdown of how several of the most popular merchant services providers in the industry charge for PCI compliance:
|Processor||PCI Compliance Fee||PCI Non-Compliance Fee|
|Dharma Merchant Services||None||None|
|Electronic Merchant Systems (EMS)||$75.00/year||$50.00/month|
|Flagship Merchant Services||$99.00/year||$19.95/month|
|Host Merchant Services||None||None|
|Wells Fargo Merchant Services||Variable||Variable|
Are PCI Compliance Fees A Scam?
Misconceptions about PCI compliance requirements and a general distrust of merchant account providers have led many business owners to feel that PCI compliance fees are just a scam to squeeze more money out of them. While this might be the case with some providers, it’s usually not. Whether or not you’re being ripped off will depend on which of these possible approaches to PCI compliance your provider uses:
- No Fee Charged, No Services Provided: Under this approach, your provider basically leaves PCI compliance up to you. You won’t be charged a PCI compliance fee, but you won’t receive any services to help you maintain compliance, either. It’s very rare to see this approach still in use, given the prevalence of eCommerce today and the provider’s financial risk if a data breach occurs.
- No Fee Charged, Services Are Provided: This approach is the most popular with merchants. You receive at least some services that help you maintain PCI compliance, but you don’t pay a separate fee for them. Many of the providers in the chart above utilize this approach. Of course, nothing is ever really free in the processing industry. In most cases, providers using this approach are actually bundling your PCI compliance costs with your monthly account fee or charging you slightly higher processing rates than you would otherwise receive.
- Fee Charged, Services Are Provided: This is the most common approach used by traditional merchant account providers. You’ll have to pay a fee, but you’ll receive PCI compliance services in exchange for that fee to help keep you compliant. As long as the cost is reasonable and the services provided help keep your account secure, this is a fair and sensible approach.
- Fee Charged, No Services Provided: Unfortunately, there are some unscrupulous providers out there that will gladly charge you a PCI compliance fee but don’t offer any services in exchange. Not only are you on your own when it comes to maintaining compliance, but you’re also being ripped off by having to pay a “junk” fee that doesn’t provide anything other than increased profits to your provider. We recommend that you steer clear of providers that utilize this approach.
How will you know which of these approaches applies to your account? One way is to ask your sales agent. However, be aware that most agents won’t voluntarily disclose the existence or amount of PCI fees unless you ask them about the subject.
PCI fees, if any, are spelled out in your contract — usually in the Merchant Application section. Unless your provider specifically states on its website that it doesn’t charge PCI compliance fees, it’s a good bet that they will be part of your agreement. As for what services are provided in exchange for paying PCI fees, you’ll probably have to ask customer service for details. Most sales agents simply won’t be very knowledgeable about this subject.
How To Avoid PCI Compliance Fees
In recent years, more and more providers have stopped charging discrete PCI fees in response to merchant complaints. If you’re dead set on not having to pay for PCI compliance, your best bet is to choose a provider that doesn’t charge those fees at all. This is getting easier to do, although we’d caution you that most of the big-name direct processors and their numerous resellers continue to charge PCI fees in most cases.
You should also be aware that payment service providers (such as Square) aggregate all of their users into a single merchant account. In this case, PCI compliance is handled directly by the provider, and you won’t be charged any PCI fees.
Merchant Services With No PCI Compliance Fee
Finding a provider that won’t charge you any PCI fees is getting much easier, thanks to pressure from merchants to simplify or eliminate the number of extra fees they need to pay to maintain their accounts.
Payment services providers (such as Square and PayPal) take care of PCI compliance for you since you won’t have a unique merchant account for your business. These companies use a flat-rate pricing structure to cover the cost of PCI compliance, so at least a small part of your transaction processing fees goes to covering these costs. However, you won’t have to worry about getting stung with a PCI non-compliance fee.
On the other hand, traditional merchant account providers are more likely to impose PCI fees separately rather than including that cost in the other fees and processing rates that you’re already paying. Providers using membership pricing (such as Fattmerchant and Payment Depot) don’t charge separately for PCI compliance. However, you can bet that at least some part of your monthly subscription fee goes toward covering those costs.
Be sure to check out the table above for more providers that don’t charge for PCI compliance!
How To Avoid PCI Non-Compliance Fines & Fees
If you don’t like the idea of paying an extra $30 per month in junk fees just to have your provider remind you that your account is no longer PCI-compliant, there are many ways to prevent this from happening. Besides the obvious step of choosing a provider that doesn’t charge a PCI non-compliance fee, here are a few things you can do to avoid this penalty:
- Train your employees (and yourself) on proper credit card handling procedures
- Follow all practices recommended by the PCI SSC to secure your processing equipment
- For eCommerce merchants, consider using a hosted payment page to keep credit card data off your website entirely
- Ensure that quarterly security scans are being performed and review the results
- File an updated Self-Assessment Questionnaire (SAQ) every year
- Implement any additional security requirements identified in the SAQ and document your efforts
For most small business owners, these requirements for avoiding PCI compliance fines are relatively easy to meet and shouldn’t require an undue amount of time or effort on your part. Above all, remember that maintaining PCI compliance isn’t about avoiding a penalty fee. Ultimately, it’s about safeguarding your business from a potentially disastrous data breach that can cost you thousands of dollars and put you out of business altogether.
PCI Compliance & PCI Fees FAQ
Key Takeaway: PCI Compliance Is Mandatory; PCI Fees Aren’t
Needing to maintain PCI compliance requirements is an inevitable part of having a merchant account. You have to meet those requirements regardless of how much (or how little) assistance you receive from your provider. Because PCI compliance policies and fees vary so much from one provider to another, you should carefully research your provider’s approach to PCI compliance before you sign up for an account.
As we’ve noted, paying a reasonable PCI compliance fee is entirely acceptable as long as your provider offers some actual services to keep you compliant. The situation you want to avoid is one where you’re being charged a PCI compliance fee but aren’t receiving any compliance services.
It’s also critically important to review your contract thoroughly before you sign up with a new provider. While this is good advice in general, it’s particularly important in determining whether you’ll be liable for PCI compliance or non-compliance fees and how much they’ll cost. As we’ve noted, sales representatives generally don’t disclose these fees unless you specifically ask about them first.
For more information on maintaining PCI compliance standards and avoiding getting hit with a PCI non-compliance fee, check out our article, The Quick Guide To PCI Compliance For Small Businesses: What You Need To Know & How To Become Compliant.