The Complete Guide To PCI Fees: How To Avoid PCI Compliance & Non-Compliance Fees (Plus How To Spot A Scam)

Merchant services providers are notorious for tacking on all kinds of additional credit card processing fees and not disclosing them during the sales process.

One fee that raises a lot of questions from merchants is the PCI compliance fee. What is the fee for, and what does being PCI compliant mean? What services does the provider offer in exchange for it? Most importantly, is there any way to get out of paying for it?

Although many of the best payment processors don’t charge a PCI compliance fee, all businesses must pay for PCI compliance one way or another. We’ll look at the numerous ways in which providers charge (or don’t charge) for PCI compliance services and what kind of services you’ll receive. We’ll also discuss the dreaded PCI non-compliance fee and how you can avoid ever having to pay it.

What Is PCI Compliance?

PCI compliance refers to compliance with data security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). These standards are designed to ensure that your customers’ credit card data is handled safely and securely to minimize any chance of a data breach. Compliance with PCI DSS standards is required by the credit card associations (Visa, Mastercard, etc.), but enforcement is generally left up to the individual processors.

Requirements for being PCI compliant can be complex and vary widely from one business to the next. For example, a retail-only business that doesn’t use a payment gateway might have relatively few requirements to meet. At the same time, an eCommerce business that processes all sales over a payment gateway and uses a customer information database to store customer payment method information would have far more extensive requirements. Unfortunately, merchant services providers don’t always take these distinctions into account when setting PCI compliance fees, preferring to charge all merchants the same fee regardless of their actual compliance needs.

PCI Compliance Levels

The credit card associations have divided businesses into four levels of risk based on how many transactions they process annually. Most small businesses will fall under Level 4, defined as “Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.”

To figure out which risk level your business falls under, check out our article on determining your PCI compliance level.

PCI Self-Assessment Questionnaire (SAQ)

While your provider handles many of the required actions, you will also have to perform some steps to perform yourself. The most important action you’ll need to take is to complete the Self-Assessment Questionnaire (SAQ). This questionnaire needs to be updated annually. Failure to keep the SAQ updated is the most common reason merchants are charged a PCI non-compliance fee by their provider.

The PCI Security Standards Council (PCI SSC) publishes several different forms of the SAQ for different types of businesses. These forms are described on the PCI SSC website, which also includes links to instructions and documents you’ll want to refer to when filling out the SAQ.

What Are PCI Fees?

The term “PCI fees” refers to any type of fee charged by your processor in conjunction with meeting PCI compliance standards. There are two kinds of PCI fees charged by credit card processors: PCI compliance fees and PCI non-compliance fees. Since you might see either one (or both!) of these fees on your processing statement, it’s important to understand what they’re for and why you have to pay them.

Does Paying A PCI Compliance Fee Ensure My Business Is PCI-Compliant?

One common misconception about PCI compliance fees is that payment of the fee means that your provider will ensure that your account is fully compliant, and you don’t have to do anything. Unfortunately, this simply isn’t true. While robust PCI compliance services can take care of the more technical aspects of compliance, at a minimum, you’ll still have to complete the Self-Assessment Questionnaire (SAQ) and keep it updated.

How Much Does PCI Compliance Cost?

Merchant account providers that charge for PCI compliance may impose this charge either annually or monthly. In the payments industry, PCI compliance fees generally average around $120 per year or $10 per month.

However, providers are free to charge for PCI compliance any way they want to, so naturally, there’s a lot of variation from one company to the next

Because merchants have generally been unhappy about having to pay yet another fee to maintain their accounts, many providers don’t charge a PCI fee at all. Does that mean that you’re getting PCI compliance services for free? Don’t be silly! In most cases, the PCI compliance cost for a small business is covered through either a higher monthly account fee, higher processing rates, or a combination of the two.

PCI non-compliance fees are handled differently because they are only charged if your account becomes non-compliant. Many providers will charge you a monthly fee of around $20-$30 per month (or more) until you get your account back in compliance. In theory, a provider would be well within its rights to shut down your account if you neglected to bring it back into compliance within a reasonable time. However, this rarely happens in actual practice — probably because the provider is still making money from your account fees and processing activity.

Here’s a breakdown of how several of the most popular merchant services providers in the industry charge for PCI compliance:

Are PCI Compliance Fees A Scam?

Misconceptions about PCI compliance requirements and a general distrust of merchant account providers have led many business owners to feel that PCI compliance fees are just a scam to squeeze more money out of them. While this might be the case with some providers, it’s usually not. Whether or not you’re being ripped off will depend on which of these possible approaches to PCI compliance your provider uses:

• No Fee Charged, No Services Provided: Under this approach, your provider basically leaves PCI compliance up to you. You won’t be charged a PCI compliance fee, but you won’t receive any services to help you maintain compliance, either. It’s very rare to see this approach still in use, given the prevalence of eCommerce today and the provider’s financial risk if a data breach occurs.
• No Fee Charged, Services Are Provided: This approach is the most popular with merchants. You receive at least some services that help you maintain PCI compliance, but you don’t pay a separate fee for them. Many of the providers in the chart above utilize this approach. Of course, nothing is ever really free in the processing industry. In most cases, providers using this approach are actually bundling your PCI compliance costs with your monthly account fee or charging you slightly higher processing rates than you would otherwise receive.
• Fee Charged, Services Are Provided: This is the most common approach used by traditional merchant account providers. You’ll have to pay a fee, but you’ll receive PCI compliance services in exchange for that fee to help keep you compliant. As long as the cost is reasonable and the services provided help keep your account secure, this is a fair and sensible approach.
• Fee Charged, No Services Provided: Unfortunately, there are some unscrupulous providers out there that will gladly charge you a PCI compliance fee but don’t offer any services in exchange. Not only are you on your own when it comes to maintaining compliance but you’re also being ripped off by having to pay a “junk” fee that doesn’t provide anything other than increased profits to your provider. We recommend that you steer clear of providers that utilize this approach.

How will you know which of these approaches applies to your account? One way is to ask your sales agent. However, be aware that most agents won’t voluntarily disclose the existence or amount of PCI fees unless you ask them about the subject.

PCI fees, if any, are spelled out in your contract — usually in the Merchant Application section. Unless your provider specifically states on its website that it doesn’t charge PCI compliance fees, it’s a good bet that they will be part of your agreement. As for what services are provided in exchange for paying PCI fees, you’ll probably have to ask customer service for details. Most sales agents simply won’t be very knowledgeable about this subject.

How To Avoid PCI Compliance Fees

In recent years, more and more providers have stopped charging discrete PCI fees in response to merchant complaints. If you’re dead set on not having to pay for PCI compliance, your best bet is to choose a provider that doesn’t charge those fees at all. This is getting easier to do, although we’d caution you that most of the big-name direct processors and their numerous resellers continue to charge PCI fees in most cases.

You should also be aware that payment service providers (such as Square) aggregate all of their users into a single merchant account. In this case, PCI compliance is handled directly by the provider, and you won’t be charged any PCI fees.

Merchant Services With No PCI Compliance Fee

Finding a provider that won’t charge you any PCI fees is getting much easier, thanks to pressure from merchants to simplify or eliminate the number of extra fees they need to pay to maintain their accounts.

Payment services providers (such as Square and PayPal) take care of PCI compliance for you since you won’t have a unique merchant account for your business. These companies use a flat-rate pricing structure to cover the cost of PCI compliance, so at least a small part of your transaction processing fees goes to covering these costs. However, you won’t have to worry about getting stung with a PCI non-compliance fee.

On the other hand, traditional merchant account providers are more likely to impose PCI fees separately rather than including that cost in the other fees and processing rates that you’re already paying. Providers using membership pricing (such as Stax and Payment Depot) don’t charge separately for PCI compliance. However, you can bet that at least some part of your monthly subscription fee goes toward covering those costs.

Be sure to check out the table above for more providers that don’t charge for PCI compliance.

How To Avoid PCI Non-Compliance Fines & Fees

If you don’t like the idea of paying an extra $30 per month (or more) in junk fees just to have your provider remind you that your account is no longer PCI-compliant, there are many ways to prevent this from happening. Besides the obvious step of choosing a provider that doesn’t charge a PCI non-compliance fee, here are a few things you can do to avoid this penalty:

• Train your employees (and yourself) on proper credit card handling procedures
• Follow all practices recommended by the PCI SSC to secure your processing equipment
• For eCommerce merchants, consider using a hosted payment page to keep credit card data off your website entirely
• Ensure that quarterly security scans are being performed and review the results
• File an updated Self-Assessment Questionnaire (SAQ) every year
• Implement any additional security requirements identified in the SAQ and document your efforts

For most small business owners, these requirements for avoiding PCI compliance fines are relatively easy to meet and shouldn’t require an undue amount of time or effort on your part. Above all, remember that maintaining PCI compliance isn’t about avoiding a penalty fee. Ultimately, it’s about safeguarding your business from a potentially disastrous data breach that can cost you thousands of dollars and put you out of business altogether.

Key Takeaway: PCI Compliance Is Mandatory; PCI Fees Aren’t

Needing to maintain PCI compliance requirements is an inevitable part of having a merchant account. You have to meet those requirements regardless of how much (or how little) assistance you receive from your provider. Because PCI compliance policies and fees vary so much from one provider to another, you should carefully research your provider’s approach to PCI compliance before you sign up for an account.

As we’ve noted, paying a reasonable PCI compliance fee is entirely acceptable as long as your provider offers some actual services to keep you compliant. The situation you want to avoid is one where you’re being charged a PCI compliance fee but aren’t receiving any compliance services.

It’s also critically important to review your contract thoroughly before you sign up with a new provider. While this is good advice in general, it’s particularly important in determining whether you’ll be liable for PCI compliance or non-compliance fees and how much they’ll cost. As we’ve noted, sales representatives generally don’t disclose these fees unless you specifically ask about them first.

For more information on maintaining PCI compliance standards and avoiding getting hit with a PCI non-compliance fee, check out our quick guide to PCI DSS compliance for small businesses.