Payment Technology

You’re Probably Paying a Fine Right Now for Something That Takes an Hour to Fix

Most small merchants have a line item on their monthly processing statement they’ve never looked at closely. It’s labeled something like “PCI non-compliance fee” or “data security fee” or sometimes just “monthly compliance fee.” The amount varies by processor — but $60 to $80 per month is common. Some processors charge more.

That’s $720 to $960 per year. For not answering a questionnaire.

The PCI compliance fee structure has two parts — and most merchants only know about one of them. There’s a legitimate base fee your processor charges every month regardless of your compliance status, and then there’s the non-compliance penalty on top of it. The penalty is the one that’s costing you money. And it’s the one that goes away the moment you spend 20 to 40 minutes completing a self-assessment questionnaire online.

Here’s what the PCI compliance fee actually is, what it requires for most small merchants, and why your processor hasn’t made this easier for you.

What It Is

PCI Compliance Fee — The Two Charges on Your Statement

Most processors charge two separate PCI-related line items, and the distinction between them is the entire point.

PCI compliance fee — the legitimate base charge

A monthly or annual fee covering your processor’s cost of managing compliance, providing the SAQ portal, and maintaining their own certification. Typically $3–$10/month. This is legitimate and shows up whether or not you’ve completed the questionnaire.

PCI non-compliance fee — the penalty you can eliminate

A separate penalty charged when you haven’t completed your annual Self-Assessment Questionnaire. This is the charge that ranges from $60 to $80 per month. It is not a standard cost of doing business — it’s a fine for an incomplete action. It disappears the moment you complete the SAQ.

The problem is that many processors bundle or label these fees in ways that make them look like one fixed charge. If your monthly statement shows a PCI-related fee above $15–$20, look closely at the label. Non-compliance fees are often buried in statement formatting designed to make them look routine.

The CFPB’s guidance on card payment fees provides context on how processors are permitted to structure and disclose these charges. Understanding your full fee picture is what a free statement review is built to uncover.

Why It Exists

What PCI DSS Is — and Why Every Merchant Is Required to Comply

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements established by Visa, Mastercard, American Express, and Discover to protect cardholder data. Every business that accepts card payments is required to comply — the card networks mandate it, and your processor enforces it through your agreement.

The standard is administered by the PCI Security Standards Council, an independent body created by the card networks. The Federal Reserve’s payment systems oversight framework establishes the broader regulatory context that acquiring banks and processors operate within.

The PCI compliance fee penalty is the least of your problems if a breach occurs while you’re non-compliant. You’d be liable for the breach investigation, card reissuance costs, and potential fines from the card networks — exposure that can be financially catastrophic for a small merchant. Compliant merchants face substantially reduced liability in breach scenarios.

The good news: for most small merchants, achieving compliance is a questionnaire — not an audit.

What It Requires

For Most Small Merchants, Eliminating the PCI Compliance Fee Takes One Form

PCI compliance requirements vary based on transaction volume and how your business handles card data. Most small businesses fall into the category that requires only a Self-Assessment Questionnaire (SAQ) — no external auditor, no security consultant, no IT infrastructure review.

There are several SAQ types, but the two most common for small merchants are:

SAQ-A — fully outsourced e-commerce

For merchants who accept cards through a fully outsourced payment system where no card data touches their own systems. Covers most e-commerce merchants using hosted checkout pages. About 22 questions, 15–20 minutes.

SAQ-B — standalone card terminals

For merchants using standalone dial-out card terminals that don’t store card data. Covers most brick-and-mortar retailers with a standard countertop terminal. About 41 questions, 20–30 minutes.

Your processor should have told you which SAQ type applies to your business. If they haven’t, ask. Once you complete the questionnaire through your processor’s compliance portal — most use a third-party platform like SecurityMetrics or Trustwave — the PCI non-compliance fee stops immediately.

If your processor is telling you that you also need a quarterly vulnerability scan and you’re a small retailer with a standard terminal, ask them to show you where in your agreement that requirement is documented. For SAQ-A and SAQ-B merchants, scans are typically not required.

The cost of never getting that proactive walkthrough from a processor is real, and we’ve seen it. Marisol Vega’s optometry practice in Tampa paid a $124.99 monthly PCI non-compliance fee for eighteen months — over $2,200 — before she realized completing the questionnaire would have stopped it. Her processor never proactively walked her through the SAQ. The questionnaire itself took her eighteen minutes once she actually opened the portal.

How to Fix It

Three Steps to Eliminate the Non-Compliance Portion of Your PCI Compliance Fee

1. Log into your processor’s portal. Most processors have a compliance section in their merchant dashboard — look for “PCI Compliance,” “Data Security,” or similar. If you can’t find it, call your processor and ask for the direct link.
2. Complete your SAQ. Answer honestly based on how your business actually handles card data. For most small merchants this means confirming you use a processor-provided terminal or hosted checkout, you don’t store card numbers in your own systems, and your terminal software is current. The questions are straightforward if you’re using standard equipment.
3. Confirm compliant status and verify your next statement. Your compliance status should update within a day or two of submission. Confirm it changed. Check your next statement to verify the non-compliance portion of the PCI compliance fee is gone. Keep a copy of your completed SAQ — you’ll redo this annually.

If the portal is confusing, call your processor’s support line and ask them to walk you through it. It’s in their interest to get you compliant — the non-compliance fee generates merchant friction, and processors prefer clean accounts. Review your effective rate before and after — the savings are usually immediately visible.

Common Questions

Frequently Asked Questions

What is a PCI compliance fee?

A PCI compliance fee is a charge your processor adds for managing your compliance status under the Payment Card Industry Data Security Standard. It typically appears as two components: a compliance fee ($5–$15/month) for merchants who have completed their self-assessment, and a non-compliance fee ($30–$100/month) for merchants who haven’t. The non-compliance fee disappears once you complete the SAQ.

How do I become PCI compliant to stop paying the non-compliance fee?

Most small businesses qualify for the SAQ-A or SAQ-B self-assessment — a questionnaire that takes 30–60 minutes to complete online. Log into your processor’s compliance portal (usually accessible from your online account), complete the applicable SAQ, and submit it. The non-compliance fee should stop appearing on your next statement. If you can’t find the portal, call your processor and ask for the PCI compliance link.

Is the PCI compliance fee charged by all processors?

Most processors charge some form of PCI fee. What varies is the amount and whether they separate the compliance fee from the non-compliance penalty. Under interchange-plus pricing, PCI fees appear as distinct line items on your statement. Under flat-rate or tiered pricing, they’re often buried in the fee schedule or added as a separate monthly line item you may not have noticed.

Next Step

Think You Might Be Paying the Non-Compliance Fee?

Send us your last processing statement. We identify every fee line item — including PCI non-compliance fees, service fees, and anything else quietly adding to your monthly cost. If you’re already compliant and still being charged, we’ll show you what’s happening and what you can do about it. If the fee is legitimate but the overall rate isn’t, we’ll show you that too.

Get Your Free Statement Review

No obligation • No pressure • Response within one business day

Kevin wrote this. But if he's wrong, we'll make it right — and demote Kevin to sharpening pencils. BeBetter@brooksidepayments.com