TL;DR

PCI compliance fees on your processing statement are not paid to the PCI Security Standards Council. They are processor-billed line items, typically $99 to $360 per year, plus a separate $19.95 to $39.95 monthly non-compliance fee if you have not completed your annual Self-Assessment Questionnaire (SAQ). Most small merchants can self-attest in under 90 minutes through their processor's portal. The first move: pull your last 12 statements, total the PCI and non-compliance lines, then file your SAQ before the next billing cycle.

What this actually is

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 high-level requirements maintained by the PCI Security Standards Council (PCI SSC), a body founded in 2006 by Visa, Mastercard, American Express, Discover, and JCB. The standard itself is published free of charge. The Council does not bill merchants for compliance: it qualifies Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), and it publishes the Self-Assessment Questionnaires (SAQs) that smaller merchants use to attest in place of a full on-site assessment.

What appears on your processing statement as a "PCI compliance fee," "PCI program fee," "PCI service fee," or "data security fee" is a charge set and collected by your acquirer or ISO. The fee typically bundles access to a self-attestation portal, sometimes quarterly external vulnerability scans from an ASV, and in some cases a breach-coverage warranty of $50,000 to $100,000 (usually conditional on your having a current, valid attestation on file when the breach occurs). Visa's published merchant requirements (Visa small business regulations) confirm that acquirers, not Visa, set these fees. Mastercard's interchange documentation (Mastercard interchange) likewise lists no PCI fee.

If you fail to complete the SAQ by the deadline your processor sets, that same processor adds a monthly non-compliance fee, typically $19.95 to $39.95, until you attest.

A PCI compliance fee is a processor-charged line item, not a regulatory fee, billed to fund self-attestation tools, optional ASV scans, and an optional breach warranty.

How it works under the hood

The card brands require every merchant that stores, processes, or transmits cardholder data to comply with PCI DSS and, depending on its level and its acquirer's policy, to validate that compliance every year. The brands push enforcement responsibility down to acquirers. Acquirers push the cost, and the work, down to you.

Here is the actual flow:

  1. The card brands set tiers. Visa defines Level 4 as merchants processing up to 1 million Visa transactions per year and fewer than 20,000 Visa e-commerce transactions; almost every reader of this article is Level 4. Level 1 (over 6 million transactions, or any merchant a brand designates) requires an annual on-site assessment and Report on Compliance by a QSA or a qualified internal assessor. Levels 2 and 3 generally validate with an SAQ plus quarterly ASV scans (Mastercard adds extra conditions at Level 2). Level 4 self-attests with an SAQ, and whether validation is required at all is the acquirer's call. (Visa merchant levels).
  2. The acquirer chooses a PCI vendor. Companies such as SecurityMetrics, Trustwave, ControlScan, and Sysnet provide white-labeled portals where merchants log in, answer the SAQ, and, where their SAQ type requires it, run quarterly ASV scans against the public-facing IPs or domains in scope. The acquirer pays the vendor a wholesale rate, usually $10 to $40 per merchant per year.
  3. The acquirer marks up the cost. The statement line is $99 to $360 annually. The spread between vendor cost and merchant fee is pure processor margin.
  4. Annual reattestation triggers a new charge. Most processors bill the fee once per year, on the merchant's anniversary date. A few bill it monthly at $8.25 to $19.95.
  5. Failure to attest triggers the non-compliance fee. If you do not complete the SAQ within 60 to 90 days of opening the merchant account, or within 60 days of the anniversary, the processor flips you to non-compliant status and adds $19.95 to $39.95 per month. This stops the day you complete the SAQ.
  6. The PCI Council gets nothing from these fees. Per the council's own published merchant guidance (PCI SSC merchant process), merchants validate through their acquirer. The council collects fees from QSAs and vendors, not merchants.

Most small merchants pay PCI fees they could cut sharply in under 90 minutes. The non-compliance fee alone runs $239.40 to $479.40 per year ($19.95 to $39.95 times 12) on a single account, regardless of volume.

Where it goes wrong for operators

Four patterns drain the most money. Each one is a contract or workflow problem, not a card-brand problem.

1. Auto-billed PCI fee on a processor you do not actively use

If you have a legacy merchant account you stopped routing volume through, or a backup MID, you are still paying its annual PCI fee. At $120 to $180 per inactive MID, an operator with three legacy merchant accounts from old vendors is paying $360 to $540 per year for nothing. The fix is to close the MIDs in writing.

2. Non-compliance fee on a new account

New merchant accounts come with a 60 to 90 day grace period to file the SAQ. Most onboarding emails bury the deadline deep in the welcome packet. At $29.95 per month, every month you miss costs roughly $30, and a full year of it costs $359.40. The fix is to file the SAQ during account setup, not after the first statement.

3. Double-billed PCI fees on multi-MID setups

Operators with a sub-account structure (separate MIDs for e-commerce, retail, and mail order) are often billed a separate PCI fee on each MID. A merchant with four MIDs at $144 per year is paying $576 per year for what may be a single attestation. The fix is to ask the processor to consolidate PCI billing to a single parent account, which most will do on request. One caveat before you call: different channels can require different SAQ types (SAQ A for fully outsourced e-commerce, SAQ B or B-IP for standalone terminals), so confirm with the processor that one attestation, or one set of attestations filed together, is accepted for all the MIDs involved.

4. PCI fee bundled with a flat-rate plan that already "includes" it

Flat-rate processors such as Square, Stripe, PayPal, and Helcim do not charge a separate PCI fee; the cost is built into the flat rate. If your statement lists a PCI fee on a flat-rate plan you were told was all-in, the processor is either out of policy or you signed a different agreement than you remember.

Watch out: some processors charge both an annual PCI fee and a monthly PCI program fee. The annual fee covers the SAQ portal; the monthly fee is pure margin and is negotiable. Pull both lines from the statement before calling.

The non-compliance fee is a clock. Every month it runs adds $20 to $40 to your statement. Stopping it takes 90 minutes.

Worked example with real numbers

Profile: a regional auto-parts retailer running both a retail counter and a Shopify storefront. Monthly card volume is $180,000, split 70 percent card-present and 30 percent e-commerce. Average ticket is $58. The merchant uses a tiered-pricing processor sold by a local ISO three years ago.

Sample statement: PCI compliance line items broken out for an auto-parts retailer at $180K monthly volume.

The last 12 months of statements show three relevant line items:

  • Annual PCI compliance fee: $149, billed once in February.
  • Monthly PCI program fee: $9.95 per month, $119.40 per year.
  • Non-compliance fee: $29.95 per month for 7 months last year, $209.65 total. The bookkeeper never filed the SAQ.

Total year-one PCI-related cost: $478.05. On $2.16 million in annual volume, that is 2.2 basis points of pure overhead, before any interchange markup.

Real-world example: this merchant called the processor, asked for the non-compliance fee to be reversed once the SAQ was filed, and requested that the monthly PCI program fee be waived. The processor agreed to reverse three months of non-compliance fees ($89.85) and dropped the monthly program fee. Year-two PCI cost: $149 annual fee only. Net annual savings: $329.05, plus the one-time $89.85 credit.

If the same operator had two MIDs billed separately (retail and e-commerce), every line above would roughly double, and so would the savings. Some processors charge the annual fee per MID even when one attestation covers both.

The math gets sharper at higher volume. At $500,000 monthly ($6 million a year), a merchant paying $480 per year in PCI and non-compliance fees is spending 0.8 basis points on a line item that should be 0.3 basis points (about $180) or zero. Over five years that is $1,500 to $2,400 left on the table by not picking up the phone.

Operator playbook

Seven actions to take this week. Each one is a phone call, a portal login, or a statement audit.

  1. Pull the last 12 statements and search for these line items: "PCI," "data security," "compliance," "DSS," "program fee," "non-compliance." Sum the annual total. This is your baseline.
  2. Log into the PCI portal your processor provided. The link is in your welcome email or on the processor's merchant dashboard. Common vendors: SecurityMetrics, Trustwave, ControlScan, Sysnet. Complete the SAQ. For most Level 4 merchants this is SAQ A (e-commerce or mail/telephone order with payment processing fully outsourced to a validated third party, so no cardholder data touches your systems), SAQ B (standalone dial-out terminals), or SAQ B-IP (standalone IP-connected terminals); the portal usually selects the type from a few screening questions. Answer those questions accurately: an SAQ that misdescribes your environment gets the fee off your statement but leaves you exposed if a breach investigation finds the attestation was wrong. It takes 30 to 90 minutes.
  3. Ask the processor to reverse non-compliance fees retroactively. Once you complete the SAQ, call and ask for the last 3 to 6 months of non-compliance fees to be credited. Most processors will refund 2 to 3 months without escalation. The script: "I just completed my SAQ. Please reverse the non-compliance fees from the last three months."
  4. For multi-MID setups, ask for PCI fee consolidation. The exact request: "I have one PCI attestation covering all MIDs under my account. Please bill the annual PCI fee on the parent MID only and remove it from the sub-MIDs." Most processors will accommodate this.
  5. Close inactive MIDs in writing. If you have a legacy gateway or backup processor you have not used in 12 months, send a written account closure request. Verbal closures do not stop the annual PCI auto-bill.
  6. Negotiate the PCI fee at renewal. When your contract comes up, treat the PCI fee as a line item like any other. A $99 annual fee is reasonable. A $189 annual fee plus a $9.95 monthly fee is not. The lever: a competing processor quote that itemizes PCI at $0 to $99.
  7. Set a calendar reminder for the SAQ anniversary. The single highest-ROI action in this entire playbook. A 60-second calendar entry prevents 12 months of non-compliance fees.
Operator note: reattestation is annual, not one-and-done. Even merchants who filed last year get switched back to non-compliant status if they miss the anniversary. The processor does not warn you in big letters; the fee just reappears.
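The statement audit in step 1 of the playbook, and the arithmetic in the worked example above, as an added example (this is not a tool from the article's author, any processor, or any PCI vendor). It assumes the statements have been exported to a CSV with the columns date, mid, description, and amount; those column names are an assumption about your processor's export. The sample rows are constructed to reproduce the worked example's numbers, with a few unrelated lines mixed in so the filter has something to ignore, including a "regulatory compliance fee" that matches the word "compliance" but is not a PCI charge.

```python
"""Audit PCI-related line items from a processing-statement export.

Added example for this article, not a processor's or vendor's tool. Assumes
a CSV export with columns date,mid,description,amount (an assumption;
adjust the DictReader keys to match your processor's export).
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass


def classify(description: str) -> str | None:
    """Map a statement description to an audit category, or None if unrelated.

    Order matters: "PCI NON-COMPLIANCE FEE" also contains "PCI", so the
    non-compliance check runs first. Lines that say "compliance" without
    PCI/DSS (e.g. a regulatory compliance fee) are flagged for review,
    not counted as PCI.
    """
    d = description.lower().replace("-", " ")
    if "non compliance" in d or "noncompliance" in d:
        return "non_compliance"
    is_pci = any(k in d for k in ("pci", "dss", "data security"))
    if is_pci and ("annual" in d or "yearly" in d):
        return "pci_annual"
    if is_pci:
        return "pci_recurring"  # monthly program / service fees
    if "compliance" in d:
        return "review"
    return None


@dataclass
class AuditResult:
    by_category: dict[str, float]                # category -> dollars
    by_mid: dict[str, float]                     # mid -> PCI-related dollars
    non_compliance_months: dict[str, list[str]]  # mid -> sorted YYYY-MM list
    total: float                                 # PCI-related dollars, "review" excluded
    annual_volume: float

    def basis_points(self) -> float:
        """Overhead as basis points of annual card volume (1 bp = 0.01%)."""
        return self.total / self.annual_volume * 10_000 if self.annual_volume else 0.0

    def avoidable(self) -> float:
        """What a filed SAQ plus one phone call usually removes:
        the non-compliance fee and the recurring monthly PCI fee."""
        return round(self.by_category.get("non_compliance", 0.0)
                     + self.by_category.get("pci_recurring", 0.0), 2)


def audit(statement_csv: str, annual_volume: float) -> AuditResult:
    """Total PCI-related charges across the statement rows, per category and per MID."""
    by_category: dict[str, float] = defaultdict(float)
    by_mid: dict[str, float] = defaultdict(float)
    nc_months: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(statement_csv)):
        cat = classify(row["description"])
        if cat is None:
            continue
        amount = float(row["amount"])
        by_category[cat] += amount
        if cat != "review":
            by_mid[row["mid"]] += amount
        if cat == "non_compliance":
            nc_months[row["mid"]].add(row["date"][:7])
    total = sum(v for k, v in by_category.items() if k != "review")
    return AuditResult(
        by_category={k: round(v, 2) for k, v in by_category.items()},
        by_mid={k: round(v, 2) for k, v in by_mid.items()},
        non_compliance_months={m: sorted(s) for m, s in nc_months.items()},
        total=round(total, 2),
        annual_volume=annual_volume,
    )


def report(result: AuditResult) -> str:
    lines = [f"PCI-related charges, last 12 months: ${result.total:,.2f} "
             f"({result.basis_points():.2f} bp of ${result.annual_volume:,.0f} volume)"]
    for cat, amt in sorted(result.by_category.items()):
        lines.append(f"  {cat:<16}${amt:>9,.2f}")
    for mid, months in result.non_compliance_months.items():
        lines.append(f"  MID {mid}: non-compliance fee in {len(months)} month(s): "
                     + ", ".join(months))
    lines.append(f"  avoidable (non-compliance + recurring PCI): ${result.avoidable():,.2f}")
    return "\n".join(lines)


def build_sample_statement() -> str:
    """Constructed 12-month statement matching the worked example: one MID,
    $149 annual PCI fee in February, $9.95 monthly PCI program fee, $29.95
    non-compliance fee June through December, plus unrelated lines."""
    rows = ["date,mid,description,amount"]
    for m in range(1, 13):
        d = f"2024-{m:02d}-28"
        rows.append(f"{d},1001,MONTHLY STATEMENT FEE,10.00")
        rows.append(f"{d},1001,PCI PROGRAM FEE,9.95")
        rows.append(f"{d},1001,REGULATORY COMPLIANCE FEE,4.95")
        if m == 2:
            rows.append(f"{d},1001,ANNUAL PCI DSS COMPLIANCE FEE,149.00")
        if m >= 6:
            rows.append(f"{d},1001,PCI NON-COMPLIANCE FEE,29.95")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    print(report(audit(build_sample_statement(), annual_volume=180_000 * 12)))
```

Run it as-is to see the worked example's $478.05 and 2.21 bp reproduced, then point `audit()` at your own export. The `review` bucket exists because a keyword search for "compliance" alone, as step 1 suggests, will also catch unrelated regulatory or "compliance" junk fees; those deserve their own phone call but should not be mixed into the PCI total you quote to the processor. The `avoidable()` figure is the number to open the negotiation with: the non-compliance months stop the day the SAQ is filed, and the recurring monthly PCI line is the margin item the article identifies as negotiable.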