Apex Pay · Fees, decoded
PCI Compliance Fees Explained (and When You're Being Overcharged)
TL;DR — A PCI compliance fee is a charge your payment processor adds — not Visa or Mastercard — to cover the tools that prove you handle card data safely (your self-assessment questionnaire and vulnerability scans). A fair fee runs roughly $6.95–$12.95/month or $79–$150/year. You're likely being overcharged when it climbs well past that, when you're hit with a monthly "non-compliance" penalty even though you've validated, or when the fee buys scans and insurance you never touch.
What is a PCI compliance fee, exactly?
It's a fee your processor bills to offset the cost of helping you meet the Payment Card Industry Data Security Standard (PCI DSS) — the security rulebook every business that accepts cards must follow. In practice, the fee is supposed to pay for a bundle: access to your Self-Assessment Questionnaire (SAQ), quarterly ASV vulnerability scans where required, breach-liability coverage, and support to keep your attestation current.
The important nuance: PCI DSS is a real, mandatory standard. The fee attached to it is not standardized at all. Two merchants with identical setups can pay wildly different amounts depending purely on who processes their payments.
Who actually charges it — and who doesn't?
Your processor or acquiring bank charges it. The card networks do not. Visa, Mastercard, Amex, and Discover require you to be compliant, but they never send you a line item called "PCI compliance fee." That distinction matters, because it means the charge is a business decision by your provider — which makes it negotiable, and sometimes entirely removable.
If a rep tells you the PCI fee is "a Visa requirement" or "non-negotiable," that's a signal to push back. The requirement is compliance; the fee is their markup.
What should a fair PCI compliance fee cost?
Answer first: for a small business, expect roughly $8–$13 per month when billed monthly, or $79–$150 per year when billed annually. Anything materially above that should come with a clear explanation of what extra you're getting. Here's how the common line items compare.
| Line item | Industry-typical range | Legit or junk? |
|---|---|---|
| PCI compliance fee (monthly) | $6.95–$12.95 | Reasonable if it includes scans + SAQ tools |
| PCI compliance fee (annual) | $79–$150 | Fair; often cheaper than monthly |
| Non-compliance penalty (monthly) | $19.95–$49.95+ | Avoidable — validate to make it stop |
| "PCI compliance" with no scans, no SAQ portal | $20–$45/mo | Junk — pure margin, dispute it |
What is the PCI "non-compliance" fee — and how do I stop paying it?
The non-compliance fee is a recurring penalty that kicks in when you haven't completed your annual validation. It's not a fine from the card brands — it's your processor's way of nudging you (and profiting) until you attest. The fix is almost always straightforward: complete your SAQ and, if required, pass a quarterly ASV scan.
Which SAQ you file depends on how you take cards. Your merchant "level" is set by annual transaction volume — Level 4 covers most small businesses (under ~20,000 e-commerce or under 1 million total transactions a year), up to Level 1 for the largest merchants (6M+). The questionnaire itself ranges from the short SAQ A (about 31 questions, for merchants who fully outsource card handling) to the exhaustive SAQ D (250+ questions). Most small, card-present or hosted-checkout merchants land on SAQ A or SAQ A-EP under the current PCI DSS v4.0.1 standard, which added requirements 6.4.3 and 11.6.1 to guard against e-skimming on payment pages.
When are you being overcharged? Three red flags
Answer first: the fee is fair when it's modest and clearly tied to real tools. Be suspicious when you see any of these patterns on your statement:
- The number keeps creeping up. A PCI fee that quietly rose from $9.95 to $29.95 across renewals, with no new service attached, is margin — not compliance.
- You're paying a non-compliance penalty despite validating. If your SAQ is on file and you're still billed the penalty, that's a billing error or a stalling tactic. It's recoverable.
- The fee buys nothing you can log into. A legitimate PCI program gives you a portal, a scan schedule, and an attestation certificate. No portal, no scans, no SAQ walkthrough? You're paying for a label.
Two more to watch: double-dipping (a monthly compliance fee and an annual one for the same coverage) and bundled breach insurance you never opted into and can't see the policy for.
How do I lower or remove PCI fees?
- Pull three recent statements and highlight every line with "PCI," "compliance," "regulatory," or "security" in it.
- Confirm your validation status. Log into your processor's PCI portal and complete or renew your SAQ — this alone kills any non-compliance penalty.
- Call and ask three questions: Is this fee negotiable? What tools does it include? Will you waive or reduce it given my compliance history and volume?
- Get any waiver in writing and set a calendar reminder to re-check at renewal, when fees tend to drift upward.
- If the answers are vague, benchmark elsewhere. A transparent processor will itemize exactly what the fee covers before you ask twice.
A quick illustration of the math
Consider a representative composite home-services company running about $40,000/month in card volume. Their statement carried a $34.95 monthly "PCI compliance fee" with no visible scans or SAQ portal. After validating their SAQ A and requesting a review, the fee dropped to a $99 annual charge — roughly $320 saved in year one, for the same actual compliance coverage.
Illustrative sample. "Representative composite" is a hypothetical SMB, not a specific Apex Pay client; figures are illustrative and not a guarantee of results. Your fees depend on your processor, merchant level, and volume.
Frequently asked questions
Is a PCI compliance fee mandatory?
No. PCI compliance is mandatory, but the fee is charged at your processor's discretion — the card networks don't require it. Many processors will waive or reduce it, and some don't charge one at all.
What's the difference between a compliance fee and a non-compliance fee?
The compliance fee covers tools to keep you validated (SAQ access, ASV scans, support). The non-compliance fee is a penalty applied when you haven't completed your validation. Finishing your SAQ removes the penalty.
How do I know which SAQ I need?
It depends on how card data flows through your business. Merchants who fully outsource checkout to a hosted, PCI-validated provider usually qualify for the short SAQ A; those touching more card data may need SAQ A-EP or SAQ D. Your processor's PCI portal recommends the right one during validation.
Can I really get PCI fees refunded?
Sometimes. Non-compliance penalties billed after you validated, or duplicate compliance charges, are frequently reversible if you ask promptly. Standard compliance fees are more often reduced or waived going forward than refunded retroactively.
Does going PCI-compliant myself avoid the fee?
Completing your SAQ and scans is what makes you compliant, but the processor's service fee is separate. If you handle validation independently, ask your provider to drop or lower the fee accordingly — you're no longer relying on their managed program.
The Apex Pay take: a PCI fee should be small, itemized, and obviously connected to real tools you can log into. Anything else is a line item worth a phone call. We build payments for the businesses the giants overlook — which means no mystery fees, and a statement you can actually read.