PCI Compliance | 29 May 2026 | 24 min read

Cost of PCI Compliance — The Complete 2026 Guide

What does the cost of PCI compliance actually look like in 2026? Real numbers for SAQ A through Level 1, plus the line items vendors don't price up.

TL;DR

The cost of PCI compliance in 2026 ranges from about £2,000 a year for a clean SAQ A merchant to £150,000+ for a Level 1 Report on Compliance. The biggest variable isn't your QSA's day rate — it's how much of your environment you've left in scope. Descope the contact centre and you collapse the audit by 80-95%.

Last updated: 29 May 2026

Most teams asking about the cost of PCI compliance want one number. There isn't one. The honest answer is a range that swings between about £2,000 and £250,000 per year, and where you land on it depends less on your QSA's hourly rate and more on choices you made about your architecture two or three years ago. A retailer with a fully outsourced phone-payment flow and an iframed checkout sits at the bottom of that range. A contact centre with 400 agents who all hear card numbers, recordings that capture DTMF tones, and a CRM that stores the PAN sits at the top.

This guide walks through the cost of PCI DSS compliance the way we'd talk through it with a prospect on a buying call. It's written from where we sit — we're a PCI DSS Level 1 service provider, ten years deep in contact centre integrations, and our clients typically arrive when their current audit bill has crossed a threshold they can't justify any more. We'll cover what each merchant level actually costs to validate, the cost of PCI compliance for small business operators specifically, the line items vendors never put on the first quote, and the descoping work that moves you from one cost bracket to another. We'll also tell you when descoping isn't the right answer — there are cases where leaving it in scope is cheaper than the work to take it out.

What drives the cost of PCI compliance in the first place

Before any numbers make sense, you need to know what you're paying for. The cost of PCI compliance breaks down into five buckets, and every quote you ever see is a mix of these — the proportions just shift depending on your merchant level and your architecture.

The first bucket is validation. That's the cost of someone — either you, your acquirer, or a Qualified Security Assessor — confirming you meet the standard. For SAQ merchants it's an internal exercise plus an annual sign-off; for Level 1 merchants it's a QSA-led Report on Compliance that runs into six figures. Validation gets the headlines because it's the visible invoice, but it's usually the smallest part of the total.

The second bucket is technical controls. Network segmentation, MFA across the cardholder data environment, file integrity monitoring, log management, endpoint protection, vulnerability scanning, penetration testing. These are the controls that have to exist whether anyone validates them or not. They run constantly, they cost money constantly, and they scale with the size of your environment rather than your merchant level.

The third bucket is people. The internal compliance lead who runs the programme, the security engineers who maintain the controls, the contact centre managers who train staff on call handling, the procurement team who chase Attestations of Compliance from vendors. On a Level 1 RoC, internal staff time usually exceeds the QSA bill by a factor of two or three. On an SAQ A, internal time might be ten hours a year.

The fourth bucket is third-party services that exist specifically because of PCI. Approved Scanning Vendor subscriptions, penetration test engagements, security awareness training platforms, GRC tools, vendor management platforms. None of them are mandatory by name in the standard — but every one of them is the practical answer to a control requirement that would cost more to meet in-house.

The fifth bucket is the cost of breach exposure that PCI compliance is supposed to reduce. Cyber liability insurance premiums, the implicit cost of card-scheme fines if a control fails, the reputational cost of an incident. These are the costs people forget to count when they're comparing the price of compliance against the price of doing nothing. We cover the full picture of what non-compliance actually costs in our piece on hidden costs of PCI non-compliance.

The five buckets don't sum to the same total for every merchant. A 10,000-transaction-a-year insurance broker on SAQ A might spend £4,000 across all five. A Level 1 contact centre might spend £180,000 a year on the same five buckets, with the technical controls and the people lines making up most of it. Anyone quoting you a fixed "cost of PCI compliance" without asking what your environment looks like is selling you a number they can't honour.

The cost of PCI compliance by merchant level

The PCI Council defines four merchant levels based on annual card transaction volume across all channels. Levels are set by your acquiring bank rather than self-declared, and they drive the validation route you have to follow. Here's what each level typically costs to validate and run, based on the engagements we see clients arriving from and quotes they share with us.

Level 1 — 6m+ transactions a year

Level 1 merchants need an annual Report on Compliance produced by a QSA, plus quarterly Approved Scanning Vendor scans and an annual penetration test. The QSA engagement alone runs from £40,000 at the bottom end (small, well-segmented environment with mature controls and tight scope) to £150,000 at the top end (large enterprise with significant in-scope estate, multi-site, multiple business units, and complex outsourcing arrangements). The number depends on how many days the QSA team needs to walk the controls, test the evidence, and write the report — and that's a direct function of how big your cardholder data environment is.

Add the technical controls running costs and the picture doubles or triples. A Level 1 contact centre we worked with in 2025 was spending £45,000 a year on the QSA RoC, £18,000 on quarterly ASV scans and the annual pen test, £30,000 on file integrity monitoring and log aggregation, £25,000 on internal compliance staff time, and another £15,000 on vendor management and training. That's £133,000 a year before they paid a single penny for the payment platform itself. Their architecture had grown by accretion — every new system somebody added had been quietly pulled into PCI scope because nobody had the time to argue.

After descoping the contact centre — removing card data from recordings, taking agents off the path during digit entry, restricting PAN exposure in the CRM — the same merchant moved to SAQ D from a much smaller in-scope footprint. The annual cost dropped to around £35,000. The piece on what "descoped" actually means walks through the mechanics.

Level 2 — 1m to 6m transactions a year

Level 2 merchants can usually self-assess using SAQ D, with an Attestation of Compliance signed by an internal officer. Some acquirers require a QSA-led on-site assessment regardless of the standard's self-assessment provision — check with yours before you assume.

A typical Level 2 cost picture: £8,000 to £15,000 for the SAQ D preparation and sign-off (which often involves a QSA-assisted assessment even when not strictly required, because the questionnaire is 300+ questions and the cost of getting it wrong outruns the cost of getting help), £12,000 to £18,000 for ASV scans, internal pen tests, and external pen tests, £20,000 to £40,000 in internal staff time, and £15,000 to £30,000 across the technical control stack. Total: £55,000 to £103,000 a year.

The wide spread at Level 2 reflects how variable the merchant population is. A retail chain doing 2m phone transactions across 200 stores has a much bigger PCI surface than a single-site contact centre doing 1.5m. The technology stack matters more than the transaction count at this level.

Level 3 — 20,000 to 1m e-commerce transactions a year

Level 3 applies to e-commerce merchants specifically, with self-assessment via the appropriate SAQ. For most online-only retailers using a fully hosted checkout (Stripe Checkout, Worldpay hosted, etc.), SAQ A applies — that's the 22-question form for fully outsourced card handling. The annual validation cost is essentially the time of one internal owner signing off the questionnaire.

The technical control bill is small because the cardholder data environment is small. ASV scans on the merchant website (which doesn't store PAN but is still nominally in scope for SAQ A under v4.0.1's expanded e-commerce rules) cost £1,500 to £3,500 a year. Internal time on a clean SAQ A might be 8 to 15 hours annually. Total: £2,500 to £6,000.

The catch is that "hosted checkout" is one of the most misunderstood compliance categories. A merchant who thinks they're on SAQ A because they use a hosted form might actually be on SAQ A-EP if any payment-page JavaScript lives on their own domain — and SAQ A-EP requires Requirement 6.4.3 script integrity monitoring, which adds £8,000 to £25,000 a year for tooling and review time. The compliance cost can swing by a factor of five based on which side of that line your architecture sits on.

Level 4 — under 20,000 e-commerce or under 1m channel-mixed

Level 4 covers most small businesses and the long tail of the merchant population. Validation is via SAQ, with the SAQ choice driven by data flow rather than transaction count. A small-business retailer using a hosted POS and a hosted checkout might run an SAQ B-IP or SAQ A at a total annual cost of £800 to £2,500 — mostly the ASV scan and a few hours of admin. A small contact centre running a phone-payment platform where agents hear the card might be on SAQ D at £8,000 to £15,000, even at low transaction volumes. The architecture, not the merchant level, drives the bill.

We cover the small-business picture in detail in PCI compliance for small business — including the specific quotes small operators have shared with us and the trade-offs they had to make. The headline message: "how much does PCI compliance cost" has a smaller answer for a small business, but the SAQ logic is the same as a Level 1. Get the data flow right and you get the cheap SAQ. Get it wrong and you're paying enterprise-shape money on a small-business turnover.

The SAQ-by-SAQ cost breakdown

The merchant level sets the validation route at the top. Underneath, the SAQ you fill in drives most of the variable cost. SAQ A is short and cheap. SAQ D is long and expensive. The work to move between them is exactly the descoping work this guide is built around.

SAQ A — 22 questions, around £2,000 to £6,000 a year all-in

SAQ A applies to merchants whose systems never store, process, or transmit cardholder data. All card handling is outsourced to a PCI DSS validated third party. For phone payments, that means a masked DTMF flow with a Level 1 service provider sitting in the audio path; for e-commerce, that means a fully hosted checkout with no payment-page JavaScript on the merchant's domain.

The annual cost runs to £2,000 to £6,000 for most operators. That covers the SAQ A itself (4-8 hours of internal time once you've got the routine), the ASV scan on the small remaining attack surface (£1,500 to £3,500 from a vendor like Trustwave, ControlScan, or Qualys), the third-party management overhead under Requirement 12.8 (a few hours to refresh AoCs from your providers each year), and the security awareness training for the handful of internal staff who touch the payment plumbing.

What you're paying for isn't the validation — it's the descoping work that put you on SAQ A in the first place. A masked phone-payment platform costs £200 to £2,000 a month depending on volume; a hosted checkout costs nothing on top of standard gateway fees. The compliance line on your P&L looks small because the architecture decision did the heavy lifting upstream.

SAQ A-EP — around £15,000 to £40,000 a year

SAQ A-EP applies to e-commerce merchants whose website redirects to a third-party payment page but where the redirect itself involves merchant-controlled code. The 2026 version expanded sharply under v4.0.1's Requirement 6.4.3 — every script on a payment page now needs to be inventoried, justified, and integrity-checked.

The cost picture: £4,000 to £8,000 for the SAQ A-EP completion (it's longer than SAQ A and the script-integrity questions need real evidence), £5,000 to £12,000 a year for script monitoring tooling (Source Defense, Feroot, Akamai Page Integrity Manager, or equivalent), £3,000 to £7,000 for ASV scans, and the rest in internal time. Most merchants on SAQ A-EP are e-commerce operators who didn't realise they'd moved out of SAQ A territory the first time their marketing team installed a third-party tag on a checkout page.
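The script inventory and integrity check that Requirement 6.4.3 asks for, as an added example (not code from the original article or from Paytia): a simplified model of the control, not a product. Script URLs, contents and justifications are constructed sample data; the four finding buckets and the Subresource Integrity helper are this example's own design.

```python
"""Payment-page script inventory and integrity check.

Simplified model of the Requirement 6.4.3 control described above:
inventory every script on the payment page, record why it is there,
and detect any change or addition. All script data below is constructed.
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    url: str            # where the script is loaded from
    justification: str  # business reason recorded at approval time
    sha256: str         # hex digest of the approved content


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def sri_attribute(content: bytes) -> str:
    """Value for a <script integrity="..."> attribute (Subresource Integrity),
    so the browser itself refuses a script whose bytes no longer match."""
    digest = hashlib.sha256(content).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_inventory(approved: dict[str, tuple[str, bytes]]) -> dict[str, InventoryEntry]:
    """approved maps script URL -> (justification, content at approval time)."""
    return {
        url: InventoryEntry(url, why, sha256_hex(body))
        for url, (why, body) in approved.items()
    }


def check_payment_page(inventory: dict[str, InventoryEntry],
                       observed: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the scripts actually present on the page (URL -> bytes) with
    the inventory. Findings land in four buckets:
      unauthorised - present on the page but never approved
      modified     - approved URL whose content hash has changed
      missing      - approved script that is no longer loaded
      ok           - approved and unchanged
    """
    findings: dict[str, list[str]] = {"unauthorised": [], "modified": [], "missing": [], "ok": []}
    for url, body in sorted(observed.items()):
        entry = inventory.get(url)
        if entry is None:
            findings["unauthorised"].append(url)
        elif sha256_hex(body) != entry.sha256:
            findings["modified"].append(url)
        else:
            findings["ok"].append(url)
    for url in sorted(inventory):
        if url not in observed:
            findings["missing"].append(url)
    return findings


def page_is_clean(findings: dict[str, list[str]]) -> bool:
    """True only when every loaded script is approved and unchanged."""
    return not (findings["unauthorised"] or findings["modified"] or findings["missing"])


# Constructed sample: what was approved at the last review ...
APPROVED_SCRIPTS = {
    "https://pay.gateway.example/v2/checkout.js":
        ("Hosted checkout loader from the payment provider", b"window.Checkout = function(){ /* v2 */ };"),
    "https://shop.example/static/analytics.js":
        ("Page analytics, approved by security on 2026-01-10", b"track('checkout_view');"),
}

# ... and what a scan of the live payment page found today: the analytics
# script has changed since approval, and marketing has added an unreviewed tag.
OBSERVED_SCRIPTS = {
    "https://pay.gateway.example/v2/checkout.js": b"window.Checkout = function(){ /* v2 */ };",
    "https://shop.example/static/analytics.js": b"track('checkout_view'); track('promo_banner');",
    "https://tags.marketing.example/pixel.js": b"new Image().src='https://tags.marketing.example/p';",
}


def run_sample() -> dict[str, list[str]]:
    return check_payment_page(build_inventory(APPROVED_SCRIPTS), OBSERVED_SCRIPTS)


if __name__ == "__main__":
    result = run_sample()
    for bucket, urls in result.items():
        for url in urls:
            print(f"{bucket:12s} {url}")
    print("clean:", page_is_clean(result))
```

Run against the constructed sample, the check reports the gateway loader as ok, the analytics script as modified and the marketing pixel as unauthorised, which is exactly the "third-party tag on a checkout page" case the paragraph above describes. The hex digests are the evidence an assessor asks for; the `integrity` attribute value is the cheap preventive control that stops the browser loading a changed script at all.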

SAQ B-IP — around £3,000 to £8,000 a year

SAQ B-IP applies to merchants using only IP-connected payment terminals at a physical location — typical small-business retail. The questionnaire is shorter than SAQ D but longer than SAQ A. Most cost sits in network controls (segmenting the terminal network from everything else) and ASV scans on the segment.

SAQ D — 300+ questions, around £25,000 to £80,000 a year

SAQ D is the full self-assessment for merchants who don't fit a more specific scenario. If your systems store, process, or transmit cardholder data — including a contact centre where agents hear card digits or recordings capture them — SAQ D applies. Validation is annual self-assessment, but the underlying control set is the full PCI DSS, which means everything a Level 1 RoC would require, minus the QSA audit.

The annual cost runs to £25,000 to £80,000 for a mid-size contact centre. That's £8,000 to £18,000 for SAQ D preparation (most operators use a QSA-as-consultant model — the £1,400 to £1,800 day rate adds up across the 6 to 10 days a thorough SAQ D walk takes), £6,000 to £15,000 for ASV scans and pen tests, £8,000 to £25,000 for the technical control stack, and £10,000 to £40,000 in internal compliance time depending on the size of the team.

The number that gets people's attention is the gap between SAQ D and SAQ A. A descope from SAQ D to SAQ A on a mid-size operation typically saves £20,000 to £60,000 a year on the compliance line alone — before counting the reduction in breach risk. That's why the descoping decision is almost always the biggest financial lever in a PCI programme. Our piece on in-house vs outsourced PCI cost walks through the trade-off in more detail.
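The SAQ descriptions in this section reduce to a decision on data flow, and the decision is worth writing down so it can be re-run at every scope review. The model below is an added example, not code from the original article, from Paytia, or from the PCI Council: it encodes only the SAQ A, A-EP, B-IP and D descriptions given above and the annual cost ranges from the subheadings. It is not the Council's full eligibility criteria; channel combinations the section does not describe are sent to SAQ D as a conservative default, which is this example's assumption.

```python
"""Which SAQ does a given data flow point to?

Simplified decision model built from the SAQ descriptions above. Not the
PCI Council's eligibility criteria; combinations the article does not
describe fall back to SAQ D (assumption of this model).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DataFlow:
    # Phone channel
    takes_phone_payments: bool = False
    phone_masked_by_validated_provider: bool = False  # DTMF masking: agents and recordings never get digits
    # E-commerce channel
    takes_ecommerce_payments: bool = False
    checkout_fully_hosted: bool = False                # hosted page or iframe from a validated provider
    payment_page_js_on_merchant_domain: bool = False   # merchant-controlled script on the payment page
    # Card-present channel
    takes_terminal_payments: bool = False
    terminals_ip_connected_only: bool = False          # IP-connected terminals at a physical location
    # PAN held anywhere in the merchant's own systems (CRM, recordings, archive)
    stores_pan_internally: bool = False


# Annual all-in ranges (GBP) taken from the subheadings of this section.
ANNUAL_COST_RANGE_GBP = {
    "SAQ A": (2_000, 6_000),
    "SAQ A-EP": (15_000, 40_000),
    "SAQ B-IP": (3_000, 8_000),
    "SAQ D": (25_000, 80_000),
}


def select_saq(flow: DataFlow) -> tuple[str, str]:
    """Return (SAQ name, reason). Checks run from most to least restrictive,
    so anything that keeps cardholder data in the merchant environment lands
    on SAQ D before the shorter questionnaires are considered."""
    if flow.stores_pan_internally:
        return "SAQ D", "merchant systems store PAN (CRM, recordings or archive)"
    if flow.takes_phone_payments and not flow.phone_masked_by_validated_provider:
        return "SAQ D", "agents hear card digits and/or recordings capture them"
    if flow.takes_ecommerce_payments and not flow.checkout_fully_hosted:
        return "SAQ D", "merchant-hosted card form processes cardholder data"
    if flow.takes_terminal_payments and not flow.terminals_ip_connected_only:
        return "SAQ D", "terminal estate is not limited to IP-connected terminals"
    if flow.takes_terminal_payments:
        if flow.takes_ecommerce_payments or flow.takes_phone_payments:
            # Assumption: mixed channels outside the pure B-IP case fall back to D.
            return "SAQ D", "IP terminals combined with other channels (model default)"
        return "SAQ B-IP", "only IP-connected terminals at a physical location"
    if flow.takes_ecommerce_payments and flow.payment_page_js_on_merchant_domain:
        return "SAQ A-EP", "hosted checkout, but merchant-controlled JavaScript on the payment page"
    return "SAQ A", "all card handling outsourced to PCI DSS validated third parties"


def estimate(flow: DataFlow) -> tuple[str, str, tuple[int, int]]:
    saq, reason = select_saq(flow)
    return saq, reason, ANNUAL_COST_RANGE_GBP[saq]


# Constructed sample flows, one per SAQ described in this section.
SAMPLE_FLOWS = {
    "contact centre, agents hear digits":
        DataFlow(takes_phone_payments=True),
    "masked DTMF plus iframed checkout":
        DataFlow(takes_phone_payments=True, phone_masked_by_validated_provider=True,
                 takes_ecommerce_payments=True, checkout_fully_hosted=True),
    "hosted checkout with a marketing tag on the payment page":
        DataFlow(takes_ecommerce_payments=True, checkout_fully_hosted=True,
                 payment_page_js_on_merchant_domain=True),
    "small retailer, IP terminals only":
        DataFlow(takes_terminal_payments=True, terminals_ip_connected_only=True),
    "masked phone, but the CRM still stores PAN":
        DataFlow(takes_phone_payments=True, phone_masked_by_validated_provider=True,
                 stores_pan_internally=True),
}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        saq, reason, (low, high) = estimate(flow)
        print(f"{name:58s} -> {saq:9s} (£{low:,}-£{high:,}) {reason}")
```

The last sample is the one that catches people: masking the phone leg does nothing for the questionnaire if the CRM is still holding PAN, which is the point made later about descoping not always paying back.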

QSA day rates and what a Report on Compliance actually costs

For Level 1 merchants, the QSA bill is the single biggest visible line on the PCI budget. QSAs are independent assessors qualified by the PCI Council to produce Reports on Compliance. The UK market has around 50 firms with active QSA accreditation; the global market is in the low hundreds. Daily rates and engagement scopes vary widely.

A typical Big Four QSA practice (Deloitte, EY, KPMG, PwC) charges £1,800 to £2,500 a day for a Level 1 RoC engagement. A mid-tier specialist firm (NCC Group, Coalfire, Bridewell, A-LIGN, Sumeru, Verizon Business) charges £1,200 to £1,800 a day. Smaller boutique QSAs can come in at £900 to £1,300 a day but may not have the bandwidth or specialism for a complex multi-site engagement.

The number of days drives the total. A clean, well-segmented Level 1 environment with mature controls might take a QSA team 25 to 35 days across the full engagement (scoping, evidence review, on-site walks, sample testing, RoC drafting, quality review, final delivery). A complex multi-site environment with significant in-scope estate and tangled outsourcing arrangements can run 60 to 100 days. At £1,500 a day, that's the difference between £45,000 and £150,000 on the QSA invoice alone.

What drives day count? Three things. First, the size of the cardholder data environment — every additional system in scope adds testing days. Second, the maturity of your evidence — if your QSA has to chase you for control evidence rather than reviewing what you provided upfront, the engagement extends. Third, the complexity of your third-party relationships — every service provider in scope needs their AoC reviewed and their responsibility matrix validated. We cover the line-by-line breakdown in PCI audit cost broken down.

The line items vendors don't put on the first quote

Every compliance quote you'll ever see leaves things off. Not because the vendor is being dishonest — most aren't — but because their quote covers their bit and the rest is on you. Here are the line items that consistently catch teams out when they're modelling the total cost of PCI compliance.

Approved Scanning Vendor subscriptions. ASV scans are required quarterly for any merchant with externally facing systems in scope. Costs run from £1,500 a year for a small-business package up to £15,000 a year for a multi-IP enterprise scan. Larger ASV providers — Qualys, Tenable, Trustwave — typically charge per IP and per scan frequency. If your scope expands mid-year, your ASV bill expands with it.

Penetration testing. Required annually under Requirement 11.4 and after any significant infrastructure change. A standard external pen test on a small environment runs £6,000 to £12,000; an internal-and-external pen test on a Level 1 environment runs £25,000 to £60,000. v4.0.1 strengthened the segmentation testing requirement — pen testers now have to validate that the cardholder data environment is genuinely isolated from the rest of your network, which often surfaces leaks that quietly extend scope.

Internal scanning. Required quarterly under 11.3.1. From v4.0.1 those scans have to be authenticated (credentialed), not unauthenticated. Setting up the service accounts, agreeing scope with system owners, and rerunning the baseline takes work — budget £3,000 to £8,000 in tooling plus internal time the first year, less subsequently.

File integrity monitoring. Required across the cardholder data environment under Requirement 11.5. Tripwire, OSSEC, Wazuh, or vendor-bundled FIM — pick your tool. Costs run £8,000 to £30,000 a year for a Level 1 environment, scaling with the number of monitored endpoints.

Log management. Required under Requirement 10. The v4.0.1 tightening to daily log review under 10.4.1 means most operators run a SIEM — Splunk, Elastic, Microsoft Sentinel, Sumo Logic. Annual SIEM costs for a Level 1 environment run £20,000 to £100,000+ depending on log volume.

Security awareness training. Required under Requirement 12.6. Platforms like KnowBe4, Proofpoint, or SANS run £8 to £25 per user per year. Small numbers across hundreds of agents add up — a 400-seat contact centre might spend £6,000 a year on this line alone.

Vendor management. Required under Requirement 12.8. Tracking AoCs from every PCI-relevant third party, refreshing them annually, validating the responsibility matrix. Most mid-size operators run this in a spreadsheet, which costs nothing in tooling but consumes 40 to 80 hours a year of compliance time. Larger operators use GRC platforms (OneTrust, ServiceNow GRC, Hyperproof) at £15,000 to £80,000 a year.

Cyber liability insurance. Not strictly a PCI cost, but premiums are heavily driven by your PCI posture. A Level 1 contact centre with a clean SAQ A descope pays meaningfully less than the same operator on SAQ D with open findings. The insurance line is one of the places descoping work pays itself back the fastest.

Acquirer non-compliance fees. If your acquirer flags you as non-compliant, fees of £50 to £500 a month appear on your statement. Sustained non-compliance over six months can quietly cost £3,000 a year on the merchant statement — most operators don't notice until it's added up.

[Image: compliance budget spreadsheet showing PCI DSS cost categories]

The cost of PCI compliance for small business

Small businesses asking "how much does PCI compliance cost" usually get one of two answers from their acquirer: "it's free, just fill in the form" or "that depends on your environment." Neither is wrong, but both miss the picture.

For a small e-commerce retailer using a fully hosted checkout — Shopify Payments, Stripe Checkout, Squarespace Commerce — the cost of PCI compliance is essentially zero. The hosted platform handles validation; the merchant signs an SAQ A and pays nothing extra. We see this routinely with sub-£500k turnover online stores. The compliance line on the P&L is genuinely a non-event.

For a small contact centre or phone-only merchant — a charity fundraising team, a small insurance broker, a private healthcare clinic — the picture changes fast. The same SAQ A is available if the architecture is right, but "the architecture is right" means a masked DTMF flow with a validated service provider. Pricing for that runs £200 to £800 a month for low-volume operators (under 2,000 transactions a month), £800 to £2,000 a month for mid-volume operators. Total annual compliance cost (SAQ A plus the masking platform plus the small ancillary lines) sits at £4,000 to £20,000 a year — which is materially less than the £25,000-£60,000 a Level 4 merchant would pay on SAQ D if they tried to take phone payments without descoping.

The trap small operators fall into is assuming "small" means "cheap to comply." If your environment doesn't qualify for a short SAQ, your merchant level doesn't help you — Requirement 8.3.6's MFA rules, Requirement 11.3.1.2's authenticated internal scans, Requirement 10.4.1's daily log review all apply at the same standard whether you're doing £200k or £200m. The cost of PCI DSS compliance scales with scope, not turnover. Our pillar on PCI DSS for small business spells out the smallest-cost path through the standard.

How descoping changes the maths

The biggest financial decision in a PCI programme isn't which QSA to use or which ASV to subscribe to. It's whether to descope the cardholder data environment by routing card handling through a validated service provider rather than processing it yourself. Descoping is the single intervention that moves a merchant from SAQ D to SAQ A — or from a 100-day Level 1 RoC to a 30-day one — and the cost difference is enormous.

Take a worked example. A mid-size insurance broker takes around 80,000 phone payments a year. Agents previously heard the customer's card digits and entered them into a CRM payment screen. Call recordings captured the digits, the recording archive was in-scope cardholder data, the CRM was in-scope, the agent workstations were in-scope, and the QA tooling that pulled audio for sampling was in-scope. The annual compliance cost on SAQ D came to about £62,000 — £15,000 SAQ D preparation, £8,000 ASV plus pen test, £12,000 log management and FIM, £20,000 in internal compliance time, and £7,000 in training and vendor management.

After descoping with DTMF masking — agents stay on the call but the digits are intercepted at the network edge before reaching the contact centre — recordings, the CRM, the workstations, and the QA tooling all dropped out of scope. The cardholder data environment shrank to the masking provider's platform and the gateway connection. The merchant moved to SAQ A. Annual compliance cost dropped to about £8,000 — £2,500 SAQ A preparation, £1,800 ASV, £2,000 vendor management, £1,500 training, £200 acquirer charges. The masking platform itself cost £14,000 a year. Total: £22,000. Net annual saving: £40,000.

That saving compounded over three years and paid for the descoping work several times over. It also reduced the breach exposure on the cardholder data environment, which dropped the cyber insurance premium by another £4,000 a year. That kind of payback is why descoping shows up as the headline recommendation in nearly every PCI cost analysis we run. Our piece on how to reduce PCI compliance cost walks through the descoping decisions in detail.

Descoping doesn't always pay back. For merchants on very low volumes — under 1,000 phone payments a month — the masking platform's monthly minimum can exceed the marginal saving from a smaller SAQ. For merchants whose architecture is already on SAQ A (everything else outsourced), descoping the phone payments delivers zero scope reduction because there's nothing left to descope. And for merchants on SAQ D for reasons unrelated to phone payments (e-commerce environments where they self-host card forms, or POS estates where they store PAN), descoping the phone leg doesn't help. Always model the actual scope-reduction effect before committing to a masking project.

What the cost of PCI DSS compliance looks like over three years

One-year cost numbers hide a lot. The QSA setup cost in year one usually doesn't repeat in year two. The technical control build-out in year one is amortised across the subscription in years two and three. The internal time spent learning the SAQ in year one drops by 40 to 60% in year two. A three-year view is the honest one.

For a Level 1 contact centre on SAQ D the three-year cost picture typically looks like £180,000 in year one (with significant setup and tooling investment), £140,000 in year two, £135,000 in year three. Total: £455,000.

The same operator after descoping to SAQ A: £45,000 in year one (including the descoping project itself — the masking platform setup, the call-flow redesign, the SAQ A migration), £18,000 in year two, £18,000 in year three. Total: £81,000. Three-year saving: £374,000.
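The worked example in the descoping section and the three-year view above are the same calculation run twice, so here it is as a small model that can be re-run with your own line items. This is an added example, not code from the original article or from Paytia. The line items reproduce the article's two examples; the masking-platform price curve (a per-transaction rate with a monthly minimum) is a constructed assumption, chosen so it lands on the article's £14,000 at 80,000 transactions, and is there only to show why very low volumes may not pay back.

```python
"""Descoping cost model: annual run-rate, net saving after the masking
platform, and the three-year view. Line items follow the article's worked
examples; the platform price curve is a constructed assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, fields


@dataclass
class AnnualCost:
    """One year's compliance line items in GBP."""
    validation: int = 0             # SAQ preparation or QSA RoC
    scans_and_pentest: int = 0      # ASV scans, internal scans, penetration tests
    technical_controls: int = 0     # FIM, SIEM, segmentation tooling
    internal_time: int = 0
    training_and_vendor_mgmt: int = 0
    acquirer_charges: int = 0

    def total(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))


def masking_platform_annual_cost(annual_transactions: int, per_txn_gbp: float = 0.175,
                                 monthly_minimum_gbp: int = 200) -> int:
    """Constructed price curve: pay per transaction, never less than the monthly minimum."""
    usage = per_txn_gbp * annual_transactions
    return round(max(usage, 12 * monthly_minimum_gbp))


def net_annual_saving(current: AnnualCost, descoped: AnnualCost, annual_transactions: int,
                      per_txn_gbp: float = 0.175, monthly_minimum_gbp: int = 200) -> int:
    """Compliance saving minus the platform that makes the smaller SAQ possible.
    Negative means descoping does not pay back at this volume."""
    platform = masking_platform_annual_cost(annual_transactions, per_txn_gbp, monthly_minimum_gbp)
    return current.total() - descoped.total() - platform


def three_year_total(year_costs: list[int]) -> int:
    return sum(year_costs)


# Article's insurance-broker example: 80,000 phone payments a year.
BROKER_SAQ_D = AnnualCost(validation=15_000, scans_and_pentest=8_000, technical_controls=12_000,
                          internal_time=20_000, training_and_vendor_mgmt=7_000)
BROKER_SAQ_A = AnnualCost(validation=2_500, scans_and_pentest=1_800,
                          training_and_vendor_mgmt=3_500, acquirer_charges=200)
BROKER_ANNUAL_TXNS = 80_000

# Article's three-year view for a Level 1 contact centre.
LEVEL1_SAQ_D_YEARS = [180_000, 140_000, 135_000]
LEVEL1_DESCOPED_YEARS = [45_000, 18_000, 18_000]

# Constructed low-volume case: a small operator at 500 phone payments a month
# whose provider quotes an £800 monthly minimum (top of the article's low-volume range).
SMALL_SAQ_D = AnnualCost(validation=8_000)
SMALL_SAQ_A = AnnualCost(validation=2_000)
SMALL_ANNUAL_TXNS = 6_000
SMALL_MONTHLY_MINIMUM = 800


def payback_summary() -> dict[str, int]:
    return {
        "broker_saq_d_total": BROKER_SAQ_D.total(),
        "broker_saq_a_total": BROKER_SAQ_A.total(),
        "broker_platform": masking_platform_annual_cost(BROKER_ANNUAL_TXNS),
        "broker_net_saving": net_annual_saving(BROKER_SAQ_D, BROKER_SAQ_A, BROKER_ANNUAL_TXNS),
        "level1_three_year_saving": three_year_total(LEVEL1_SAQ_D_YEARS) - three_year_total(LEVEL1_DESCOPED_YEARS),
        "small_net_saving": net_annual_saving(SMALL_SAQ_D, SMALL_SAQ_A, SMALL_ANNUAL_TXNS,
                                              monthly_minimum_gbp=SMALL_MONTHLY_MINIMUM),
    }


if __name__ == "__main__":
    for name, value in payback_summary().items():
        print(f"{name:26s} £{value:,}")
```

The broker case reproduces the article's £40,000 net saving and the Level 1 case its £374,000 over three years; the constructed small-operator case comes out negative, which is the "monthly minimum exceeds the marginal saving" situation the descoping section warns about.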

That's the kind of number that gets boardroom attention. It's also the kind of number where the procurement team needs to push for evidence — three-year savings models are easy to assemble on a slide and harder to honour in practice. The honest evidence is to talk to operators who've already done the descoping work and ask them what their actual run-rate looks like in year three. We're happy to put prospects in touch with clients who'll talk through their numbers.

The cost of PCI compliance for in-house vs outsourced models

There's a recurring debate inside contact centres about whether to build PCI capability in-house — your own staff, your own controls, your own evidence pack — or to outsource the heavy lifting to a payment service provider with its own Level 1 attestation. The right answer depends on what you're optimising for.

In-house is cheaper at very high volumes if you have the security operations capability to run it well. A Level 1 merchant processing 50m phone transactions a year can amortise a £200,000 annual compliance run-rate across enough revenue that the per-transaction cost is negligible. The control set you build also stays inside the business — it doesn't disappear if a vendor goes under.

Outsourced is cheaper at low and mid volumes, and the break-even sits at around 3m to 5m phone transactions a year for most contact centre operators. Below that point, the fixed cost of running an in-house compliance programme (a dedicated compliance lead, in-house security ops, in-house QSA relationship, in-house tooling) outweighs the per-transaction premium of a managed service. Outsourcing also moves a chunk of the breach risk onto the service provider's AoC, which is what cyber insurers pay close attention to.

For most mid-size operators, the practical answer is hybrid: outsource the descoping piece (the masking, the gateway connection, the tokenisation) to a Level 1 service provider, and keep the rest of the compliance programme in-house. That's the architecture our clients typically arrive at after a year or two of running both models. Our piece on PCI cost in-house vs outsourced covers the trade-off in detail, including the maturity model that tells you when you're ready to bring more in-house.

Region-specific cost differences: UK, EU, US

The PCI DSS is the same worldwide. The cost of PCI compliance isn't, because the regulatory environment around it shapes how expensive the surrounding controls are.

In the UK, FCA-regulated firms (insurance brokers, financial advisers, payment institutions) carry an additional operational resilience burden under PS21/3, which doesn't show up in the PCI invoice but does show up in the security ops team's headcount. The Information Commissioner's Office treats card data as personal data under UK GDPR, so a breach reporting capability has to exist alongside the PCI incident response plan. UK QSA day rates are broadly in the ranges quoted above; UK ASV pricing tends to be slightly lower than US equivalents because the competitive landscape is denser.

In the EU, NIS2 expanded cybersecurity reporting obligations for "essential" and "important" entities, catching a lot of mid-size contact centres. The expanded obligations don't change the PCI bill directly, but they raise the bar on the surrounding control stack — most NIS2-affected operators end up spending £10,000 to £40,000 more a year on SIEM and incident response capability. PSD2 strong customer authentication requirements apply to most card-present and card-not-present flows.

In the US, state-level data breach notification laws layer on top of PCI. California's CCPA/CPRA, New York's SHIELD Act, the Texas Data Privacy and Security Act, and around 15 other state regimes all have specific notification triggers for cardholder data exposure. The compliance programme has to handle PCI plus a patchwork of state regimes, which adds compliance staff time but not much in QSA or tooling cost. US QSA day rates tend to be slightly higher than UK equivalents — $2,000 to $3,500 a day at the big firms — but the engagement structure is similar. For healthcare operators in the US, HIPAA crossover means a card-data exposure in a clinical recording triggers both PCI and HIPAA notification clocks; we cover the overlap in HIPAA vs PCI DSS.

Where the cost of PCI compliance goes wrong — the patterns we see

Most operators arriving at a compliance budget review have one of four problems. They're not architectural debates — they're recurring operational patterns that drive the bill up without anyone noticing for a year or two.

Pattern one: scope creep. A new system gets added to the network, someone forgets to ask whether it's in or out of the cardholder data environment, and by next year's audit it's been pulled into scope because it talks to something that talks to something that touches card data. The QSA has to test it, the SIEM has to log it, the FIM has to monitor it. The fix is an annual scope review under Requirement 12.5.2 — but the operator running it has to push back on every new system rather than rubber-stamping. We cover the scope-review pattern in cardholder data environment.

Pattern two: partial outsourcing. A merchant outsources most of the card flow but keeps one path in-house — usually an "agent-keyed fallback" or a "disability access route" or a "premium customer manual handling" path. The whole environment then falls into SAQ D for the audit because of that one path. The annual cost stays high even though 95% of transactions go through the outsourced flow. The fix is to route the exception through a different mechanism that also bypasses the merchant's environment — a hosted IVR, a payment link, a callback to a separate validated handler.

Pattern three: stale AoCs. A vendor's Attestation of Compliance was current when the contract was signed three years ago and has been quietly out of date for two of those years. The audit catches it, the merchant scrambles to get it refreshed, the QSA's billable time extends. The fix is a vendor management process that tracks expiry dates and chases providers 60 days before they lapse. Most operators discover this is sitting in a spreadsheet nobody owns.
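The vendor-management process Pattern three calls for is small enough to script, and scripting it is what stops the spreadsheet being one nobody owns. The tracker below is an added example, not code from the original article or from Paytia. It assumes an AoC is treated as valid for twelve months from its date and uses the article's 60-day chase window; vendor names, services, owners and dates are constructed.

```python
"""Vendor AoC expiry tracker.

Flags every provider whose Attestation of Compliance has lapsed or will
lapse inside the chase window, and any vendor record with no owner.
Assumptions: an AoC is valid for twelve months from its date; the chase
window is 60 days. All vendor data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

CHASE_WINDOW_DAYS = 60


@dataclass(frozen=True)
class VendorAoC:
    vendor: str
    service: str
    aoc_date: date             # date on the AoC the vendor supplied
    owner: str | None = None   # who in the business is responsible for chasing it


def add_one_year(d: date) -> date:
    """Same calendar date next year; 29 Feb rolls to 28 Feb."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def aoc_expiry(record: VendorAoC) -> date:
    return add_one_year(record.aoc_date)


def aoc_status(record: VendorAoC, today: date) -> tuple[str, int]:
    """Return (status, days_remaining); status is 'expired', 'chase' or 'current'."""
    days_remaining = (aoc_expiry(record) - today).days
    if days_remaining < 0:
        return "expired", days_remaining
    if days_remaining <= CHASE_WINDOW_DAYS:
        return "chase", days_remaining
    return "current", days_remaining


def review_vendor_file(records: list[VendorAoC], today: date) -> list[dict]:
    """Evaluate every vendor; the records needing action sort first."""
    rows = []
    for r in records:
        status, days = aoc_status(r, today)
        rows.append({"vendor": r.vendor, "service": r.service, "status": status,
                     "days_remaining": days, "expiry": aoc_expiry(r),
                     "unowned": r.owner is None})
    order = {"expired": 0, "chase": 1, "current": 2}
    rows.sort(key=lambda row: (order[row["status"]], row["days_remaining"]))
    return rows


def action_items(records: list[VendorAoC], today: date) -> list[str]:
    """Chase list for the compliance lead, one line per action."""
    items = []
    for row in review_vendor_file(records, today):
        if row["status"] == "expired":
            items.append(f"{row['vendor']}: AoC lapsed {-row['days_remaining']} days ago, escalate")
        elif row["status"] == "chase":
            items.append(f"{row['vendor']}: AoC lapses in {row['days_remaining']} days, request refresh")
        if row["unowned"]:
            items.append(f"{row['vendor']}: no owner assigned in the vendor file")
    return items


# Constructed sample file, reviewed on the article's date.
REVIEW_DATE = date(2026, 5, 29)
SAMPLE_VENDOR_FILE = [
    VendorAoC("DTMF masking provider", "phone payment masking", date(2025, 7, 15), owner="compliance lead"),
    VendorAoC("Call recording vendor", "recording archive", date(2023, 3, 1)),   # signed three years ago, nobody owns it
    VendorAoC("Payment gateway", "card processing", date(2026, 1, 10), owner="finance"),
    VendorAoC("QA sampling tool", "call QA", date(2025, 5, 1), owner="contact centre manager"),
]


if __name__ == "__main__":
    for line in action_items(SAMPLE_VENDOR_FILE, REVIEW_DATE):
        print(line)
```

On the constructed file the recording vendor is the Pattern-three case exactly: an AoC dated three years ago, long lapsed, with no owner to notice. Running this monthly, with the output going to a named person, is the whole control.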

Pattern four: evidence chaos. The controls work, but the evidence is scattered across SharePoint, email threads, screen captures, and a forgotten Confluence page. The QSA spends three days reconstructing what should have been a half-day evidence review, and the bill reflects it. The fix is a GRC platform or a disciplined evidence repository — either works, the discipline is what matters.

What questions to ask before you sign a PCI quote

The same five questions cut through most compliance vendor pitches, whether you're hiring a QSA, an ASV, or a managed compliance partner.

First: "What's your assumption about the size of our cardholder data environment, and what happens to the quote if it's wrong?" Most quotes are anchored to a scope estimate the vendor made on a 30-minute call. Push them to write the assumption down and price the variance.

Second: "Which specific deliverables are inside this quote and which trigger a change order?" Scope changes, additional testing days, additional SAQ sections, rework after remediation — these are the lines where vendors quietly add 20-40% over the original quote.

Third: "What does your team do if we miss a control during the assessment — extra testing or move on?" Some QSAs build in 2-3 days of remediation support for major findings; some treat every finding as a change order. The answer tells you what next year's relationship will look like.

Fourth: "Can you give me three references at our merchant level who finished the engagement in the last 18 months?" Vendors that can't will have something to hide. Vendors that can will sometimes share rough cost numbers if you ask politely.

Fifth: "What's your view on our current architecture — would descoping change the engagement materially?" A QSA who's only interested in the engagement they were called for isn't on your side. The good ones will tell you upfront where the real saving lives, even if it means selling you less work.

Next steps

If you're trying to model the cost of PCI compliance for your environment, the most useful thing you can do is draw the data flow first and price the SAQ second. The architecture decisions you make this year set the cost line for the next three. A masked DTMF flow paired with an iframed checkout will run you a small SAQ A; an in-house contact centre with a CRM that stores PAN will run you the full SAQ D regardless of how clever the rest of your stack is.

We're a PCI DSS Level 1 service provider with ten years of contact centre integrations behind us. If you'd like to walk through your own cost picture with someone who's done this before, get in touch and we'll talk through your specific path. If you'd rather see the masking architecture in action first, book a 15-minute working demo and we'll wire up a live capture using your actual phone system. The DTMF masking solution page covers the technical detail; the PCI DSS v4 solution covers the broader descope story.

Cut your PCI compliance cost — descope the contact centre

Paytia's DTMF masking moves agents, call recordings, and transcripts out of PCI scope. Most clients reduce from SAQ D to SAQ A and save £20,000-£60,000 a year on the compliance line. PCI DSS Level 1 certified service provider — our AoC is available on request and slots straight into your vendor management file.
