The cost of PCI compliance is the question every finance director asks first, and the question every PCI vendor sidesteps. There isn't a flat number, and anyone quoting one upfront is either selling a tool or hiding most of the bill. What you actually pay depends on three things: your merchant level, which Self-Assessment Questionnaire you fall under, and how much of your network you've taken out of PCI scope. Get those three right and your annual PCI cost can drop by 80% or more without dropping your security posture. Get them wrong and you'll keep paying for a Report on Compliance you didn't need.
This piece walks through the four cost lines that actually make up your PCI bill, what each one costs in the UK in 2026, where most merchants over-pay, and the two moves that compound to bring the number down. It's written from where we sit — a PCI DSS Level 1 service provider since 2016, which means we've been through the full QSA-led audit ourselves every year and we've seen what customers spend at every merchant level.
The four cost lines that add up to your PCI bill
Every PCI compliance budget breaks down into the same four lines. They scale very differently by merchant level, but the structure doesn't change.
The first is assessment — the cost of either filling in your Self-Assessment Questionnaire correctly or paying a Qualified Security Assessor to write your Report on Compliance. For most UK merchants this is a SAQ, and the direct cost is your time rather than a third-party invoice. For Level 1 merchants and a chunk of Level 2s the cost is a QSA engagement, which we'll come back to.
The second is remediation, and this is almost always the biggest line. The SAQ or RoC tells you which controls you're missing; remediation is the actual work to put them in. A missing multi-factor authentication setup on admin accounts is a controls gap. A flat network where the cardholder data environment is reachable from every laptop is a controls gap. A call recording archive that holds five years of PANs is a controls gap. None of those get fixed by the assessment itself.
The third is ongoing tooling — Approved Scanning Vendor scans, log management for Requirement 10, vulnerability scanning, file integrity monitoring, MFA for non-console admin, and so on. Most of these run as annual subscriptions and most of them you only need at certain SAQ levels.
The fourth is internal staff time, and it's the line every budget under-counts. The SAQ itself takes anywhere from a couple of days to several weeks of focused work depending on how much network and process scope is in it. Evidence collection, screenshots, log samples, policy documents — all of it is real hours that come out of someone's calendar. Cost those hours honestly and the picture changes.
Your merchant level decides whether it's a SAQ or a Report on Compliance
Visa and Mastercard each publish their own merchant level definitions, but they line up closely. Level 1 is roughly six million transactions a year per scheme and pulls you into a mandatory QSA-led Report on Compliance. Level 2 is one to six million; many Level 2 merchants self-assess on SAQ D and some get pushed to RoC by their acquirer. Levels 3 and 4 are e-commerce only and tiered by volume; the cap for Level 4 is under twenty thousand e-commerce transactions a year, and most UK SMEs sit there.
Service providers — anyone who stores, processes or transmits cardholder data on behalf of merchants — have their own levels, with the cut-off for Level 1 around three hundred thousand transactions a year. Paytia is a Level 1 service provider, which is why our customers can lean on our compliance to reduce their own scope.
Practically: if you take card payments over the phone for your own business and you're under a million annual transactions total, you almost certainly self-assess. If you're a contact-centre outsourcer handling cards for other brands, you're a service provider and the rules are stricter regardless of volume. Either way, your level is non-negotiable — it's set by your acquirer based on what you actually process — but the SAQ you fall under is very much in your control.
The SAQ you fall under is the biggest single cost lever
There are nine SAQs and they exist precisely because PCI's cost can't be one-size-fits-all. SAQ A is around 22 questions and applies when you've fully outsourced card-data handling — typically e-commerce merchants using a hosted payment page. SAQ A-EP is around 190 questions and applies to e-commerce merchants whose own site touches the payment page even indirectly. SAQ D-Merchant is around 329 questions and applies when card data passes through your environment at all.
Each question in your SAQ equates to a control you have to evidence — and probably implement. Every additional question is more engineering, more documentation, more annual proof. The cost gap between filling in SAQ A and filling in SAQ D, for the same business, is the difference between a quiet week of paperwork and a six-figure compliance programme. Most contact centres taking phone payments default to SAQ D because their network touches card data. They could be on SAQ A with the right architecture — that move, and the rest of the v4.0.1 picture for call centres, sits in our PCI DSS v4.0 call centre guide. That's where the descoping conversation starts — and it's the move that dwarfs every other cost optimisation. Our guide to what "descoped" actually means walks through the mechanic in plain English.
What it actually costs in the UK in 2026
These are honest UK ranges, based on what we and our customers actually pay and on what the Approved Scanning Vendor market quotes.
ASV scans for the external-facing IPs in your cardholder data environment run around £200 to £3,000 a year, scaling with how many IPs you have to scan and how often you want re-scans for failed findings. A small contact centre with two or three IPs sits at the bottom of that range. A multi-site retailer with dozens of public IPs sits near the top.
QSA day rates in the UK currently run around £1,500 to £3,000 a day, with most full RoC engagements taking anywhere from ten to thirty days of QSA effort plus your team's time. A small Level 1 service provider's annual RoC tends to be £25,000 to £60,000 of QSA fees alone; a large complex one runs into six figures. None of that includes the remediation it surfaces. The audit walkthrough covers what those days actually buy you.
Internal staff time is the line that always blows the budget. For a small merchant the SAQ alone is roughly 80 to 300 hours a year, including evidence collection and the trail of small fixes the SAQ exposes. For a contact centre with phone payments still in scope, double that. At a fully loaded internal cost of £50 to £100 an hour, you're at £4,000 to £30,000 of time on the SAQ that nobody invoices for.
Tooling ranges from "you already have it" to a couple of pounds per user per month for an MFA provider, plus log management licences your CISO probably already has running. The trap here is buying a PCI-branded version of a tool you already own — log management is log management, and Splunk doesn't get more compliant when you label the dashboard "PCI".
Add it up for a typical UK SMB contact centre stuck on SAQ D with phone payments in scope, and you're looking at £30,000 to £80,000 a year all-in. Move the same business to SAQ A by descoping the phone channel, and the same total drops below £10,000 — including the cost of the descoping tooling itself.
Where most merchants over-pay
Three patterns come up again and again when we look at what customers were spending before they descoped.
The first is renewing the same SAQ shape year after year. A business outsources its e-commerce checkout in March, gets DTMF masking on the phones in June, decommissions a legacy POS in September — and still files SAQ D in January because that's what it filed last year. The SAQ should follow your architecture. If it doesn't, you're paying SAQ D's controls bill for an SAQ A reality.
The second is doubling up on tooling that overlaps with what's already in the stack. Most enterprises already run something covering Requirement 10 (centralised logging) and Requirement 8 (MFA). Buying a "PCI suite" on top of those is paying twice for the same control. A QSA will accept your existing tooling as long as it covers the requirement; what they care about is that the requirement is met, not which logo's on the dashboard.
The third is hiring a QSA when an Internal Security Assessor would do. ISAs are PCI Council-certified individuals on your own staff who can sign off on most things a QSA can — except the formal Report on Compliance for Level 1 merchants. For everyone else, an ISA does the same work without the consultancy day rate. The ISA exam isn't trivial, but it costs a fraction of a year's QSA fees.
How to drop the bill without dropping standards
Two moves compound: descope, and outsource the surfaces you can't descope.
Descoping means removing card data from parts of your environment that don't strictly need it. The single biggest descoping move for any business that takes phone payments is putting DTMF masking between the customer's keypad and everything else — the agent's screen, the call recording, the network. Card numbers reach the payment provider directly; the contact-centre side of the network never sees them. That single architectural change can move a contact centre from SAQ D to SAQ A and cut the annual compliance bill by an order of magnitude. The wider mechanism — and the reasons it usually pays for itself within months — is covered in our guide to PCI compliance on phone payments, and there's a 2026 checklist if you want the short version.
Outsourcing means using a Level 1 service provider for the surfaces you genuinely can't descope. Card capture, payment links, IVR payments, tokenisation — all of these can be handed to a provider whose Attestation of Compliance covers the work, leaving your own SAQ scope narrower and your costs lower. Our overview of how Paytia helps with PCI compliance walks through which surfaces are descopable and which aren't.
One newer line item we can take off the table entirely for SAQ A and SAQ A-EP merchants: the SAQ paperwork itself. A free SAQ app works through every requirement of every SAQ in plain English, captures the evidence on your phone, and exports the completed PDF for your acquirer or QSA. The spreadsheet-and-Word-doc tax — usually a few hundred to a few thousand pounds of internal time a year — drops to zero. We built it because the SAQ itself shouldn't be the expensive part.
The honest summary
PCI compliance cost ranges from a few hundred pounds a year for a tiny e-commerce merchant on SAQ A through to seven-figure programmes for global Level 1 acquirers. For the typical UK contact centre taking phone payments — the most common Paytia customer — the realistic range is £30,000 to £80,000 a year if the phone channel is still in scope, and well under £10,000 a year once it's been properly descoped. The single biggest move is the one most teams put off: change the architecture so the SAQ changes with it. Everything else is variations on a theme.