Payment Security | 29 May 2026 | 19 min read

PCI Audit Cost Broken Down — Every Fee, Every Hour

What does a PCI audit cost in 2026? Full breakdown of QSA fees, ASV scans, pentest costs, remediation, and staff hours — plus how descoping cuts the bill.


TL;DR

A typical UK PCI audit cost lands between £18,000 and £85,000 once you count QSA fees, ASV scans, penetration testing, internal staff hours, and the remediation work that always falls out of the gap analysis. The split is usually 35-50% QSA invoice and 50-65% internal effort and tooling. Cutting scope first — with DTMF masking or channel separation — moves the bill toward the SAQ A end of the range, often under £5,000.

Last updated: 29 May 2026

When a finance director asks us "what does a PCI audit cost?" the honest answer is: it depends on what they're being asked to audit. The cheque you write the QSA is rarely the largest number. The bigger costs are the staff time you spend pulling evidence together, the penetration test you didn't budget for, the remediation that surfaces during the gap analysis, and the annual repeat the following year. We've sat on both sides of those invoices — ours, and our clients' — and the patterns are predictable enough that you can model the bill before you sign an engagement letter.

This breakdown takes a Level 1 service provider audit and a mid-sized Level 2 merchant audit and walks through every line item. If you only need the SAQ A version, jump to the section on small-merchant costs further down. If you're trying to decide whether to invest in scope reduction before the QSA arrives, the answer is almost always yes — we'll show you the maths.

What you're actually paying for in a PCI audit cost

A PCI audit isn't one thing. It's a stack of activities, each with its own price tag, that combine to produce either a Report on Compliance (for Level 1 entities) or a validated Self-Assessment Questionnaire (for everyone else). Before we put numbers on anything, here's what's in the stack.

The QSA engagement itself covers scoping, evidence collection, control testing, interviews, sampling, the on-site (or remote) assessment days, and the final report writing. That's the headline invoice and it's what most people think of when they ask about audit cost. But sitting around it are five other categories that all need money: the ASV scanning subscription, the internal and external penetration test, the remediation work that surfaces once a QSA actually looks at your environment, the internal staff time spent pulling evidence and answering questions, and the annual ongoing cost of maintaining what you've just built.

We see clients underestimate the staff-time line every single year. A QSA engagement that bills out at £45,000 will typically pull 400-700 hours of internal effort across IT, security, compliance, finance, and contact centre management. At a fully-loaded £60/hour, that's another £24,000-£42,000 of cost that never appears on the QSA's invoice but absolutely lands on your P&L. If you want the wider context on where this fits in your annual compliance spend, our pillar on the full cost of PCI compliance walks through the operating budget too.

QSA engagement fees — the line item everyone sees

QSA day rates in the UK currently sit between £1,800 and £3,500 per day depending on the firm, the consultant's seniority, and how aggressively you negotiate. The Big Four security practices charge at the top of that range. Mid-tier specialist QSACs (the bulk of the UK market) sit in the middle. Smaller boutique QSACs come in cheaper but you sometimes lose continuity if their lead assessor changes between years.

For a Level 1 service provider audit — think a contact centre BPO handling card payments for multiple clients — expect a QSA engagement of 18-30 days. That's £35,000-£70,000 just for the QSA's time. A Level 2 merchant audit (1-6 million transactions a year, validated annually) is usually 8-15 days, so £16,000-£45,000. A Level 3 or Level 4 merchant using SAQ D will pay 3-6 days of QSA review if they engage one at all, which is £6,000-£18,000.

What pushes the day count up? Multi-site assessments, complex network segmentation that needs to be validated, cardholder data discovery scans that turn up surprises, and any control gaps that need re-testing after remediation. What pulls it down? A well-defined scope, mature documentation, a stable environment between audit cycles, and a tokenised or descoped card-capture flow that takes most of your systems out of scope altogether. Our PCI DSS scope glossary entry covers the boundary mechanics if you want the technical version.

ASV scanning — quarterly, mandatory, and cheaper than you think

Approved Scanning Vendor (ASV) scans are a flat-rate annual cost for most merchants. Quarterly external vulnerability scans against your in-scope public-facing IP addresses, run by a PCI SSC-approved scanning vendor, with passing scans uploaded as evidence for your assessment. Expect £1,200-£4,500 per year depending on IP count and whether you bundle in internal vulnerability scans (Requirement 11.3.1).

Where ASV bills surprise people: when an unexpected service comes up on a scanned IP and triggers a fail. You then need to remediate, re-scan, and pay for the re-scan. Some ASVs include unlimited re-scans in the annual fee. Some charge per scan. Read that clause carefully — we've seen clients pay an extra £2,000 in re-scan fees in a single quarter when a misconfigured firewall exposed an SSH port.

If you've descoped your card-capture flow entirely, your in-scope IP list shrinks dramatically and the ASV bill drops with it. A SAQ A merchant paying £450/year is not unusual once card data never touches their infrastructure.

Penetration testing — the line item that always blows the budget

Requirement 11.4 mandates internal and external penetration testing at least annually and after any significant change to the cardholder data environment. For Level 1 service providers, segmentation penetration tests are also required every six months under Requirement 11.4.5. This is where audit budgets blow up.

A scoped external pentest for a single web-facing application sits around £6,000-£12,000. Add the internal network test and you're at £12,000-£25,000. A segmentation validation pentest for a Level 1 service provider — proving that your CDE is genuinely isolated from your corporate network — is another £8,000-£18,000 and you need it twice a year. Application-layer testing on a complex e-commerce platform with payment APIs, customer portals, and admin interfaces routinely hits £25,000+.

The cost driver is methodology hours, not the QSA. Pentest firms quote in person-days at £1,400-£2,200/day and most engagements run 5-15 days of testing plus 2-3 days of reporting. The way to reduce this cost is the same way you reduce every other audit cost: shrink the scope. If your DTMF masking setup takes the contact centre out of the cardholder data environment, the pentest scope shrinks with it.

Remediation — the budget item nobody asks about until it's too late

Every PCI audit finds gaps. The question isn't whether you'll have remediation costs, it's how big they'll be. We've seen first-time Level 1 audits surface £150,000-£400,000 of remediation work — logging infrastructure upgrades, key management overhauls, network segmentation rebuilds, identity-management consolidation, and the perennial "we need to move card data out of these spreadsheets" project.

Mature, mid-cycle audits surface less. A client on their fourth annual Level 1 audit might spend £25,000-£60,000 on remediation. A SAQ A merchant who has genuinely descoped their environment might spend nothing on remediation in a given year. That's the value of getting scope right at the start — you're not just saving on QSA fees, you're avoiding annual remediation invoices that compound year after year.

The remediation items we see most often are inadequate audit logging (Requirement 10), missing or weak multi-factor authentication on administrative access (Requirement 8.4), and unencrypted card data discovered in backup systems, call recordings, or CRM notes (Requirement 3). The last one is brutal. If a QSA finds card numbers in your call recordings, you're either deleting the recordings, paying to redact them, or implementing pause-and-resume — and pause-and-resume just shifts the problem rather than solving it.


Internal staff hours — the cost nobody invoices but everyone pays

This is the line item we wish CFOs asked about more often. A QSA arrives at your premises (or kicks off a remote engagement) and immediately starts asking for evidence. Network diagrams. Data flow diagrams. Cardholder data inventory. Access logs. Change-management records. Vulnerability scan reports. Penetration test reports from the last 12 months. Vendor due-diligence documentation. PCI DSS policies and procedures. Training records. Incident response plans. Sample interviews with developers, system administrators, contact centre agents, and management.

Pulling that together takes time. A lot of time. We typically see 400-700 hours of internal effort for a Level 1 service provider audit, 200-400 hours for a Level 2 merchant audit, and 80-150 hours for a Level 3/4 merchant on SAQ D. That's IT staff, security staff, compliance staff, contact centre team leaders, and senior management spending real working days on audit evidence rather than their actual jobs.

At a fully-loaded UK rate of £45-£70/hour (including employer NI, pension, overheads), 600 hours is £27,000-£42,000. That number doesn't appear on any QSA invoice but it shows up in your operating costs, your project delays, and the burnout you see in your security team every Q4 when the assessment lands. The single biggest lever for reducing this cost is mature documentation and scope reduction. Less scope means less evidence. Less evidence means fewer interviews. Fewer interviews means fewer person-hours.

How much a PCI audit costs for a small business — the SAQ A path

If you're a small merchant or service provider asking how much a PCI audit is going to cost you, the answer changes dramatically based on which SAQ applies. SAQ A — the lightest validation path — is available to merchants who fully outsource card capture and processing to PCI-validated third parties. Done properly, the entire annual compliance bill can sit under £5,000.

The SAQ A breakdown looks roughly like this: ASV quarterly scans £450-£1,200, attestation review by a QSA (optional but recommended for higher-trust assurance) £1,500-£4,000, internal staff time pulling evidence 30-60 hours (£1,500-£4,200 fully loaded), policy and procedure updates £500-£1,500 if you don't already have them in place. Add it up and you're at £3,950-£10,900 for a properly-run SAQ A.

If you're on SAQ D right now and you suspect you could move to SAQ A by changing how you capture card data, run that maths before your next renewal. Our PCI compliance for small business guide covers the SAQ selection logic and the descoping path. The numbers move from "five-figure annual problem" to "four-figure tickbox" if you get the architecture right.

What a Level 2 merchant audit actually looks like — worked example

Take a UK retailer with about 3 million card transactions a year, an e-commerce platform, a contact centre handling phone orders, and stored card-on-file tokens for repeat customers. That's a Level 2 merchant, validated annually via SAQ D-Merchant (or a full ROC if their acquirer demands one).

QSA engagement: 12 days at £2,400/day = £28,800. ASV scans: £2,400/year. External pentest: £9,500. Internal pentest: £12,000. Application pentest on the e-commerce platform: £18,000. Remediation work (typical year): £18,000. Internal staff hours: 320 hours at £60/hour fully loaded = £19,200. Total annual cost: £107,900.

Now run the same retailer with a descoped contact centre using DTMF masking, tokenised online checkout, and no cardholder data stored in their own environment. The merchant level might drop to Level 3 (or stay at Level 2 depending on acquirer rules) but the SAQ moves from D to A or A-EP. QSA engagement: 3 days at £2,400 = £7,200 (attestation review only). ASV scans: £900/year. External pentest: £6,000 (much smaller scope). Application pentest: not required for SAQ A. Remediation: £2,500. Internal staff hours: 80 hours at £60 = £4,800. Total annual cost: £21,400.

That's an annual saving of £86,500 by changing the architecture. Pinnacle Group cut their PCI scope by 95% using channel separation — same pattern, same maths. Our how to reduce PCI compliance cost piece walks through the descoping mechanics.

QSA audit cost vs in-house effort — where the real spend is

Finance teams often ask whether to invest in in-house PCI expertise to reduce QSA fees. The maths rarely works. A senior PCI specialist in the UK costs £85,000-£120,000 fully loaded. That's more than two complete Level 1 audits per year. Unless you have multiple audit cycles, multiple in-scope environments, or you're running a managed service to other companies, in-house specialism is a luxury, not a saving.

What does work is having strong in-house ownership of documentation and evidence — a compliance lead who knows where everything lives and can answer the QSA's questions without convening cross-functional meetings every time. That role usually sits inside an existing security or IT manager position rather than being a dedicated hire. Our PCI cost in-house vs outsourced comparison runs the full break-even analysis.

What pushes PCI audit fees up — the gotchas

These are the cost drivers we see repeatedly across QSA engagements. A change in your environment between gap analysis and assessment, which forces re-scoping. Multi-cloud deployments where the same controls need testing in AWS, Azure, and on-prem. Acquired companies whose CDEs haven't been integrated yet — each one is effectively a separate assessment. Custom-built payment integrations that the QSA needs to dig into rather than tick off as a standard configuration. Legacy systems running unsupported operating systems where the compensating controls take weeks to validate.

On the operational side: late evidence delivery (every day of QSA waiting time is a day they bill for), key staff being unavailable for interviews and pushing dates back, and finding cardholder data in unexpected places during the discovery phase — the classic being CSV exports in finance team email or PAN data in CRM call notes. The latter triggers either a redaction project (expensive) or a re-architecture (more expensive but solves the problem permanently).

Hidden cost — the cost of doing nothing

One number that doesn't show up in audit budgets but absolutely should: the cost of a compliance failure or breach. The card schemes can fine an acquirer up to £500,000 for a serious non-compliance event, which the acquirer almost always passes through to the merchant. ICO fines under UK GDPR for data breaches involving payment data can reach 4% of global turnover. The reputational cost of a breach is harder to quantify but real.

If your annual audit bill is £80,000 and the avoided cost of a breach is conservatively £500,000 over five years, the audit pays for itself many times over. Our piece on the hidden costs of PCI non-compliance works through the financial exposure if you want to model it for your board.

How descoping changes the entire cost stack

The cheapest PCI audit is the one you don't have to do. If you can architect your payment flows so card data never enters your environment — captured directly by a PCI-validated payment service provider via DTMF masking on phone calls, hosted iframe checkouts online, and tokenised storage for card-on-file — you can often move from SAQ D to SAQ A. That single change can drop annual compliance cost by 60-90%.

The savings compound. Smaller QSA engagement. Lower ASV bills. Less pentest scope. Less remediation. Less internal staff time. Less risk of breach. We've helped contact centres make this transition and the typical numbers we see are an annual saving of £60,000-£200,000 against the cost of implementing the descoped architecture, with payback usually in the first year. The take card payments over the phone page explains the architecture; the audit-cost saving is what makes the business case stack up.

Budgeting for next year's audit — what to do now

If you're heading into next year's audit cycle, three things are worth doing in the next quarter. First, run a scope review. Where does card data live? Where could it stop living? Every system you can take out of scope is QSA hours, pentest days, ASV IPs, and remediation cost you don't have to fund. Second, do a pre-audit gap analysis 60-90 days before the formal assessment. The remediation cost is the same whether it lands in February or May, but knowing it in February gives you time to plan rather than scramble. Third, look at the descoping path specifically. If you're on SAQ D and you could be on SAQ A, the maths almost always justifies the change.

The audit cost is a symptom. The disease is scope. Treat the scope and the audit cost takes care of itself.

Gap analysis vs full assessment — the two-stage cost structure

One thing that confuses first-time merchants is that a PCI audit usually isn't a single engagement. It's typically two: a gap analysis (sometimes called a readiness assessment) followed by the formal assessment that produces the AoC or ROC. The gap analysis runs 3-8 QSA days for a Level 2 merchant and 5-12 days for a Level 1 service provider. That's £6,000-£30,000 depending on size and complexity. Its job is to surface the controls that aren't in place, the documentation that's missing, and the remediation work you need to do before the formal assessment can produce a clean result.

Some QSACs roll the gap analysis into a single fixed-fee engagement; others quote the two stages separately. The structural advantage of the two-stage approach is that you can negotiate a longer remediation window between the two engagements without the QSA's meter running. The disadvantage is that you've paid for the QSA's time twice — once to find the gaps, once to verify they've been closed. For mature environments on their third or fourth audit cycle, a combined engagement usually makes more sense because the gaps are smaller and the QSA already knows the environment.

A point that's worth being explicit about: the gap analysis cost is largely fixed regardless of your scope, but the formal assessment cost scales sharply with scope. That's another reason scope reduction matters — a SAQ A merchant who does an optional QSA-assisted attestation is essentially paying gap-analysis-level fees with no formal assessment on top.

The Report on Compliance vs Self-Assessment Questionnaire cost gap

Level 1 entities — merchants over 6 million Visa/Mastercard transactions a year and most service providers handling significant volumes — need a full Report on Compliance signed off by a QSA. Everyone else completes a Self-Assessment Questionnaire, optionally validated by a QSA. The cost gap between these two paths is enormous and it's worth understanding why.

A ROC is roughly 60-80 pages of documented evidence covering every applicable PCI DSS requirement. The QSA has to physically test and document each control, sample evidence, conduct interviews, perform on-site observations (or remote equivalent), and produce a defensible report that an acquirer's compliance team will accept. That's labour-intensive and labour is what you're paying for. A typical ROC engagement bills 20-40 QSA days at full rate, putting the QSA fee alone at £40,000-£140,000.

An SAQ is self-attestation. You complete a questionnaire (anywhere from 22 questions for SAQ A to 329 for SAQ D), sign the Attestation of Compliance, and submit it to your acquirer. There's no QSA requirement at all. Many merchants do engage a QSA for an attestation review — particularly Level 2 merchants whose acquirers expect higher assurance — but that's an optional 2-6 day engagement, not a 20-40 day one. The cost differential between SAQ D-validated and ROC-required can easily be £50,000-£100,000 per year, and that's before you factor in the operational overhead difference.

This is also why PCI DSS levels matter so much commercially. If your transaction volume is on the edge of the Level 1 threshold, every transaction over the line pulls you into a permanently more expensive compliance model. Some merchants deliberately restructure their card-processing flow across multiple legal entities or acquirer relationships to keep individual entities under the Level 1 threshold — a perfectly legitimate approach, just one that needs careful structuring.

Industry-specific cost patterns we see

Audit costs vary by sector in ways that aren't always obvious. Contact centre BPOs handling card payments for multiple clients face the highest costs we see, because they're typically Level 1 service providers with multi-tenant environments, segmentation that needs constant re-validation, and segmentation pentests every six months. Annual all-in compliance cost for a 200-seat contact centre BPO routinely sits at £180,000-£350,000 before any descoping.

Healthcare organisations face a double-stack problem: PCI for the payment side and HIPAA (in the US) or UK GDPR special-category data rules for the clinical side. The audit costs themselves are PCI-sized, but the remediation costs are inflated because controls have to satisfy both frameworks simultaneously. Our healthcare page covers the PCI-plus-clinical-compliance overlap.

Utility companies typically have the highest internal-staff-hours line because they have decades-old systems that nobody fully understands, payment flows that have grown organically, and customer-service teams capturing card data over the phone in patterns the security team didn't know existed. Audit cycles for utilities surface more remediation than almost any other sector — £80,000-£200,000 in remediation isn't unusual on a first proper audit.

Insurance and legal-services firms tend to have cleaner audit cycles because their payment volumes are lower and their card-capture flows are usually narrower. But they often pay disproportionately for application-layer pentests because their customer portals contain extremely sensitive non-payment data that the testing has to cover anyway.

Retail with both physical and online presence has the most complex scope: card-present POS systems, e-commerce checkout, contact centre phone orders, payment links for delivery slot rebooking, and stored card-on-file for loyalty programmes. Each channel is its own scope conversation. The descoping wins here can be massive — if you can move every channel onto a PCI-validated payment service provider with consistent tokenisation, you collapse five compliance problems into one.

Multi-year audit cost trajectories

It's worth modelling this as a five-year curve, not a single-year number, because it changes how you make the descoping investment decision. Year one with a new environment and a first-time QSA is always the most expensive: a high QSA day count because they're learning your environment, high remediation cost because the gap analysis surfaces multi-year backlogs, and high internal staff hours because you've never done this before.

Year two typically drops 20-30% on QSA fees as the assessor knows your environment and your documentation is now in shape. Remediation drops sharply because the major gaps closed in year one. Internal staff hours drop because the team has the muscle memory. Year three settles into a steady state — call it 50-65% of year one's all-in cost — assuming no major environmental changes.

What pushes the curve back up: a significant change in your environment (new cloud region, acquisition, contact-centre platform migration), a change in QSAC (new assessor, new learning curve), or a change in the PCI DSS standard itself. The move from v3.2.1 to v4.0 and then v4.0.1 added new requirements and pushed audit hours up across the market in 2024-2025. Plan for periodic step-changes in cost when standards versions move; the next material change is unlikely to land before 2027, but it'll be material when it does. Our PCI DSS v4 page covers the requirement-level changes if you're modelling future-year impact.

Tools and tooling — the software costs around the audit

There's a category of cost that sits between QSA fees and internal staff hours: the tools the standard effectively requires you to run. SIEM or log aggregation for Requirement 10 (£15,000-£60,000/year for a mid-sized environment). File integrity monitoring for Requirement 11.5 (£8,000-£20,000/year). Vulnerability management beyond ASV scans (£10,000-£25,000/year). MFA for administrative access on every in-scope system (£15-£35 per user per year). Key management infrastructure if you handle PANs or sensitive authentication data (£25,000-£80,000/year for HSM-backed key management).

None of these appear on a QSA invoice. All of them are required to pass the audit. We've seen Level 1 service providers spending £150,000-£300,000 a year just on the operational tooling needed to maintain audit-ready status — a number that often dwarfs the QSA fee. Descoping kills most of these costs because the tools follow the in-scope systems. Fewer in-scope systems means smaller SIEM licences, fewer MFA seats, less file integrity monitoring coverage, and a smaller vulnerability management footprint.

For a contact centre that fully descopes its card-capture flow with channel separation, we routinely see total tooling cost drop by 60-80% over two audit cycles. That's the saving that doesn't show up in any "PCI audit cost" calculator but lands hard on the operational P&L.

Negotiating the QSA engagement letter

A few practical levers we've seen reduce audit cost without compromising assessment quality. First, multi-year engagement letters: commit to three years with the same QSAC and most will discount the per-year fee by 10-15%. Second, scope of the engagement letter itself: have the QSA quote against a clearly documented scope (which means doing the scope work properly before they arrive) rather than a vague "we need a PCI audit" brief. Vague briefs come back with the highest day count because the QSA is pricing in discovery risk.

Third, remote versus on-site: remote assessments save the QSA's travel time and most QSACs will pass some of that saving back if you ask. Hybrid models — remote evidence review, on-site sampling and interviews — are increasingly the default and the cost is usually 10-20% below pure on-site delivery. Fourth, evidence packaging: arrive at the engagement with a pre-built evidence library that maps to PCI DSS requirement numbers. The QSA spends less time hunting for documents and your day count goes down. We've seen well-organised clients knock 2-4 days off a Level 2 engagement just by having their evidence in the right format from day one.

What we don't recommend negotiating: trying to push the QSA to skip controls or accept thin evidence. Reputable QSACs won't do it, and even if you find one that will, the resulting AoC won't survive scrutiny if you ever have a breach. The point of the audit is defensibility, not the lowest possible fee. Spend the energy on scope reduction instead.

Common QSA invoice mistakes — what to check before you pay

One thing we recommend every time: review the QSA invoice line-by-line against the engagement letter before approval. The mistakes we see aren't fraud — they're billing-team errors and they're more common than you'd think. Days billed against the wrong project code. Travel time charged when the engagement letter said remote. Re-test days for remediation that the QSA actually waived. Junior consultant hours billed at the senior rate. Extra report-writing days that weren't in the original quote.

None of these are huge individually. Most QSAs will correct them without argument when you flag them. But across a £45,000 invoice, billing errors of £2,000-£5,000 are normal and they cost nothing to catch beyond an hour of finance team review time. Build it into your audit process the same way you'd review any other supplier invoice. The QSAC partner doesn't take it personally — they get it from every well-run client.

One more thing: get the final ROC or AoC in your hands before the final invoice is paid. That's where your negotiating position sits for any disputes. Once you've paid and the QSA has moved on to the next client, getting fixes or clarifications added to the report becomes a months-long exercise rather than a same-week one.

Next steps

If you want a concrete model of what your next PCI audit will cost — with line items for your specific environment — our team can walk through it with you. We've sat in on hundreds of audits and we know where the surprises hide. Get in touch for a no-pressure scoping conversation, or book a demo of the channel-separation architecture if you want to see how descoping actually works before you commit to next year's budget.
