Payment Security · 29 May 2026 · 20 min read

PCI Cost: In-House vs Outsourced — Real Numbers Compared

PCI in house vs outsourced: the real annual cost gap for a UK contact centre is £45k–£120k versus £5k–£18k. Here's the breakdown.


TL;DR

PCI in house vs outsourced isn't a close call once you do the maths. A small-to-mid UK merchant running PCI in-house typically spends £45,000–£120,000 a year by the time you add the QSA, the ASV scans, the segmentation kit, the staff time and the breach-risk reserve. Outsourcing card capture to a PCI-DSS Level 1 provider like Paytia drops that to a four-figure annual subscription and shrinks your SAQ from D to A. We've seen clients cut PCI scope by 95% on day one.

Last updated: 29 May 2026

Most people we talk to start the PCI conversation thinking the in-house option is cheaper. It looks cheaper. There's no line item on a vendor invoice — just the QSA fee, which feels manageable. Then we sit down and walk through what "in-house" actually means once you're a Level 2 or Level 3 merchant taking card payments over the phone, and the picture changes fast. The audit fee is maybe 15% of the real annual cost. The other 85% is hiding in segmentation, logging, scans, training, evidence collection and the time your security and ops people spend on it.

This post pulls those numbers out into the open. We'll show you what a typical in-house PCI programme costs a UK business of 50–500 staff, what an outsourced model costs over the same period, and where the break-even point sits. If you'd rather see the headline figure first: a Paytia subscription for agent-assisted phone payments lands between £4,800 and £18,000 a year depending on volume. The in-house equivalent is rarely under £45,000 once everything's loaded in. That's the comparison we're making.

What PCI in house vs outsourced actually means

Let's get the definitions straight before we throw numbers around, because the words "in-house" and "outsourced" both get used loosely and the cost difference depends entirely on which version we're talking about.

In-house PCI means your business stores, processes or transmits cardholder data inside its own systems. Your agents take card numbers over the phone and key them into your CRM or payment terminal. Your servers touch the PAN. Your network sits inside the Cardholder Data Environment (CDE) and every workstation, switch, firewall and call recorder that can see or hear that PAN falls into PCI scope. You sign the SAQ D (or full ROC if you're Level 1), you appoint a QSA, you run quarterly ASV scans on your external IPs, and your security team owns the evidence trail.

Outsourced PCI means you've engineered the card data out of your environment entirely. Your agent never sees the PAN. Your recordings never capture it. Your CRM never stores it. A PCI-DSS Level 1 service provider — that's what we are — captures the digits via DTMF masking, tokenises them, sends the token to your gateway, and hands you back nothing more sensitive than a transaction reference. You drop from SAQ D (332 controls) to SAQ A (around 22 controls) overnight. That's the descope.

There's a middle ground people try, which is "semi-outsourced" — usually a redirect or an iframe checkout for the web channel, but agents still hearing card numbers on calls. It rarely works because the phone channel is where the PCI scope lives for most contact centres. We've covered this in detail in our piece on the cost of PCI compliance, which is the pillar this post sits under.

The in-house cost stack — what's really in there

Here's where the numbers start hurting. We've put together hundreds of these costings for prospects over the years and the same line items show up every time. Let's walk through them for a hypothetical 50-seat contact centre taking around 8,000 phone payments a month — call it a Level 3 merchant on Visa/Mastercard rules.

QSA audit and validation. If you're SAQ D self-assessing, you can technically do this without a QSA, but most merchants at this size buy in a Qualified Security Assessor for at least the gap analysis and the SAQ review. Budget £8,000–£25,000 a year for a UK QSA depending on complexity. A full Report on Compliance (ROC) for Level 1 merchants is £40,000–£120,000. We break the audit side of this down further in our PCI audit cost breakdown.

ASV scans. Quarterly external vulnerability scans by an Approved Scanning Vendor. £2,000–£5,000 a year for a small IP estate, more if you've got a sprawling external footprint.

Network segmentation. This is the one that catches people. To keep the CDE small you need firewalls between the cardholder zone and everywhere else, plus logging, plus annual penetration testing on the segmentation boundary. £15,000–£40,000 in year one for kit and config, then £5,000–£15,000 a year for the pen test and maintenance.

Logging and SIEM. Requirement 10 says you log every access to cardholder data and review the logs daily. A managed SIEM service for a small CDE is £6,000–£18,000 a year. Doing it in-house with the ELK stack is technically free until you cost in the engineer who runs it.

Staff time. The one nobody puts on the spreadsheet. Reckon on 0.3–0.5 FTE for PCI evidence collection, change management, vendor reviews and the dreaded annual self-assessment exercise. At a £55,000 fully-loaded UK security analyst salary that's £16,500–£27,500 a year. If you've got call centre supervisors picking it up off the side of their desk instead, the cost is hidden but the controls slip.

Annual training. Requirements 6.2 and 12.6 — security-awareness training for everyone with access to the CDE, plus role-based training for developers. £30–£80 per head per year. For a 50-seat centre call it £2,000–£4,000.

Penetration testing. Internal and external, annually and after significant change. £8,000–£20,000 a year for a small CDE. More if your call-recording platform has anything custom about it.

Tooling. File integrity monitoring (Requirement 11.5), anti-malware (5.1), strong cryptography for transmission (4.1) — assume £8,000–£15,000 a year for licences if you don't already have an enterprise security stack you can extend.

Add it up. The honest range for a 50-seat UK contact centre running PCI in-house is £45,000–£120,000 a year, with a £25,000–£60,000 capex spike in year one for segmentation kit. That's before you've reserved a penny for breach risk, and the hidden-cost picture gets even worse if you're under-resourced — we walk through what non-compliance actually costs in our piece on the hidden costs of PCI non-compliance.

The outsourced cost stack — what disappears and what stays

Now let's run the same scenario through the outsourced model. Your agents are still on the phone. Your CRM still tracks orders. Your callers still pay by card. The only thing that changes is where the digits go.

When the caller is ready to pay, the agent stays on the line and hands the digit-entry over to the Paytia capture session. The caller types their PAN on their phone keypad. We mask the DTMF tones so the agent hears nothing decodable and the call recorder records nothing decodable. The digits hit our PCI-DSS Level 1 environment, never yours. We tokenise, push to your gateway (Stripe, Worldpay, Adyen, whoever), and return a confirmation.

Here's what falls out of your cost stack:

  • QSA fees drop from £8,000–£25,000 to £0–£3,000 because you've moved from SAQ D (332 controls) to SAQ A (22 controls). Many SAQ A merchants self-attest with no QSA at all.
  • ASV scans drop to zero on the CDE because there's no CDE left in your environment.
  • Network segmentation costs drop to maintenance-only — you don't need a hardened CDE zone because there's no cardholder data inside your perimeter.
  • Logging and SIEM costs around card data drop to nothing. You still log everything else for general security, but the PCI-specific evidence burden goes away.
  • Staff time on PCI evidence collection drops by 70–90%. Our customers typically report saving 0.2–0.4 FTE.
  • Pen testing scope shrinks dramatically. You still test your wider environment, but the call-handling boundary doesn't need annual cardholder-data pen tests.

What stays: a Paytia subscription. For a 50-seat contact centre at 8,000 calls a month that's typically £8,000–£14,000 a year on standard commercials, including DTMF masking, agent-assisted capture, tokenisation, gateway routing and the SAQ A attestation letter we write for you each year. You still need to do basic PCI hygiene on your wider IT — password policy, access reviews, the SAQ A controls — but the heavy lift is gone.

Total annual cost for the outsourced model on this scenario: £10,000–£18,000 all-in.


Side-by-side: the comparison most people don't run

Let's lay it out. Same 50-seat contact centre, same call volume, same year:

In-house PCI (SAQ D). QSA £15,000. ASV scans £3,500. Segmentation amortised £8,000. SIEM £10,000. Staff time £22,000. Training £3,000. Pen testing £12,000. Tooling £10,000. Total: £83,500 a year, plus a £40,000 year-one capex spike.

Outsourced PCI (SAQ A with Paytia). Paytia subscription £12,000. Residual SAQ A controls and staff time £2,500. Total: £14,500 a year, no capex.

That's a £69,000 annual delta — about 83% reduction in PCI cost — and we haven't yet priced in the breach-risk reduction. Average UK card-data breach cost from IBM's 2025 study is £3.8 million when you include legal, notification, regulatory and brand damage. The probability is small, but the expected-value calculation for breach reserve at 1% per year is £38,000 a year on the in-house model and effectively zero on the outsourced model (the breach surface lives in Paytia's environment, which is PCI-DSS Level 1, ISO 27001 and SOC 2 audited).

If you want to see this calculation tailored to a smaller business — say 5–20 agents — read our companion piece on PCI compliance for small business. The proportions change but the direction of travel doesn't.

Where the break-even point actually sits

People sometimes ask: surely if you're tiny, in-house is cheaper? The honest answer is no, not really. The PCI controls don't scale down. A 3-seat contact centre still needs the same firewalls, the same logging, the same SAQ, the same QSA opinion if anyone wants one. The minimum viable in-house PCI programme is around £25,000–£35,000 a year for a SAQ B-IP or SAQ C-VT merchant.

The Paytia minimum for a small business is around £4,800 a year. The break-even is essentially "do you take card payments by phone at all". If yes, outsourced wins. If no, you might not need either of us — you just need a tokenised online checkout and SAQ A.

The one exception we'll flag honestly: very large enterprises (Level 1, multi-region, multi-channel) sometimes find that a hybrid model works — outsource the phone channel to descope the contact centre, but keep an internal PCI programme for the rest of the estate. We'll happily talk through a hybrid if that's where you are.

What gets cheaper that nobody mentions

The line items above are the obvious ones. There are several others we've watched our customers benefit from that don't show up on a typical TCO spreadsheet.

Cyber insurance premiums. Underwriters look at whether you store PAN. Removing PAN from your environment is one of the single biggest premium reducers for mid-sized contact centres. We've seen renewal quotes come in 15–30% lower.

RFP wins. Enterprise procurement teams ask "are you PCI compliant and how do you take payments". "We use a Level 1 service provider so we're SAQ A" is the answer that closes the question fastest. SAQ D answers invite follow-up questions and security-questionnaire pain.

Hiring. If your security team isn't fighting a PCI fire every quarter, you can hire one fewer security analyst. That's £55,000–£80,000 of headcount you don't need.

Audit fatigue. SOC 2 audits, ISO 27001 audits and customer security reviews all get faster when there's no cardholder data in scope. Less evidence, fewer interviews, shorter reports.

One of our clients, Pinnacle Group, cut their PCI scope by 95% on day one of moving to agent-assisted phone payments. That number isn't a vendor case-study exaggeration — it's the descope you get when 332 controls become 22. We've also worked with names you'll recognise like Warby Parker and InsureandGo who moved to Paytia precisely to get this scope reduction. The cost story is consistent across all of them.

The honest case for staying in-house

We'll close the loop with the cases where in-house genuinely makes sense, because they exist and we'd rather be straight with you.

You should consider keeping PCI in-house if: you already have a mature, ISO-27001-aligned security function with spare capacity; your card volumes are so high that the per-transaction economics of a service provider get expensive (we're talking Level 1 merchant volumes, north of 6 million transactions a year on the phone channel specifically); you have unique compliance requirements that force the data to stay on your side (rare but real in defence, certain government contexts); or you're a payments platform yourself and the CDE is your product.

For everyone else — and that's the vast majority of UK contact centres, healthcare providers, insurers, utilities, charities and retailers we work with — outsourcing card capture is straightforwardly cheaper, faster to deploy and lower risk. We've also published a deeper guide to reducing PCI compliance cost that goes into the tactical moves you can make whichever path you choose.

How Paytia prices it

We don't have a public price list because the volume bands matter and we'd rather quote you something accurate than something headline-grabbing. The structure is straightforward: a monthly platform fee covering DTMF masking, agent-assisted capture, tokenisation and the SAQ A attestation; a per-transaction component for the card capture itself; and optional add-ons for things like payment links, IVR self-service or web-chat payments.

For most contact centres of 10–100 agents we land between £6,000 and £24,000 a year all-in, with the bulk of the value concentrated in the SAQ A descope and the breach-risk transfer. If you want a breakdown specific to your call volume, channel mix and current PCI scope, the fastest route is a 20-minute call.

A worked example — a 25-seat insurance contact centre

Numbers stick better with a real shape, so here's a worked example from a project we ran with a UK insurer (anonymised, with their permission). They had 25 customer-service agents handling renewals, mid-term adjustments and claims payments. Phone-channel card volume was around 4,500 transactions a month at an average ticket of £180. Pre-Paytia, they were on SAQ D and had a QSA opinion every year. Annual PCI-related spend, on the books:

  • QSA fees, including gap analysis, SAQ D review and remediation guidance: £18,500.
  • Quarterly ASV scans against 14 external IPs: £4,200.
  • Network segmentation hardware refresh amortised over five years from a £45,000 capex spend: £9,000 a year.
  • Managed SIEM service covering the CDE: £14,000.
  • Annual external pen test plus internal scope test: £16,500.
  • FIM, anti-malware and key management tooling licences: £12,000.
  • Half an FTE (a senior compliance analyst) on PCI evidence collection, change management, vendor reviews and the SAQ exercise: £31,000 fully loaded.
  • Annual training across 60 staff (CDE-adjacent roles): £3,200.

Total annual PCI spend, audited and visible: £108,400. Not far off six figures. They also carried a £25,000-a-year cyber-insurance loading because the underwriter classed them as a PAN-storing merchant.

Post-Paytia, twelve months in, the same business looked like this:

  • Paytia subscription including DTMF masking, agent-assisted capture, tokenisation and the SAQ A attestation letter: £14,400.
  • QSA opinion retained for ISO 27001 alignment, scope reduced: £4,200.
  • Residual SAQ A control maintenance and staff time: £3,000.
  • SIEM, pen testing and tooling retained for general security but no longer scoped specifically for the CDE — let's call the PCI-attributable portion £1,500 (they kept the broader programme for non-PCI reasons).

Total annual PCI-attributable spend: £23,100. Plus a cyber-insurance reduction of £9,000 at the next renewal once their broker confirmed the SAQ A status. Net annual saving: £94,300. Payback on the Paytia subscription happened inside the first month.

The bit that surprised them most wasn't the cost saving — it was how much calmer the compliance team's calendar got. No more quarterly fire drills before the QSA visit, no more chasing log evidence from the SIEM team, no more pen-test prep weeks. The compliance analyst went from 50% PCI to about 8% PCI, and that capacity went into ISO 27001 and SOC 2 work that had been sitting in the backlog.

What the comparison looks like at different business sizes

The 50-seat and 25-seat examples are useful but lots of merchants are bigger or smaller. Here's how the in-house-versus-outsourced gap behaves across sizes, in rough terms.

Micro merchants (1–5 agents, <1,000 transactions/month). The in-house cost falls to around £15,000–£25,000 a year — basically QSA-light, manual segmentation, no full SIEM. The outsourced cost falls to around £4,800–£7,200 a year. The gap is smaller in absolute terms but the percentage saving is still significant, and the breach-risk transfer matters disproportionately for small businesses where a single fine can be existential.

Small businesses (5–25 agents, 1,000–5,000 transactions/month). In-house lands at £25,000–£60,000. Outsourced lands at £6,000–£14,000. This is where the cost gap really starts to bite and where we see the highest concentration of new customers.

Mid-market (25–100 agents, 5,000–25,000 transactions/month). In-house £60,000–£150,000. Outsourced £12,000–£28,000. The descope value is enormous here because the in-house control burden grows non-linearly with seat count.

Upper mid-market (100–500 agents, 25,000–150,000 transactions/month). In-house £150,000–£400,000. Outsourced £28,000–£75,000. Almost always worth outsourcing the phone channel even if other channels stay in-house.

Enterprise (500+ agents, 150,000+ transactions/month). In-house £400,000–£2M. Outsourced £75,000–£300,000+. The break-even point can shift here depending on per-transaction economics. We've still saved seven-figure annual costs for several Level 1 merchants by descoping the call-centre estate, but the conversation gets more nuanced.

Common objections and our honest answers

"We've already paid for the segmentation kit — isn't that a sunk cost we should keep using?" The capex is sunk but the opex isn't. The annual maintenance, pen testing and certification renewals on segmentation keep coming. You don't have to throw the kit away — many of our clients redeploy it as part of their general network defence — but the PCI-specific reason for owning it goes away.

"What if Paytia goes down? Are we exposed?" Fair question. Our SLA is 99.95% and we publish status at status.paytia.com. We've had a small number of incidents over the years — every payments business has — and they've been measured in minutes, not hours. The in-house alternative isn't free of downtime risk either; we'd argue PCI-validated multi-region infrastructure is more resilient than most contact centres' homegrown payment stacks. Our multi-region architecture lives in three Vercel POPs and the data layer is multi-region Supabase. The full uptime methodology is published.

"Our security team will lose the PCI work they enjoy." We hear this less often than people expect. Most security analysts we've worked with were glad to redirect time to threat detection, incident response and zero-trust projects that move the needle on actual risk. PCI evidence collection isn't anyone's favourite job.

"What about regulatory reporting? Don't we still own that?" Yes, you do. We provide the underlying PCI-DSS Level 1 AOC and the attestation letter for the channel we handle, but the SAQ A is your document. We're not a regulatory liability shield — you're still the merchant of record and responsible to the card brands. What we do is shrink the surface where you can fail.

"Our customers won't trust typing card numbers into a phone keypad." This is mostly a perception issue and almost always evaporates after the first few weeks live. We've measured customer satisfaction before and after with several clients and the scores either stay flat or improve. The agent staying on the line is the key — the caller hears a familiar voice throughout, types the digits, hears the success confirmation, all on the same call.

Procurement timing — when to make the switch

The cheapest time to switch from in-house to outsourced PCI is the month before your next QSA renewal. You don't waste the assessment fee you've already paid, and you can take the SAQ change live before the new audit cycle begins. The second-cheapest time is immediately after a failed or qualified QSA opinion — the cost of remediating a finding usually exceeds the cost of moving the channel out of scope entirely.

The worst time to switch is mid-PCI-incident. Don't try to descope while you're firefighting a breach or an audit finding. Stabilise first, then plan the migration.

From a budget-cycle perspective, most UK businesses set their PCI budget alongside their wider IT security budget — typically Q3 of the previous year for an April start. If you're reading this in May–August, you're in the planning window for next year's spend. That's the right time to model both options properly and pick the one that wins on TCO.

How to brief your CFO on the comparison

If you're a security or operations lead trying to get sign-off, the conversation with the CFO usually needs three numbers and one question.

The three numbers: current annual PCI spend (be honest, include staff time), projected outsourced spend (we'll quote it), and the year-one transition cost (typically £3,000–£8,000 of internal effort plus any short-term overlap of subscriptions and QSA fees). Lay them out as a three-year TCO. The outsourced option pays for itself inside the first year for nearly every merchant we work with, and the cumulative three-year saving is usually £150,000–£500,000 for a mid-sized contact centre.

The one question your CFO will ask: "what's the risk if it doesn't work?" The risk profile is genuinely low because you can run both in parallel for a transition month, validate the descope with your QSA, and only retire the in-house controls once the SAQ A attestation is signed. We've done dozens of these migrations and we haven't had to roll one back.
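The side-by-side figures from the 50-seat scenario above, carried through into the three-year TCO this section asks you to lay out. This is an added example and not Paytia's own pricing spreadsheet; the line items, the 1% annual breach probability and the £3.8M breach cost are the page's figures, while the £8,000 transition cost (top of the page's year-one range) and the payback calculation are assumptions made here.

```python
"""
Three-year PCI TCO model for the post's 50-seat, 8,000-payments-a-month scenario.

Added example, not Paytia's spreadsheet. Line items and the breach-reserve
method (annual probability x average breach cost) follow the post; the
transition cost and payback logic are assumptions labelled below.
"""
from dataclasses import dataclass


@dataclass
class PciModel:
    name: str
    annual_opex: dict[str, float]     # recurring line items, GBP per year
    year_one_capex: float = 0.0       # one-off spend in year one (e.g. segmentation kit)
    transition_cost: float = 0.0      # year-one internal effort and subscription overlap
    breach_probability: float = 0.0   # annual probability of a card-data breach
    breach_cost: float = 0.0          # fully loaded average cost of one breach

    def annual_opex_total(self) -> float:
        return sum(self.annual_opex.values())

    def breach_reserve(self) -> float:
        """Expected annual breach loss: probability x impact."""
        return round(self.breach_probability * self.breach_cost, 2)

    def year_cost(self, year: int, include_reserve: bool = False) -> float:
        cost = self.annual_opex_total()
        if include_reserve:
            cost += self.breach_reserve()
        if year == 1:  # capex and transition effort land in year one only
            cost += self.year_one_capex + self.transition_cost
        return cost

    def tco(self, years: int = 3, include_reserve: bool = False) -> float:
        return sum(self.year_cost(y, include_reserve) for y in range(1, years + 1))


# Figures quoted on the page for the 50-seat contact centre.
IN_HOUSE = PciModel(
    name="In-house PCI (SAQ D)",
    annual_opex={
        "QSA": 15_000, "ASV scans": 3_500, "Segmentation (amortised)": 8_000,
        "SIEM": 10_000, "Staff time": 22_000, "Training": 3_000,
        "Pen testing": 12_000, "Tooling": 10_000,
    },
    year_one_capex=40_000,
    breach_probability=0.01,   # 1% a year, as used on the page
    breach_cost=3_800_000,     # IBM 2025 UK card-data breach figure quoted on the page
)

OUTSOURCED = PciModel(
    name="Outsourced PCI (SAQ A)",
    annual_opex={"Provider subscription": 12_000, "Residual SAQ A controls": 2_500},
    transition_cost=8_000,     # assumption: top of the page's £3k-£8k year-one range
    breach_probability=0.0,    # page treats the in-house card-data breach surface as removed
)


def compare(a: PciModel, b: PciModel, years: int = 3, include_reserve: bool = False) -> dict:
    """Annual delta, percentage saving and multi-year TCO for two models."""
    a_annual, b_annual = a.annual_opex_total(), b.annual_opex_total()
    tco_a, tco_b = a.tco(years, include_reserve), b.tco(years, include_reserve)
    return {
        "annual_delta": a_annual - b_annual,
        "pct_saving": round(100 * (a_annual - b_annual) / a_annual, 1),
        "tco_a": tco_a,
        "tco_b": tco_b,
        "tco_saving": tco_a - tco_b,
    }


def payback_months(in_house: PciModel, outsourced: PciModel) -> int:
    """Months until the monthly opex avoided has repaid the transition cost.
    Assumption: in-house capex is sunk and excluded; returns -1 if the
    outsourced model never overtakes the in-house one."""
    monthly_saving = (in_house.annual_opex_total() - outsourced.annual_opex_total()) / 12
    if monthly_saving <= 0:
        return -1
    outstanding, month = outsourced.transition_cost, 0
    while outstanding > 0:
        month += 1
        outstanding -= monthly_saving
    return month


if __name__ == "__main__":
    for key, value in compare(IN_HOUSE, OUTSOURCED).items():
        print(f"{key:14s} {value:>12,.1f}")
    print("in-house breach reserve:", IN_HOUSE.breach_reserve())
    print("payback months:", payback_months(IN_HOUSE, OUTSOURCED))
```

Pass `include_reserve=True` to `compare` to fold the £38,000 annual breach reserve into the in-house column, which is the version of the comparison the post argues a CFO should see.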

Industry-specific cost considerations

The general numbers hold up across most sectors, but a few industries have specifics worth flagging.

Healthcare and insurance. Often have additional HIPAA, FCA or GDPR considerations that interact with PCI scope. Outsourcing card capture simplifies the overlap because you've reduced the data you hold. We've worked with insurers like InsureandGo where the combined regulatory load was the trigger for descoping.

Charities and non-profits. Often run lean security teams, so the in-house PCI burden falls disproportionately on operations staff. The outsourced model is almost always the right answer.

Utilities and housing. High volumes of recurring payments and vulnerable-customer interactions. Phone payments need to be both PCI-secure and accessible. We support this with channel-separation and accessible-keypad options.

Retail and e-commerce. Already typically use a tokenised web checkout, so the question is just the phone channel. Adding agent-assisted capture is usually a quick win once the rest of the stack is descoped.

Legal and professional services. Smaller volumes but higher-value transactions, so the breach-risk reduction matters disproportionately. The PCI cost gap is smaller in absolute terms but the reputation-risk transfer is large.

What the year-one transition really looks like

The transition itself isn't free, and we'd be misleading you if we pretended it was. Here's what to budget for in year one beyond the subscription itself.

Internal project time. Reckon on 30–60 hours of work from your IT, security, contact-centre operations and procurement teams combined. That's the people side of integrating the platform, training agents, briefing your QSA and updating documentation. At a fully-loaded rate of around £65 an hour that's £2,000–£4,000 of opportunity cost.

Telephony integration. If your contact centre runs on Genesys, Avaya, Five9, Talkdesk, NICE CXone, Amazon Connect or another standard platform, the integration is usually a routine config change at the SIP-trunk level. We've done dozens of each. If you run something bespoke or on-premise, there's slightly more work but it's still a known quantity. Budget zero to £3,000 of integration cost; we don't charge for standard telephony work.

QSA briefing and SAQ rewrite. Your QSA needs to be told what's changing, given our AOC, and walked through the new SAQ A scope. Most QSAs charge £1,500–£3,500 for the scope-change review. Worth doing properly so the next renewal goes smoothly.

Parallel running. For peace of mind we usually recommend a one-month parallel period where the old in-house flow remains available as a fallback. That means double-paying for one month on whichever in-house costs are monthly (subscriptions, support contracts). Most clients are confident enough after two weeks to cut over fully.

Documentation refresh. Your security policies, incident-response runbooks and agent scripts all need a light edit to reflect the new flow. Most companies handle this in-house in a day or two.

Total year-one transition cost above the subscription: typically £3,000–£8,000. Set against the £60,000–£90,000 of in-house cost you're removing, the payback is immediate.

How we'd model your specific scenario

If you want to know your own number, we'll build the model with you in a 20-minute call. The information we need is straightforward: rough headcount in your contact centre, monthly phone-payment volume, current PCI level (1, 2, 3 or 4 — most people aren't sure and that's fine), current QSA arrangement, and a sense of which channels other than phone you take payments on. We'll plug those into the same spreadsheet we used for the case studies above and you'll walk away with a year-one and three-year TCO comparison you can take straight to your CFO.

We don't charge for the discovery work. The reason we offer it free is that two-thirds of the businesses who run the model end up moving across, so the time investment makes sense for us. If your scenario genuinely points toward staying in-house, we'll tell you that. We've turned down work where it wasn't the right fit, including a couple of contact centres that were already so deep into their own platform build that switching would have cost more than it saved.

What changes after year three

One question we get from CFOs is whether the savings compound or plateau. Honest answer: they compound modestly. In-house PCI costs creep upward over time as headcount grows, as the PCI-DSS standard evolves (v4.0.1 has more controls than v3.2.1, and v5 is on the horizon), as cyber-insurance premiums drift, and as auditor day-rates rise. The outsourced cost grows roughly with your transaction volume, which is a far gentler curve for most contact centres.

Over a five-year horizon, the cumulative saving for a typical mid-market contact centre lands between £350,000 and £750,000. That's the real prize and it's why most of the conversations we have aren't really about the year-one cost — they're about whether the operating model is sustainable into the late 2020s. We think the answer is clearly no for in-house, mainly because of the talent cost of running niche compliance work in a market that's short on security analysts.

Glossary cross-references

If any of the PCI terminology in this post is new, we've got plain-English entries for the main acronyms: SAQ (Self-Assessment Questionnaire), PCI DSS scope, descoping PCI, tokenisation and PCI Level 1 service provider. Worth bookmarking before you brief your finance director on what you're changing.

Next steps

If you're sketching out next year's PCI budget and want a like-for-like cost comparison for your specific contact centre, the quickest path is to book a 20-minute call via our contact page and we'll model it with you on screen. If you'd rather see the platform in action first, our live demo walks through agent-assisted capture end to end so you can see exactly what your agents and callers experience. Either way, we won't push you toward outsourcing if your situation genuinely points the other way — we've turned business away when it wasn't a fit.
