The cost of PCI compliance is the question every CFO asks first, and the question every PCI vendor sidesteps. There's no flat number, and anyone quoting one upfront is either selling you a tool or hiding most of the bill.
What you actually pay depends on three things: your merchant level, which Self-Assessment Questionnaire you fall under, and how much of your network you've taken out of PCI scope. Get those three right and your annual PCI cost can drop by 80% or more without dropping your security posture. Get them wrong and you'll keep paying for a Report on Compliance you didn't need.
This piece walks through the four cost lines that actually make up your PCI bill, what each one costs in the US in 2026, where most merchants over-pay, and the two moves that compound to bring the number down. It's written from where we sit — a PCI DSS Level 1 service provider since 2016, with over $500M in transactions processed. We've been through the full QSA-led audit ourselves every year and we've seen what customers spend at every merchant level.
The four cost lines that add up to your PCI bill
Every PCI compliance budget breaks down into the same four lines. They scale very differently by merchant level, but the structure doesn't change.
The first is assessment — the cost of either filling in your Self-Assessment Questionnaire correctly or paying a Qualified Security Assessor to write your Report on Compliance. For most US merchants this is an SAQ, and the direct cost is your team's time rather than a third-party invoice. For Level 1 merchants and a chunk of Level 2s, the cost is a QSA engagement, which we'll come back to.
The second is remediation, and this is almost always the biggest line. The SAQ or RoC tells you which controls you're missing; remediation is the actual work to put them in. A missing MFA setup on admin accounts is a controls gap. A flat network where the cardholder data environment is reachable from every laptop is a controls gap. A call recording archive that holds five years of PANs is a controls gap. None of those get fixed by the assessment itself.
The third is ongoing tooling: Approved Scanning Vendor scans, log management for Requirement 10, internal vulnerability scanning, file integrity monitoring, MFA for access into the cardholder data environment (under v4 that is all access into the CDE, not just non-console admin, as it was in v3.2.1), and so on. Most of these run as annual subscriptions, and most of them you only need once the SAQ you are on actually asks for them.
The fourth is internal staff time, and it's the line every budget under-counts. The SAQ itself takes anywhere from a couple of days to several weeks of focused work depending on how much network and process scope is in it. Evidence collection, screenshots, log samples, policy documents — all real hours coming out of someone's calendar. Cost those hours properly and the picture changes.
Your merchant level decides whether it's an SAQ or a Report on Compliance
Visa and Mastercard each publish their own merchant level definitions, but they line up closely. Level 1 is more than six million transactions a year on one scheme, and it pulls you into a mandatory annual Report on Compliance. Level 2 is one to six million; most Level 2 merchants self-assess on SAQ D, and some get pushed to a RoC by their acquirer. Level 3 is twenty thousand to one million e-commerce transactions a year. Level 4 is everything below that: fewer than twenty thousand e-commerce transactions, or up to one million transactions across all channels. Most US small businesses sit in Level 4.
Service providers, meaning anyone who stores, processes or transmits cardholder data on behalf of merchants, have their own levels, with Level 1 starting at more than three hundred thousand transactions a year on one scheme. Paytia is a Level 1 service provider, which is why our customers can lean on our compliance to reduce their own scope.
Practically: if you take card payments over the phone for your own business and you're under a million annual transactions total, you almost certainly self-assess. If you're a US BPO or contact-center outsourcer handling cards for other brands, you're a service provider and the rules are stricter regardless of volume. Either way, your level is non-negotiable — it's set by your acquirer based on what you actually process — but the SAQ you fall under is very much in your control.
The SAQ you fall under is the biggest single cost lever
There are ten SAQs under PCI DSS v4.x (SAQ SPoC joined the nine that existed under v3.2.1), and they exist precisely because PCI's cost can't be one-size-fits-all. SAQ A is the shortest, around 22 questions under v3.2.1 and somewhat longer under v4, and applies when you've fully outsourced card-data handling to validated third parties: typically e-commerce merchants using a hosted payment page, and mail or telephone-order merchants whose phone channel never sees a card number. SAQ A-EP is around 190 questions under v3.2.1 and applies to e-commerce merchants whose own site affects how cardholder data reaches the payment page, even indirectly. SAQ D-Merchant is around 329 questions under v3.2.1 and applies when card data passes through your environment at all, or when no other SAQ fits. Whichever version you file under, read the eligibility criteria on the first pages of the SAQ before assuming the short one applies; the counts have moved between versions but the eligibility rules are what a QSA or acquirer will hold you to.
Each question in your SAQ equates to a control you have to evidence — and probably implement. Every additional question is more engineering, more documentation, more annual proof. The cost gap between filling in SAQ A and filling in SAQ D, for the same business, is the difference between a quiet week of paperwork and a six-figure compliance program.
Most US contact centers taking phone payments default to SAQ D because a card number read out to an agent lands on the agent's desktop, in the call recording and on the corporate network, which puts all of that in scope. They could be on SAQ A with the right architecture; that move, and the rest of the v4.0.1 picture for call centers, sits in our PCI DSS v4.0 call center guide. That's where the descoping conversation starts, and it's the move that dwarfs every other cost optimization. Our guide to what "descoped" actually means walks through the mechanic in plain English.
What it actually costs in the US in 2026
Honest US ranges, working from what we and our customers actually pay and what the Approved Scanning Vendor market quotes.
ASV scans for the external-facing IPs in your cardholder data environment run around $300 to $4,000 a year. They are required at least quarterly, and a failed scan has to be re-run until it passes, so the price scales with how many IPs you have to scan and how many re-scans your failed findings cost you. A small contact center with two or three IPs sits at the bottom of that range. A multi-site retailer with dozens of public IPs sits near the top.
QSA day rates in the US currently run around $2,000 to $4,000 a day, with most full RoC engagements taking anywhere from ten to thirty days of QSA effort plus your team's time. A small Level 1 service provider's annual RoC tends to be $35,000 to $80,000 of QSA fees alone; a large complex one runs into six figures. None of that includes the remediation it surfaces. The audit walkthrough covers what those days actually buy you.
Internal staff time is the line that always blows the budget. For a small merchant the SAQ alone is roughly 80 to 300 hours a year, including evidence collection and the trail of small fixes the SAQ exposes. For a contact center with phone payments still in scope, double that. At a fully loaded internal cost of $75 to $150 an hour, you're at $6,000 to $45,000 of time on the SAQ that nobody invoices for.
Tooling ranges from "you already have it" to a couple of dollars per user per month for an MFA provider, plus log management licenses your CISO probably already has running. The trap here is buying a PCI-branded version of a tool you already own — log management is log management, and Splunk doesn't get more compliant when you label the dashboard "PCI."
Add it up for a typical US SMB contact center stuck on SAQ D with phone payments in scope, and you're looking at $40,000 to $100,000 a year all-in. Move the same business to SAQ A by descoping the phone channel, and the same total drops below $15,000 — including the cost of the descoping tooling itself.
Where most merchants over-pay
Three patterns come up again and again when we look at what customers were spending before they descoped.
The first is renewing the same SAQ shape year after year. A business outsources its e-commerce checkout in March, gets DTMF masking on the phones in June, decommissions a legacy POS in September — and still files SAQ D in January because that's what it filed last year. The SAQ should follow your architecture. If it doesn't, you're paying SAQ D's controls bill for an SAQ A reality.
The second is doubling up on tooling that overlaps with what's already in the stack. Most enterprises already run something covering Requirement 10 (centralized logging) and Requirement 8 (MFA). Buying a "PCI suite" on top of those is paying twice for the same control. A QSA will accept your existing tooling as long as it covers the requirement; what they care about is that the requirement is met, not which logo's on the dashboard.
The third is hiring a QSA when an Internal Security Assessor would do. ISAs are PCI Council-certified employees of your own organization who can carry out the same assessment work a QSA would, for that organization only. For an SAQ there's no question an ISA is enough. Whether an ISA can also sign a Level 1 merchant RoC is a card-brand and acquirer decision (Mastercard, for example, accepts an ISA-led annual assessment for Level 1 merchants and expects ISA-trained staff to complete Level 2 SAQs), while Level 1 service providers should plan on a QSA. The ISA training and exam aren't trivial, but they cost a fraction of a year's QSA fees. Ask your acquirer before you book QSA days you may not need.
How to drop the bill without dropping standards
Two moves compound: descope, and outsource the surfaces you can't descope.
Descoping means removing card data from parts of your environment that don't strictly need it. The single biggest descoping move for any US business that takes phone payments is putting DTMF masking between the customer's keypad and everything else: the agent's screen, the call recording, the network. Card numbers reach the payment provider directly; the contact-center side of the network never sees them. What stays in scope is whatever sits on the audio path before the masking point, so where that layer is placed in your telephony is the first thing a QSA will ask about.
That single architectural change can move a contact center from SAQ D to SAQ A and cut the annual compliance bill by an order of magnitude. The wider mechanism — and the reasons it usually pays for itself within months — is covered in our guide to PCI compliance on phone payments, and there's a 2026 checklist if you want the short version.
Outsourcing means using a Level 1 service provider for the surfaces you genuinely can't descope. Card capture, payment links, IVR payments, tokenization: all of these can be handed to a provider whose Attestation of Compliance covers the work, leaving your own SAQ scope narrower and your costs lower. Outsourcing doesn't remove Requirement 12.8, though: keep the provider's AoC on file, check it at least every twelve months, and record which requirements they manage for you and which stay yours. Our overview of how Paytia helps with PCI compliance walks through which surfaces are descopable and which aren't.
One newer line item we can take off the table entirely for SAQ A and SAQ A-EP merchants: the SAQ paperwork itself. A free SAQ app works through every requirement of every SAQ in plain English, captures the evidence on your phone, and exports the completed PDF for your acquirer or QSA. The spreadsheet-and-Word-doc tax — usually a few hundred to a few thousand dollars of internal time a year — drops to zero. We built it because the SAQ itself shouldn't be the expensive part.
The honest summary
PCI compliance cost ranges from a few hundred dollars a year for a tiny e-commerce merchant on SAQ A through to seven-figure programs for global Level 1 acquirers. For the typical US contact center taking phone payments — the most common Paytia customer — the realistic range is $40,000 to $100,000 a year if the phone channel is still in scope, and well under $15,000 a year once it's been properly descoped.
The single biggest move is the one most teams put off: change the architecture so the SAQ changes with it. Everything else is variations on a theme.
Frequently Asked Questions
Is there a single number for PCI compliance cost?
No. The honest range is wide — from a few hundred dollars a year for a fully outsourced SAQ A e-commerce merchant to hundreds of thousands for a Level 1 acquirer. The number you actually care about is yours, which depends on your merchant level, your SAQ, and your architecture.
Is PCI compliance free for very small US merchants?
No, but the tooling cost can be close to zero. SAQ A merchants don't need a QSA, don't always need an ASV scan, and can often satisfy every control using tools they already own. The cost you still pay is internal time. Free SAQ checklist apps take that down further.
Do I have to pay a Qualified Security Assessor?
Only if your card brands and acquirer require a Report on Compliance from you: in practice, Level 1 merchants and Level 1 service providers, plus any Level 2 merchant whose acquirer insists on a RoC. Everyone else can self-assess. Many Level 2 merchants choose to bring in a QSA for an annual review even when they don't have to, because it cuts the risk of getting the SAQ wrong, but it's a choice, not a requirement.
What's the cheapest legal path to PCI compliance?
Descope the cardholder data environment until you fall under a simpler SAQ. Every requirement you don't have to evidence is a saving. The DTMF masking layer is the single biggest descoping move for any US business with phone payments.
Does PCI compliance cost ever go down year-on-year?
Yes, after descoping work pays back. Year one is usually expensive — the architecture changes, the new tooling, the SAQ moves down. Year two and beyond the controls are smaller, the audit is shorter, and the internal time falls. Customers who do this seriously see the bill drop in absolute dollars each year for two or three years before leveling off.
Related reading
- What Is PCI DSS? A Plain-English Guide
- The 12 PCI DSS Requirements
- Consequences of PCI DSS Non-Compliance
- PCI Compliance and Call Recording
- What Is DTMF?
Want to see this working in your setup? Book a working-demo call — we'll wire up your actual phone system and show you a live capture.