PCI Compliance Fees: What They Are, When They're Legitimate, When They're Junk
Last updated May 8, 2026
PCI compliance fees pay for the security infrastructure that protects cardholder data: vulnerability scanning, attestation tools, and support for completing the annual self-assessment. A legitimate fee typically runs $5 to $15 per month and ties to a specific deliverable. Many processors charge $15 to $25 per month with no service component, which is junk.
What is PCI compliance?
PCI-DSS (Payment Card Industry Data Security Standard) is the security standard that any business accepting credit or debit cards must follow. The card networks (Visa, Mastercard, Discover, American Express) created and maintain it through the PCI Security Standards Council. The standard applies whether you process one card per month or one million; there is no minimum-volume exemption.
The standard covers twelve high-level requirements grouped into six control objectives. They cover building a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing access controls, monitoring and testing networks, and maintaining an information security policy. The specifics inside each requirement are technical, covering things like firewall configuration, encryption of stored cardholder data, and access restrictions. The framework is straightforward at the level most SMBs need to understand.
For most small and medium merchants, compliance is satisfied by completing an annual Self-Assessment Questionnaire (SAQ). The SAQ is a checklist that confirms the merchant follows the requirements that apply to their setup. The relevant SAQ depends on how the merchant accepts cards. A merchant using only a hosted payment page (Stripe Checkout, Square Online) completes a short SAQ A. A merchant with their own card-handling website completes the longer SAQ A-EP or SAQ D. A merchant using an in-store terminal completes SAQ B or SAQ C.
Larger merchants processing over six million transactions per year are Level 1 and require an external auditor instead of self-assessment. Most SMBs are Level 4 and complete the SAQ themselves.
What a legitimate PCI fee covers
A legitimate PCI compliance fee bundles real services the merchant uses or could draw on. The four most common are vulnerability scanning, attestation tooling, SAQ completion support, and a breach insurance rider.
Vulnerability scanning is an automated test of the merchant's payment environment for known security weaknesses. PCI-DSS requires quarterly external scans for many merchant configurations, run by an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council. The processor passes the scan vendor's cost through to the merchant via the PCI fee. A real scan produces a report showing what was tested and what failed. If the merchant never receives a report, the fee is not paying for scanning.
Attestation tooling is the software that walks the merchant through the SAQ. The merchant logs into a portal, answers the questionnaire, and the tool generates the Attestation of Compliance the processor needs on file. Some processors include this; others charge separately or not at all.
SAQ completion support is access to a help desk or compliance specialist who can answer questions during the questionnaire. It is useful for first-time merchants and less useful in subsequent years, once the merchant knows which SAQ applies and how to answer it.
A breach insurance rider is a limited policy that covers part of the cost of a card-data breach. Common riders include $50,000 to $100,000 in breach-related expenses and assessments.
A fair price for a fee bundling real versions of these services is $5 to $15 per month. Above $15 without a deliverable, the fee is paying for nothing.
The non-compliance penalty trap
The most common single junk fee on small-business processing statements is the "PCI Non-Compliance" fee. It is structurally a penalty: a separate monthly charge that the processor adds when the merchant has not completed the annual SAQ on file. Typical amounts range from $20 to $40 per month.
The mechanism is straightforward. The processor's compliance system marks the account as non-compliant if the SAQ has not been completed by the deadline. As long as that flag is set, a non-compliance fee accrues every month. The fee is usually disclosed in the merchant agreement, but the disclosure is buried, and most merchants discover the fee only by reading their statement carefully.
The trap is that the fee is often retained even after the merchant becomes compliant. The merchant completes the SAQ, the processor receives it, and the non-compliance flag should clear. In practice, processor systems often fail to clear the flag automatically. The merchant continues to pay the penalty for months or years after they actually became compliant, simply because no one inside the processor flipped the switch.
A merchant who has paid a non-compliance fee while compliant is often able to recover the back payments. Processors are not legally required to refund retroactively in every case, but most will refund some portion when challenged with documentation showing the SAQ was completed and the flag should have cleared. Recovery is rarely automatic; the merchant has to pull records, write the request, and follow through.
How to tell if yours is junk
The diagnostic test for a PCI fee is the deliverable test. Every legitimate fee buys a specific service, and every specific service produces a deliverable the merchant can ask for. If the processor cannot produce the deliverable, the fee is junk.
Start by asking the processor what specific PCI service the fee pays for. The phrasing matters. A vague question gets a vague answer ("it's for compliance"). A specific question gets a specific answer or no answer at all. The merchant should send the question in writing and ask for the response in writing.
Then ask for the deliverable. For vulnerability scanning, request the most recent scan report. For attestation tooling, request login credentials and a copy of the most recent Attestation of Compliance. For SAQ support, request contact information for the compliance specialist. For a breach insurance rider, request the policy document and coverage cap.
Check the merchant's records against the response. Has the merchant ever received a scan report? Logged into the attestation portal? Spoken to the compliance specialist? Seen the breach insurance policy? If the answer to all of those is no, the fee is paying for services the merchant has not received.
Most processors who charge a junk PCI fee cannot produce the deliverables when asked. The fee functions as a recurring revenue line rather than a service charge. The diagnostic test forces the question and gives the merchant something to act on.
How to challenge a PCI fee
Once the diagnostic has identified a junk PCI fee, the challenge is the next step. The process is simple, and processors rarely defend a junk fee aggressively because the merchant has already documented that the service is not being delivered.
Pull statements going back twelve months and total the PCI fee charges. That total is the recovery target. A merchant paying $25 per month has $300 to recover over the year.
Submit a written request to the processor's customer service or compliance team. The request should specify the fee, the months it has been charged, the service it is supposed to cover, and the deliverables the merchant never received (no scan reports, no portal access, no policy on file). Ask for the fee to be removed going forward and refunded for the months already paid.
If customer service does not resolve it, escalate to retention. Retention departments have authority frontline support does not, and the threat of switching processors moves the conversation. Keep the request in writing throughout.
The fee often vanishes when challenged. Processors who cannot defend the charge with a deliverable usually remove it rather than risk the merchant switching.
When PCI fees are actually fair
Not every PCI fee on a merchant statement is junk. Some processors bundle real PCI services into the fee and deliver them in full. Merchants on those processors are paying for something they actually receive.
A fair PCI fee shows up alongside evidence the service exists. The merchant receives quarterly scan reports from an Approved Scanning Vendor. The merchant has working credentials to an attestation portal. The compliance team responds to questions and produces documentation when asked. A breach insurance rider exists with a written policy and a coverage cap.
When all of those conditions are met, $5 to $15 per month is a fair price for the bundle. Above $15 with all services delivered is on the higher end, but not unreasonable depending on coverage cap and the level of compliance support.
Auditing a statement is not about removing every PCI fee. It is about distinguishing the fees that buy something from the fees that do not, and recovering only the latter. A merchant who challenges a legitimate fee by mistake either gets nowhere or loses access to a service they actually rely on. The diagnostic test handles both cases: it confirms the fee is real, or it confirms the gap.