
PCI compliance is required for every business that accepts cards — but it should cost far less than your processor charges.

Compliance Guide

PCI Compliance: What It Is, What It Costs, and Why You're Probably Overpaying

PCI compliance is required for every business that accepts credit cards. But the monthly fees processors charge for it are often wildly inflated. Here's what you actually need to know — and do.

In This Guide
  1. What Is PCI Compliance?
  2. Who Needs to Be Compliant?
  3. The Self-Assessment Questionnaire (SAQ)
  4. Understanding PCI Fees on Your Statement
  5. How to Get Compliant — Step by Step
  6. What Happens If You're Not Compliant?

What Is PCI Compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of security requirements maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect cardholder data and reduce payment card fraud.

Any business that accepts, stores, transmits, or processes credit or debit card data must comply with PCI DSS. This isn't optional — it's a contractual requirement in your merchant agreement. However, the process of achieving compliance is far simpler than most business owners realize, especially for small businesses.

📌 Key point: PCI compliance is not a government regulation. It's an industry standard enforced through your merchant agreement. The card networks and your processor set the rules — and how those rules are enforced (and billed) varies significantly by processor.

Who Needs to Be Compliant?

Every business that accepts credit or debit cards — regardless of size, volume, or industry. If you take a credit card payment, PCI compliance applies to you.

Each card brand divides merchants into four "merchant levels" based on annual transaction volume; the Visa thresholds are the ones most processors use. The vast majority of small businesses fall into Level 4: fewer than 20,000 Visa e-commerce transactions per year, or any other merchant with up to 1 million total Visa transactions per year. Level 4 merchants have the simplest compliance requirements.

At Level 4, compliance typically consists of completing an annual Self-Assessment Questionnaire (SAQ) and, when your SAQ type calls for it, passing a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV). Scans apply when you have internet-facing systems in scope, such as an IP-connected terminal or an internet-connected POS. A retail business using a standalone dial-out terminal (SAQ B) has no scan requirement at all.

The Self-Assessment Questionnaire (SAQ)

The SAQ is the primary compliance tool for small businesses. It's a self-administered checklist of security questions covering how you handle cardholder data. There are several versions, and the one that applies to your business depends on how you accept payments. The question counts below are approximate and change between DSS versions (v4.0 added items to several SAQs), so treat them as a rough guide to effort rather than exact figures.

SAQ A
For: Card-not-present businesses that outsource all payment processing
The simplest questionnaire — only 22 questions. Applies to businesses that use a fully hosted payment page (like Shopify Payments or Square Online) where cardholder data never touches your systems. If you sell online and use a hosted checkout, this is likely your form.
SAQ B
For: Merchants with imprint machines or standalone dial-out terminals
For brick-and-mortar businesses using a standard countertop terminal that connects only over a phone line and is not connected to your business network or the internet. If your terminal plugs into a phone jack rather than your router, SAQ B applies. About 41 questions. Cellular-only terminals are sometimes treated the same way; confirm with your processor before choosing this form.
SAQ B-IP
For: Merchants using IP-connected point-of-interaction (POI) devices
Similar to SAQ-B but for terminals that connect via your internet or business network. If your terminal connects through your router, this is your form. Approximately 83 questions, some network-related.
SAQ C
For: Merchants whose payment application connects to the internet
For businesses using payment applications (like a POS system) that connect to the internet for payment processing. More comprehensive — about 160 questions — but still manageable for most small businesses with some IT support.
✅ Bottom line for most small businesses: If you have a standard countertop terminal at your register and don't store cardholder data, you almost certainly qualify for SAQ B (phone-line terminal) or SAQ B-IP (terminal on your network); if you only sell online through a fully hosted checkout, SAQ A. These are the simplest questionnaires, taking 15–30 minutes to complete, once per year. Filling in the SAQ itself costs nothing; the only potential extra cost is the quarterly ASV scan that B-IP and C require.

Understanding PCI Fees on Your Statement

This is where it gets frustrating. Processors have turned PCI compliance into a significant revenue stream, charging fees that bear little relationship to the actual cost of compliance administration. Here's what to look for:

PCI Compliance Fee ($5–$15/month — Sometimes Reasonable)

Some processors charge a modest monthly fee that covers access to their online compliance portal, the SAQ submission process, and basic support. If the fee is $5–$15/month and you actively use their compliance tools, this may be reasonable. Ask your processor exactly what this fee covers.

PCI Non-Compliance Fee ($19–$99/month — Almost Never Justified)

This is the big one. If you haven't completed your annual SAQ, your processor charges a monthly penalty — sometimes as high as $99/month — until you do. This fee compounds month after month until the questionnaire is complete. Many merchants pay this fee for years without knowing why or how to stop it.

The fix takes 15 minutes and is free. Log into your processor's merchant portal and complete the SAQ. The non-compliance fee disappears on your next statement.

PCI Security Fee / Security Program Fee ($9–$29/month — Often Unnecessary)

Some processors enroll merchants in third-party security programs or breach insurance coverage and charge monthly fees for these services. While breach protection can have value, these programs are often sold without clear disclosure and priced above market alternatives. Review exactly what you're enrolled in and what you're getting for the fee.

🚨 Important: If your statement shows both a "PCI Compliance Fee" AND a "PCI Non-Compliance Fee" in the same month, you are being billed twice for the same thing: the compliance fee pays for the program that is supposed to get you compliant, and the non-compliance fee penalizes you for not having finished it. Contact your processor and request an immediate correction and refund.
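The statement checks described in this section can be automated if your processor lets you export line items as CSV. The script below is an added example, not part of the original guide: it classifies PCI-related charges with regular expressions, flags any month that carries both a compliance fee and a non-compliance fee, and totals the non-compliance fees you might ask to have refunded. The statement rows and the fee descriptions are constructed for illustration; real processors use their own wording, so the patterns are assumptions you will likely need to adjust.

```python
"""Audit a merchant statement export for PCI-related fees (added example)."""
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample export, one line item per row. Descriptions are invented;
# adjust PCI_FEE_PATTERNS to match what your own processor prints.
SAMPLE_STATEMENT = """\
date,description,amount
2024-01-31,PCI COMPLIANCE FEE,9.95
2024-01-31,PCI NON-COMPLIANCE FEE,29.95
2024-01-31,MONTHLY SERVICE FEE,10.00
2024-02-29,PCI NON-COMPLIANCE FEE,29.95
2024-02-29,INTERCHANGE VISA CREDIT,312.44
2024-03-31,PCI NON-COMPLIANCE FEE,29.95
2024-03-31,SECURITY PROGRAM FEE,14.95
2024-04-30,PCI COMPLIANCE FEE,9.95
"""

# Order matters: "NON-COMPLIANCE" also contains "COMPLIANCE", so the
# non-compliance pattern must be tried first.
PCI_FEE_PATTERNS = [
    ("non_compliance", re.compile(r"PCI.*NON[- ]?COMPLIAN", re.I)),
    ("compliance", re.compile(r"PCI.*COMPLIAN", re.I)),
    ("security_program", re.compile(
        r"PCI.*SECUR|SECUR.*PROGRAM|BREACH.*(PROTECT|INSUR)", re.I)),
]


def classify(description):
    """Return the PCI fee category for a line item, or None if not PCI-related."""
    for category, pattern in PCI_FEE_PATTERNS:
        if pattern.search(description):
            return category
    return None


def audit_statement(csv_text):
    """Group PCI fees by month and report the findings a merchant should act on.

    Returns a dict with:
      by_month            {YYYY-MM: {category: Decimal total}}
      billing_errors      months billed both a compliance and a non-compliance fee
      non_compliance_months  number of months a non-compliance fee was charged
      non_compliance_total   sum of non-compliance fees (the refund target)
      security_program_total sum of security-program / breach-insurance fees
    """
    by_month = defaultdict(lambda: defaultdict(Decimal))
    for row in csv.DictReader(io.StringIO(csv_text)):
        category = classify(row["description"])
        if category is None:
            continue
        month = row["date"][:7]  # YYYY-MM; dates are assumed ISO formatted
        by_month[month][category] += Decimal(row["amount"])

    billing_errors = [
        month for month in sorted(by_month)
        if "compliance" in by_month[month] and "non_compliance" in by_month[month]
    ]
    non_compliance = [m for m in by_month if "non_compliance" in by_month[m]]
    return {
        "by_month": {m: dict(fees) for m, fees in by_month.items()},
        "billing_errors": billing_errors,
        "non_compliance_months": len(non_compliance),
        "non_compliance_total": sum(
            (by_month[m]["non_compliance"] for m in non_compliance), Decimal(0)),
        "security_program_total": sum(
            (fees["security_program"] for fees in by_month.values()
             if "security_program" in fees), Decimal(0)),
    }


if __name__ == "__main__":
    result = audit_statement(SAMPLE_STATEMENT)
    for month, fees in sorted(result["by_month"].items()):
        print(month, {k: str(v) for k, v in fees.items()})
    print("billing errors (both fees in one month):", result["billing_errors"])
    print("non-compliance fee months:", result["non_compliance_months"],
          "total:", result["non_compliance_total"])
    print("security program fees:", result["security_program_total"])
```

On the sample data the script flags 2024-01 as a double-billed month and reports three months of non-compliance fees totalling 89.85, which is the figure to quote when you call the processor for a credit. Amounts are kept as Decimal so the totals match the statement to the cent.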

How to Get Compliant — Step by Step

1
Log into your processor's merchant portal
Find the login link in your original welcome email or on your processor's website. If you've forgotten your login, use the password reset option or call your processor's merchant support line.
2
Find the PCI compliance section
Look for a tab or menu item labeled "PCI Compliance," "Security," or "Compliance Center." Most processors host this through a third-party provider like Trustwave, SecurityMetrics, or ControlScan.
3
Identify your SAQ type
Answer a few questions about how you accept payments. The system will direct you to the correct SAQ version for your business. Most retail businesses with standard terminals end up on SAQ B (phone-line terminal) or SAQ B-IP (terminal on the network); online-only businesses using a hosted checkout end up on SAQ A.
4
Complete the questionnaire
Answer each question honestly. If you're unsure of an answer, err on the side of caution and consult a basic IT guide or your processor's support line. Most questions for SAQ-A and B are straightforward yes/no questions about how you handle card data.
5
Submit and save your compliance certificate
Once submitted, download your Attestation of Compliance (AOC), which portals often label a "compliance certificate," and keep it on file. Set a calendar reminder to complete the SAQ again in 12 months, and if your SAQ type requires ASV scans, schedule those quarterly. The non-compliance fee on your next statement should disappear.
6
Request a refund of recent non-compliance fees
If you've been charged non-compliance fees for months while not knowing about the SAQ, it's worth calling your processor and requesting a credit. Many will refund 2–3 months as a goodwill gesture, especially long-term customers. Some will refund more.

What Happens If You're Not Compliant?

Beyond the monthly non-compliance fee your processor charges, there are broader consequences for failing to maintain PCI compliance:

Data breach liability: If your business suffers a data breach and you were not PCI compliant at the time, you face significantly increased liability — including fines from the card networks, the cost of forensic investigation, and potential liability for fraudulent charges made with stolen card data.

Increased fines from card networks: In a breach scenario, card brands can assess fines commonly cited in the range of $5,000–$100,000 per month until compliance is achieved, plus assessments for fraud losses. These are levied on your processor (the acquirer), which passes them through to you under your merchant agreement.

Account termination: Processors can terminate your merchant account for persistent non-compliance, especially in the event of a breach.

The good news: for small businesses operating with standard terminals and following basic security practices (not writing down or storing card numbers, using a chip-capable terminal, keeping terminal firmware updated, and periodically inspecting terminals for tampering or substitution, which the DSS itself requires), achieving and maintaining PCI compliance is straightforward, and the monthly fees your processor charges to "help" you do it are rarely worth the cost.

Paying PCI Fees You Shouldn't Be?

Submit your merchant statement and we'll identify every PCI-related charge, tell you whether it's legitimate, and show you how much you could eliminate immediately.

📄 Get My Free Audit →