PCI DSS Compliance Cost by Merchant Level
Your PCI compliance obligations — and costs — depend on your transaction volume. Here's what each level requires and what it costs.
Level 4 — Small Merchant (Most Common)
Annual Cost: $1,000–$5,000/year
Time to Compliance: 4–12 weeks
Non-Compliance Fine: $5k–$100k/mo
Who qualifies
Fewer than 20,000 e-commerce transactions OR up to 1 million other card-present transactions per year. Most small businesses, retail stores, restaurants.
Example merchants
- Local restaurant with POS terminal
- Small online shop using Stripe/PayPal hosted payments
- Service business using Square
What's required
- SAQ A, A-EP, B, C, or D (depending on how you accept cards)
- Quarterly external vulnerability scan by an ASV (if applicable)
- Annual self-assessment questionnaire
- No QSA required — self-certified
Key risk: Most Level 4 merchants still face $5k–$100k/month fines if non-compliant — size doesn't provide immunity.
Level 3 — Mid-Market E-commerce (E-commerce Focus)
Annual Cost: $5,000–$20,000/year
Time to Compliance: 8–24 weeks
Non-Compliance Fine: $5k–$100k/mo
Who qualifies
Between 20,000 and 1 million e-commerce transactions per year. Typically growing online retailers and SaaS companies that process cards directly.
Example merchants
- Mid-size e-commerce retailer
- SaaS platform with subscription billing
- Regional service business with online booking
What's required
- SAQ D or SAQ C (most common for this tier)
- Quarterly ASV external scanning
- Annual penetration test (required under PCI DSS 4.0)
- Written security policies and procedures
- No QSA required unless acquiring bank mandates it
Key risk: E-commerce adds scope — payment page code must be reviewed; any JavaScript compromise can expose card data.
Level 2 — Large Merchant (QSA Often Required)
Annual Cost: $10,000–$50,000/year
Time to Compliance: 12–36 weeks
Non-Compliance Fine: $5k–$100k/mo
Who qualifies
Between 1 million and 6 million total transactions per year (any channel) for Visa/Mastercard. May include annual QSA audit or ISA program.
Example merchants
- Regional retail chain
- Franchise group
- Mid-size healthcare provider with card payments
What's required
- SAQ D or annual QSA Report on Compliance (ROC) — acquiring bank may require full audit
- Quarterly internal and external vulnerability scans
- Annual penetration testing (internal + external)
- File integrity monitoring on all cardholder data systems
- Intrusion detection/prevention system (IDS/IPS)
- Security awareness training for all relevant staff
Key risk: Many Level 2 merchants are surprised when their acquiring bank requires a full QSA — this pushes costs to the Level 1 range.
Level 1 — Enterprise (Full QSA Required)
Annual Cost: $50,000–$500,000+/year
Time to Compliance: 24–52 weeks (initial), 12–24 weeks (renewal)
Non-Compliance Fine: $5k–$100k/mo
Who qualifies
More than 6 million Visa or Mastercard transactions per year, OR any merchant that has experienced a breach affecting card data, OR any merchant Visa/Mastercard designates as Level 1.
Example merchants
- National retail chain
- Major e-commerce platform
- Payment processor or gateway
- Any merchant after a card-data breach
What's required
- Annual on-site assessment by a Qualified Security Assessor (QSA)
- Report on Compliance (ROC) submitted to acquirer
- Quarterly internal and external vulnerability scans
- Annual penetration testing (segmentation test if using network segmentation)
- Quarterly internal vulnerability assessment
- SIEM / log management covering all cardholder data environment systems
- Formal incident response plan
- Executive sign-off on security policies
Key risk: Level 1 is a year-round programme. QSA assessment alone typically costs $40k–$200k. Add staff time, tooling, and remediation and annual spend exceeds $500k at large enterprises.
Not sure which level applies to you?
Use the calculator on the home page to estimate your compliance cost, or get a free assessment from Digital Signet.