PCI DSS cost · explained plainly

How much does PCI DSS compliance cost? From nothing to many thousands, depending on your SAQ.

There is no single sticker price for PCI, and any firm that quotes one before knowing how you accept cards is guessing. What you actually pay comes down to three things: your SAQ, your environment, and who does the work. Here is the honest breakdown.

Free SAQ check · then a fixed $1,495 analysis

Short version: completing a Self-Assessment Questionnaire yourself costs nothing but your time. A consultant or QSA-led gap assessment runs into the thousands. A full QSA audit and Report on Compliance, for the highest-volume merchants, runs much higher. Our fixed $1,495 PCI DSS v4.0 Readiness & Gap Analysis sits deliberately in the middle: no quote, no sales call, a PDF in your inbox within hours.

Why “how much does PCI cost” has no one answer

PCI DSS is not a single product you buy. It is a security standard you validate against, and the amount of work involved swings widely from one merchant to the next. A tiny online store that has fully outsourced card handling to a validated processor is in a very different world from a business that stores card numbers on its own systems.

That is why cost lives on a range, not a price tag. Three factors move you along that range:

Your SAQ is the biggest cost lever

Merchants do not all fill out the same PCI paperwork. The PCI Security Standards Council defines several Self-Assessment Questionnaires, each scoped to a way of accepting cards. The right one for you determines how much of PCI DSS you are on the hook for.

At one end, SAQ A is the shortest path: it is for card-not-present merchants who have fully outsourced all cardholder-data functions to validated third parties, so their own systems never store, process, or transmit card data. Fewer requirements apply, so there is less to assess and less to remediate.

At the other end, SAQ D covers the full set of PCI DSS requirements. Storing cardholder data electronically generally puts you here. More requirements in scope means more work, and more cost, however you get it done.

So before you can even estimate cost, you need to know which SAQ applies to you. That is a question you can answer for free, right now.

Your SAQ drives your cost. Find it free.

Answer a few questions about how you accept cards and get your likely SAQ type on screen, plus a directional read on five baseline PCI controls. No account, no card, nothing to install. It is the fastest way to see where on the cost range you sit.

The four ways people get to PCI compliance, and what each tends to cost

Once you know your SAQ, the second question is who does the work. Here is how the common paths compare. Only our own price is fixed and public; the others depend entirely on your scope, so treat them as directional.

PathWhat it costsWhat you actually get
Do-it-yourself SAQ portal Free (your time) The blank questionnaire. You decide which SAQ applies, answer every requirement, and self-verify the evidence, with no analysis and no second opinion.
Consultant or QSA-led gap or readiness assessment Into the thousands A person reviews your environment and reports your gaps. Usually priced by scope and hours, and usually quoted only after a scoping call.
Our PCI DSS v4.0 Readiness & Gap Analysis $1,495, one-time Your SAQ with rationale, all 12 PCI DSS v4.0 requirements marked covered, partial, or gap, and a 30/60/90-day remediation roadmap. PDF within hours. No quote, no call.
Full QSA audit and Report on Compliance Much higher Required for the highest-volume merchants. An assessor tests your controls and issues a formal Report on Compliance.

Dollar amounts for the do-it-yourself, consultant, and QSA paths are qualitative on purpose. Real figures depend on your SAQ, your scope, and the firm you choose, which is exactly why an honest number starts with your SAQ.

Why quotes vary so much

If you have asked two firms and gotten two wildly different numbers, that is normal, not a red flag. A consultant cannot price your engagement until they understand your scope: which SAQ applies, how card data moves through your business, how many systems are in play, and how much you have already done. Hourly rates and how a firm defines scope do the rest.

The practical takeaway: the more precisely you know your SAQ and your scope going in, the tighter and fairer the quotes you will get back. Walking in blind is how merchants end up overpaying for work they did not need, or under-scoping and missing requirements.

Where our $1,495 analysis fits

We built the PCI DSS v4.0 Readiness & Gap Analysis to be the honest middle path between a free questionnaire you have to figure out alone and a scoped consulting engagement you cannot price up front. It is a fixed, public $1,495, one time, no quote and no sales call.

For that price, the analysis:

It is intake-based, so there is nothing to install and no scan to schedule. You answer a short intake, and the PDF lands in your inbox within hours. To be clear about what it is not: it is a readiness analysis, not a QSA assessment, not a completed SAQ, and not a signed Attestation of Compliance. It prepares you for those; it does not replace them.

Ready to price your gap, not guess at it?

Start free to pin down your SAQ, then run the full analysis when you want every requirement checked and a roadmap in hand.

PCI compliance cost: common questions

Is PCI compliance free if I do the SAQ myself?

The Self-Assessment Questionnaire itself costs nothing to complete. But free is not the same as easy. You still have to pick the right SAQ for how you accept cards, answer every requirement honestly, and produce the evidence behind each answer. If you self-certify a control you cannot actually evidence, you carry that risk. So the SAQ is free in dollars, and not free in effort or exposure.

Why do PCI compliance quotes vary so much?

Because two merchants can be worlds apart in scope. Your SAQ type, how card data flows through your environment, how many systems are in scope, and whether a firm bills by the hour all move the number. A consultant usually cannot quote you until they have scoped your environment, which is why the question rarely has a single answer. Knowing your SAQ first is the fastest way to narrow the range.

What does the $1,495 PCI DSS v4.0 Readiness & Gap Analysis include?

A fixed, one-time price with no quote and no sales call. You get your applicable SAQ with the rationale for it, every one of the 12 PCI DSS v4.0 requirements marked covered, partial, or gap, and a prioritized 30/60/90-day remediation roadmap with the evidence an assessor will ask for. It is intake-based, so there is nothing to install, and the PDF lands in your inbox within hours. It is a readiness analysis, not a QSA assessment, a completed SAQ, or a signed Attestation of Compliance.

Do I need a QSA audit?

Most small and mid-size merchants validate with a Self-Assessment Questionnaire, not a QSA audit. The highest-volume merchants undergo a QSA-led Report on Compliance. Your acquiring bank and the card brands assign your merchant level based on your annual transaction volume, and that level determines how you validate. If you are not sure which applies to you, confirm with your acquiring bank.

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.