Open your merchant statement and look for "PCI." You'll probably find at least one line — maybe three. PCI compliance fees are one of the most misunderstood charges in payment processing, and they're a favorite tool for processors who want to pad their margin without touching the rate they quoted you.
Here's what these fees actually cover, what you should be paying, and how to tell when you're being overcharged.
What PCI compliance actually is
PCI DSS — the Payment Card Industry Data Security Standard — is a set of security requirements created by the card brands (Visa, Mastercard, Amex, Discover) to protect cardholder data. Every business that accepts credit cards has to comply, period. It's not optional, and it's not negotiable.
Validating compliance itself is free. You can complete a Self-Assessment Questionnaire (SAQ) at no cost, and most small merchants qualify for the simplest version (SAQ-A or SAQ-B). The SAQ is a self-attestation, not an audit, so the work is confirming that your setup actually meets each requirement (for example, that you never store full card numbers) rather than just ticking boxes. That takes most business owners 20–60 minutes a year.
What you're actually being charged for
Processors bundle three different things into "PCI fees":
- PCI compliance fee — a monthly charge (typically $5–$25) that's supposed to cover compliance support, portal access, and validation tracking.
- PCI non-compliance fee — a penalty (typically $20–$40/month) for merchants who haven't completed their SAQ. This is the one processors love, because most merchants never fill out the form.
- Breach insurance / assurance programs — bundled coverage against the cost of a data breach, sometimes called "PCI assurance" or similar.
All three can be legitimate. All three can also be grossly inflated.
The red flags
You're likely being overcharged if any of these apply to you:
- You're paying more than $20/month for basic PCI compliance and you've never used the processor's compliance portal
- You're being hit with a non-compliance fee, but nobody ever told you a SAQ existed
- Your statement shows PCI fees that increased mid-contract without a notice
- The non-compliance fee is larger than the compliance fee (it shouldn't be — it's a penalty, not a product)
- You're paying PCI fees to more than one processor (yes, this happens)
What fair PCI pricing looks like
A reasonable processor charges something like $5–$10/month for PCI compliance, waives it entirely for merchants who complete the SAQ themselves, and either doesn't charge non-compliance fees at all or warns you three times before it hits.
If you're paying $25/month and another $35 non-compliance on top, you're spending $720 a year on a form you could fill out in under an hour.
How to fix it
Three steps, in order:
- Log into your processor's merchant portal and find the PCI section. If you can't find it, call support and ask where to complete your SAQ. Complete it. Most merchants qualify for SAQ-A (ecommerce using a hosted payment page) or SAQ-B (dial-up/standalone terminals).
- Ask your processor in writing to refund any non-compliance fees from the last 12 months once your SAQ is filed. Many will do it.
- Audit your monthly statement. If the PCI fee stays on after you've completed the SAQ, or if it's higher than $10/month, that's a signal to negotiate — or to shop your account.
The bigger picture
PCI compliance fees are a symptom of a bigger problem in payment processing: charges that sound official and mandatory but leave the processor wide latitude in how much to bake in. The card brands don't set PCI fees — your processor does.
Knowing that is half the battle. The other half is actually looking at your statement.