Key Takeaways
- PCI DSS cost has 4 components: QSA assessment fees, penetration testing, remediation, and ongoing compliance management
- SAQ A (fully outsourced) costs USD 5,000-15,000; full ROC (Level 1) costs USD 30,000-100,000+ for assessment alone
- Scope reduction is the single biggest cost lever — CardIntel reduces scoping time 30-40% and finds shadow data stores
- Year 2 costs are typically 40-60% of Year 1 — the compliance infrastructure is already built
The 4 Cost Components of PCI DSS Compliance
When organisations ask "how much does PCI DSS compliance cost?", they are usually thinking about the QSA assessment fee — the invoice from the assessor. But the assessment fee is only one of four distinct cost components, and it is rarely the largest. Understanding all four components is essential for realistic budgeting.
1. QSA Assessment Fees
This is the fee paid to your Qualified Security Assessor (QSA) to conduct the assessment, validate controls, and produce the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ). Assessment fees vary based on your SAQ type, environment complexity, number of locations, and the assessor's methodology. For Asia-Pacific, QSA fees typically range from USD 5,000 for a straightforward SAQ A to USD 100,000+ for a complex Level 1 ROC engagement.
2. Penetration Testing (PCI DSS Requirement 11.4)
PCI DSS v4.0.1 requires both internal and external penetration testing of the cardholder data environment (CDE) at least annually and after any significant change. The penetration test must be performed by a qualified tester — either an internal resource with demonstrable independence or an external firm. In Asia-Pacific, penetration testing for PCI DSS typically costs USD 8,000-30,000 depending on scope, with segmentation testing adding USD 3,000-8,000 if network segmentation is used to reduce PCI scope.
3. Remediation
Remediation is the largest and most variable cost component. It covers the technical and organisational work required to close gaps identified during the assessment or gap analysis — network segmentation, multi-factor authentication deployment, file integrity monitoring, encryption upgrades, policy development, and security awareness training. Remediation costs range from near-zero for mature environments to USD 500,000+ for organisations with significant infrastructure gaps.
4. Ongoing Compliance Management
PCI DSS is not a point-in-time certification. It requires ongoing activities: quarterly ASV scans (USD 1,000-3,000 per quarter), annual penetration testing, daily log reviews, quarterly internal vulnerability scans, annual risk assessments, annual policy reviews, and security awareness training. These recurring costs are often underestimated in Year 1 budgets but become the primary cost driver from Year 2 onward.
Total cost = sum of all four components, with remediation typically the largest. Organisations that focus only on the QSA fee underestimate total compliance cost by 50-80%.
SAQ vs ROC — Which Path and What Does Each Cost?
Your validation type — determined by your merchant level and how you handle cardholder data — is the single biggest determinant of your assessment fee. Level 1 merchants (over 6 million transactions annually) and all service providers processing, storing, or transmitting cardholder data must complete a full ROC with an on-site QSA assessment. All other merchants complete one of several SAQ types, each with different scope and cost implications.
| SAQ Type | Who | Estimated Fee Range | Pen Test Required? |
|---|---|---|---|
| SAQ A | Fully outsourced e-commerce (redirect/iframe) | USD 5,000 – 15,000 | No |
| SAQ A-EP | E-commerce with partial outsourcing (JavaScript-based) | USD 10,000 – 25,000 | Yes |
| SAQ D | All other merchants handling card data directly | USD 15,000 – 40,000 | Yes |
| ROC (Level 1) | Level 1 merchants and service providers | USD 30,000 – 100,000+ | Yes |
These ranges represent the QSA assessment fee only — they do not include penetration testing, remediation, or ongoing compliance costs. The wide ranges reflect the variability in environment complexity: a single-location e-commerce merchant with SAQ A-EP will be at the lower end, while a multi-location payment processor with complex network architecture will be at the upper end. For a full overview of our PCI DSS compliance assessment service, including our methodology and deliverables, see our service page.
What Drives Remediation Costs — and How to Control Them
Remediation is where budgets go off track. The range is enormous — from USD 10,000 for a mature environment that needs minor policy updates and configuration hardening, to USD 500,000+ for an organisation that needs to implement network segmentation, deploy MFA, build logging infrastructure, and develop an incident response capability from scratch.
The Top 5 Remediation Cost Drivers
Network segmentation: Isolating the cardholder data environment from the rest of the corporate network is often the most expensive single remediation item. It may require new firewalls, VLANs, access control lists, and potentially re-architecting portions of the network. Cost: USD 15,000-150,000+.
Multi-factor authentication (MFA): PCI DSS v4.0.1 requires MFA for all access into the CDE and for all remote access. Deploying MFA across all applicable systems — including legacy applications — typically costs USD 5,000-30,000 depending on the number of users and systems.
File integrity monitoring (FIM): Requirement 11.5 mandates FIM on critical system files. Commercial FIM solutions range from USD 5,000-25,000 depending on the number of systems monitored.
Logging and monitoring: Requirement 10 requires comprehensive audit logging with daily log reviews. Organisations without a SIEM or centralised logging platform may need to invest USD 10,000-50,000 in logging infrastructure.
Encryption: Protecting stored cardholder data (Requirement 3) and data in transit (Requirement 4) may require upgrading encryption across databases, applications, and network communications. Cost varies widely based on the data storage architecture.
Three Strategies to Control Remediation Costs
1. Reduce scope first. Every system removed from the CDE is a system that does not need to be assessed, hardened, monitored, or maintained to PCI standards. Scope reduction should be the first activity in any compliance programme — not an afterthought.
2. Fix known gaps before the assessment. A pre-assessment gap analysis identifies remediation items early, when they can be addressed on your timeline and budget rather than under the pressure of an active assessment engagement.
3. Prioritise by risk and requirement. Not all remediation items are equal. Focus first on items that are critical to passing the assessment, then address lower-risk items in subsequent cycles.
Scope Reduction — The Single Biggest Cost Lever
Every system that stores, processes, or transmits cardholder data — and every system connected to those systems — is in scope for PCI DSS. The more systems in scope, the more systems that must be assessed, the more controls that must be validated, and the higher both the assessment fee and the remediation cost.
Scope reduction works by removing systems from the cardholder data environment. The three primary methods are:
Tokenisation: Replace cardholder data with non-sensitive tokens. Systems that only handle tokens are out of scope for PCI DSS. Tokenisation is the most effective scope reduction method for merchants who do not need to retain full card numbers.
Network segmentation: Isolate systems that handle cardholder data from those that do not. Properly implemented segmentation reduces the number of systems that must be assessed and hardened to PCI standards.
Point-to-Point Encryption (P2PE): Use PCI-validated P2PE solutions at the point of interaction. P2PE encrypts card data at the terminal, meaning the merchant's environment never processes unencrypted cardholder data. This can reduce a merchant from SAQ D to SAQ P2PE — a dramatically smaller control set.
CardIntel: AI-Powered Scope Discovery
One of the most common (and expensive) problems in PCI DSS compliance is shadow data — cardholder data stored in locations the organisation does not know about. Spreadsheets, email archives, backup systems, test environments, and legacy databases frequently contain cardholder data that expands PCI scope without the organisation's awareness.
EIC's CardIntel platform uses AI-powered scanning to discover cardholder data across the entire environment — structured databases, unstructured file shares, cloud storage, and email systems. CardIntel reduces scoping time by 30-40% and routinely finds shadow data stores that manual scoping exercises miss.
The cost impact is significant. A 30% scope reduction typically translates to a 20-30% reduction in total compliance cost — across assessment fees, penetration testing, remediation, and ongoing compliance management. For a Level 1 ROC engagement, that can mean USD 25,000-75,000 in savings in Year 1 alone.
Scope reduction ROI: A 30% scope reduction typically saves 20-30% of total compliance cost. For Level 1 ROC, that is USD 25,000-75,000 in Year 1 savings — often exceeding the cost of the scope reduction exercise itself.
Annual Recertification — What Does Year 2 Cost?
Year 2 and subsequent years are significantly less expensive than Year 1 — typically 40-60% of the initial compliance investment. The reason is straightforward: the compliance infrastructure is already built. Network segmentation is in place, MFA is deployed, logging infrastructure is operational, and policies and procedures have been documented.
The recurring annual costs for PCI DSS compliance include:
Annual QSA assessment: The assessment fee is typically 70-80% of the Year 1 fee, as the assessor is validating an existing environment rather than assessing a new one. The assessor can leverage prior-year documentation and focus on changes.
Annual penetration testing: Required annually and after significant changes. The scope is usually similar to Year 1, so the cost remains comparable at USD 8,000-30,000.
Quarterly ASV scans: USD 1,000-3,000 per quarter for external vulnerability scanning by an Approved Scanning Vendor.
Ongoing compliance management: Daily log reviews, quarterly internal vulnerability scans, annual risk assessments, policy updates, and security awareness training. These activities require dedicated staff time or managed service engagement.
EIC's Complio compliance management platform reduces this ongoing overhead by 40-50% through automated evidence collection, continuous control monitoring, and automated compliance reporting. Complio tracks control status in real time, flags issues before they become findings, and generates assessment-ready evidence packages — significantly reducing the manual effort required to maintain compliance between annual assessments.
How to Budget for PCI DSS Compliance
The most reliable way to budget for PCI DSS compliance is to start with a fixed-price scoping estimate from a QSA. A scoping call — typically 60-90 minutes — allows the assessor to understand your environment, determine your SAQ type or confirm your ROC requirement, estimate the assessment fee, and identify likely remediation areas.
EIC provides a fixed-price proposal within 24 hours of a scoping call — no obligation. The proposal includes the assessment fee, estimated penetration testing cost, and a remediation cost range based on the information gathered during scoping.
Budget Ranges by Merchant Level
Level 2/3 merchants (SAQ A-EP or SAQ D): Total Year 1 compliance cost of USD 20,000-50,000, including assessment, penetration testing, and moderate remediation. Year 2 ongoing cost of USD 12,000-30,000.
Level 1 merchants and service providers (ROC): Total Year 1 compliance cost of USD 80,000-250,000, including assessment, penetration testing, and remediation. Year 2 ongoing cost of USD 40,000-120,000. Complex multi-location environments with significant remediation requirements can exceed these ranges.
These ranges are based on real engagement data from EIC's PCI DSS assessments delivered across Asia-Pacific between 2020 and 2026. Your actual cost will depend on your specific environment, and the scoping call is designed to narrow these ranges to a fixed-price proposal for your situation.
Non-compliance cost typically exceeds compliance 5-10x: card scheme fines (USD 5,000-100,000 per month), forensic investigation (USD 50,000-500,000), card reissuance costs, and reputational damage. PCI DSS compliance is an investment that protects against far greater financial exposure.
For guidance on selecting the right assessor for your engagement, see our article on how to choose a PCI DSS QSA organisation. For a detailed breakdown of PCI DSS v4.0.1 requirements, read our guide on PCI DSS v4.0.1 — what changed and what you must do now. You can also verify QSA organisations and approved products on the official PCI Security Standards Council assessors directory.