Total cost of compliance

How much does PCI DSS really cost?

Audits, segmented infrastructure, scanning, tooling and staff time add up fast. The biggest lever on the bill is how much card data you hold — and tokenization can take almost all of it out of scope.

Where the money goes

The six costs of PCI DSS

Compliance is rarely a single invoice. These are the recurring line items that make up your total cost.

Assessment & QSA

Self-assessment questionnaires or, at higher levels, an on-site audit by a Qualified Security Assessor.

ASV scanning

Quarterly external vulnerability scans by an Approved Scanning Vendor, plus penetration testing.

Infrastructure

Network segmentation, hardened servers, key management and secure storage for the cardholder data environment.

Security tooling

WAF, logging, intrusion detection, file integrity monitoring and anti-malware across in-scope systems.

Staff & training

Engineering hours to maintain controls, plus security awareness training and policy upkeep.

Remediation & risk

Fixing audit findings — and the cost of a breach if card data is exposed. Both scale with scope.

Scope decides the bill

The same business, two very different costs

The single biggest variable is whether card data touches your systems. Take it out of scope and the cost base collapses.

SAQ D

Card data in your environment

  • ~300 controls to implement and evidence
  • Segmented CDE, hardened infra and key management
  • Full ASV scanning and pen testing scope
  • Significant engineering and audit hours
  • Highest breach exposure

WITH TOKENIZATION

SAQ A

No card data in your systems

  • ~30 controls — a fraction of the work
  • No CDE to build or maintain
  • Minimal scanning scope
  • Far fewer engineering hours
  • Card data breach risk transferred to the vault

Read the full SAQ A vs SAQ D comparison to see exactly which requirements drop away.

FAQ

PCI DSS cost, answered

01 How much does PCI DSS compliance cost per year?

It depends on your SAQ level and volume. Under SAQ A (no card data in scope) you may spend only a few hundred euros on questionnaires and scans. Under SAQ D, handling raw card data can cost tens of thousands once you add QSA audits, segmented infrastructure, scanning, remediation and staff time.

02 What drives the cost of PCI DSS compliance?

The size of your cardholder data environment, the SAQ type, QSA and ASV fees, security tooling, and the engineering and audit hours to maintain controls. Removing card data from scope reduces almost all of them.

03 How does tokenization reduce PCI DSS cost?

When card data lives in an external PCI DSS Level 1 vault and your systems hold only tokens, most controls no longer apply to you. Many merchants move from SAQ D (hundreds of requirements) to SAQ A (around 30), cutting audit scope, infrastructure and staff time.
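A small scope check for the tokenized setup described above and in the SAQ A column, added here as an example that is not part of this page or any vendor's product: a stand-in vault (HypotheticalVault, an assumption) hands back opaque tokens, and find_pans scans merchant-side records (constructed samples) for Luhn-valid 13-19 digit sequences, so a stray PAN that would pull a system back into SAQ D scope shows up before an assessor finds it.

```python
import re
import secrets

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Mod-10 check: separates real PANs from random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit sequence in text, separators stripped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def scope_findings(records: list[str]) -> dict[int, list[str]]:
    """Record index -> PANs found. Empty is what SAQ A assumes: tokens only, no card data."""
    return {i: pans for i, r in enumerate(records) if (pans := find_pans(r))}

class HypotheticalVault:
    """Stand-in for the external Level 1 vault (assumption): keeps the PAN, returns a token."""
    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # unrelated to the PAN, so it carries no scope
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]

# Constructed sample records: a tokenized order, a leaked PAN (a test number), a 20-digit ref.
SAMPLE_RECORDS = [
    "order=1001 customer=42 payment=tok_3f9ab12c7d0e4b51 amount=19.99",
    "order=1002 customer=77 payment=4111 1111 1111 1111 amount=5.00",
    "2024-01-01 INFO checkout ok ref=12345678901234567890",
]
```

Running scope_findings over SAMPLE_RECORDS flags only the second record; the token and the 20-digit reference are left alone.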

Cut your compliance scope, cut your bill

See how moving card data into our certified vault drops you to SAQ A — and what that saves.