Learning • 11 min read

PCI Compliance Fees & Costs UK 2026: SAQ Types, Prices and How to Avoid Non-Compliance Charges

How much PCI DSS compliance costs UK businesses in 2026, what acquirers actually charge (£3–£6/month), which SAQ applies, and how to stop £15–£35 non-compliance fees.
By Card Payment Connect editorial teamReviewed by Matt McCarthy, FounderLast updated 8 July 2026

What PCI DSS compliance actually is

PCI DSS (Payment Card Industry Data Security Standard) is the security framework every business that stores, processes or transmits card data has to meet. It is maintained by the PCI Security Standards Council on behalf of Visa, Mastercard, Amex, Discover and JCB, and is enforced through your acquirer — not directly by the card schemes.

The current version, PCI DSS 4.0, replaced 3.2.1 in March 2024 and became fully mandatory in March 2025. Most UK small businesses meet compliance through a Self-Assessment Questionnaire (SAQ) rather than a full external audit.

Unsure what these charges mean on your own statement? Submit it for a free independent review.

Check If I'm Overpaying

Which SAQ applies to your business

There are nine SAQ types under PCI DSS 4.0. Which one you complete depends on how you take payments and how you handle card data. Most UK SMEs sit in one of the four below.

Common PCI DSS 4.0 SAQ types for UK small businesses
SAQWho it's forTypical UK example
SAQ AEcommerce merchants that fully outsource card handling to a PCI-compliant provider.Shopify store using Shopify Payments, Stripe Checkout or PayPal-hosted checkout.
SAQ A-EPEcommerce merchants using a payment iframe or JavaScript that runs on their own site.Custom checkout using Stripe Elements or Adyen Drop-in.
SAQ BMerchants using only standalone dial-up or IP terminals; no electronic storage of card data.Traditional PDQ machine in a shop or restaurant, not integrated with EPOS.
SAQ B-IPMerchants using only standalone IP-connected terminals.Modern Wi-Fi countertop terminal from Worldpay, Barclaycard or Global Payments.
SAQ C-VTMerchants using only a virtual terminal in a browser on a dedicated computer.Phone-order MOTO business keying transactions into a browser-based virtual terminal.
SAQ DMerchants that don't fit any other SAQ, including anyone that stores card data electronically.Larger merchants and any business handling card numbers in spreadsheets or CRM systems.
If you're unsure which SAQ applies, ask your acquirer — they must tell you and provide the correct questionnaire.

What UK acquirers actually charge for

The 'PCI fee' on your statement usually covers two things: the cost of administering the annual SAQ process (reminders, portal access, vulnerability scans where required), and the acquirer's own compliance overhead. It typically ranges from £3–£6 per month for a small business.

The non-compliance fee is separate, and is the one that hurts. If the annual SAQ isn't completed by its deadline, most UK acquirers apply a recurring monthly charge of £15–£35 until the questionnaire is submitted. On a small business processing £5,000 a month, this alone can add 40–70 basis points to the effective rate.

The four merchant levels and what they mean

Card schemes classify every merchant into one of four levels based on annual card transaction volume. The level determines what evidence you need to file, not the standard itself.

  • Level 1 — 6m+ transactions per year (per scheme). Annual on-site audit by a Qualified Security Assessor (QSA), plus quarterly network scans.
  • Level 2 — 1m–6m transactions per year. Annual SAQ signed by an officer of the business, plus quarterly scans.
  • Level 3 — 20,000–1m ecommerce transactions per year. Annual SAQ plus quarterly scans.
  • Level 4 — under 20,000 ecommerce or under 1m total per year. Annual SAQ; scanning may be required depending on SAQ type.

How to stop paying non-compliance fees

Complete the SAQ on time

Set a calendar reminder for 30 days before the annual deadline. Most acquirers give a 90-day grace period; use it.

Keep contact details current

SAQ reminders go to the email on file. If your admin email has changed since sign-up, update it before the next renewal cycle.

Use the right SAQ type

A merchant on Shopify Payments shouldn't be completing SAQ D. Ask your acquirer to switch you to the correct (usually shorter) SAQ.

Consider a P2PE solution

Point-to-point encrypted terminals dramatically reduce SAQ scope — typically down to SAQ P2PE, which is much shorter.

Escalate stale non-compliance charges

If you completed the SAQ and are still being billed, log a formal complaint quoting the submission date.

Frequently asked questions

Is PCI DSS a legal requirement in the UK?

+
PCI DSS itself isn't UK legislation, but compliance is a contractual requirement in every UK merchant services agreement. A breach affecting card data can also trigger GDPR obligations under the UK Data Protection Act 2018 and ICO reporting rules.

Do I need PCI compliance if I only take payments through Stripe or PayPal?

+
Yes — but you'll typically qualify for the shortest SAQ (SAQ A) because the payment provider handles card data on your behalf. You still need to complete the annual questionnaire and confirm compliance to your acquirer.

What is a PCI ASV scan?

+
An Approved Scanning Vendor scan is a quarterly external network vulnerability scan required for some SAQ types (notably A-EP, B-IP and D). Your acquirer usually provides access to an ASV as part of the PCI fee.

How much can non-compliance actually cost?

+
The recurring non-compliance fee itself is £15–£35 per month. In the event of a data breach, card schemes can impose penalties of £5,000–£500,000 depending on volume and severity, plus card reissue costs and potential ICO fines.

Can I use a PCI service provider?

+
Yes. Many UK acquirers partner with SecurityMetrics, Sysnet or similar to walk merchants through the SAQ. The service is usually included in the PCI fee; you don't need to buy it separately.

Key takeaways

  • Most UK small businesses complete a single annual SAQ — usually SAQ A or B-IP.
  • PCI admin fees are small; the recurring non-compliance fee is what genuinely inflates costs.
  • PCI DSS 4.0 fully replaced 3.2.1 in March 2025 — SAQ content has changed.
  • The correct SAQ depends on how you take payments, not just your business size.
  • P2PE terminals significantly reduce PCI scope and are worth considering at renewal.

Find out if you're overpaying on card fees

Two numbers — your monthly card bill and annual turnover — and we'll estimate your effective rate against the UK average. Send your statement and we'll email a full written breakdown within 30 minutes (8am–6pm, 7 days a week).

Check If I'm Overpaying

Takes 30 seconds. Statement optional.

Related reading