PCI-DSS Compliance Cost: What Organizations Should Budget

PCI-DSS compliance cost varies by more than an order of magnitude depending on merchant level, current control posture, cardholder data environment complexity, and whether the organization has done meaningful remediation work before beginning formal assessment. The ranges below reflect general market data by expense category — not Armorstack pricing. Every engagement is scoped individually based on what your environment actually requires, and the most significant variable is how much remediation work exists before assessment can proceed.

The Five Cost Categories in a PCI-DSS Program

A complete PCI-DSS compliance program has five distinct cost categories. Organizations often budget for assessment and scanning while underestimating remediation, ongoing program management, and the infrastructure investments required to sustain compliance between assessments. The cost of a failed assessment — remediation work required before a report can be issued — is almost always higher than the cost of adequate preparation before the assessment begins.

1. Gap Assessment and Remediation Consulting

A gap assessment compares current control posture against all applicable PCI-DSS 4.0 requirements, identifies deficiencies by severity and requirement number, and produces a prioritized remediation roadmap with cost estimates. The assessment precedes formal compliance validation and determines how much remediation work is required before an SAQ can be completed honestly or a QSA assessment initiated without known failure points.
Market ranges for gap assessment and remediation consulting vary significantly by environment complexity:
For Level 3 and Level 4 merchants with a limited cardholder data environment — a small number of in-scope systems, a clear payment acceptance model, and no significant history of deferred security investment — gap assessments typically range from $8,000 to $25,000. For Level 2 merchants or organizations with more complex environments, multi-channel acceptance, or significant control gaps, the range typically runs $25,000 to $60,000. Level 1 merchants preparing for a full QSA ROC assessment in environments with meaningful remediation work should budget $50,000 to $150,000 or more for pre-assessment preparation consulting, depending on environment size.
The PCI-DSS 4.0 changes — particularly MFA expansion, payment page script management under Requirement 6.4, and continuous monitoring elevation — have increased pre-assessment consulting scope for organizations that have not addressed these requirements since the March 2024 mandatory effective date. See PCI-DSS 4.0 changes for detail on what the update requires.

2. QSA On-Site Assessment (Level 1 Merchants)

The annual Report on Compliance required for Level 1 merchants is produced by a Qualified Security Assessor firm following an on-site assessment. The assessment involves documentation review, configuration inspection, personnel interviews, and evidence validation across all 12 PCI-DSS requirements. QSA fees reflect the complexity of the environment assessed, the geographic scope, and the QSA firm’s market positioning.
QSA assessment market ranges for Level 1 merchants typically fall between $50,000 and $200,000 for the assessment alone, excluding remediation. Highly complex environments — multiple data centers, international operations, or significant application scope — can exceed that range. Some QSA firms package assessment, remediation support, and ongoing advisory services into annual arrangements, which can reduce per-assessment cost when amortized across a multi-year relationship.
Level 2 merchants whose acquirers require QSA involvement rather than accepting an SAQ should expect similar assessment costs, scaled somewhat by environment complexity. Understanding your merchant level and validation obligations is the starting point; see PCI-DSS merchant levels for the transaction volume thresholds that apply.

3. Approved Scanning Vendor (ASV) Quarterly Scans

All merchant levels that accept card payments across external-facing systems are required to conduct quarterly vulnerability scans of in-scope external IP addresses and domains using an Approved Scanning Vendor — an organization certified by the PCI Security Standards Council to conduct and report on external vulnerability scans. ASV scans cannot be self-conducted; they must be performed by a PCI-SSC-listed ASV and must produce a passing scan report (all vulnerabilities rated CVSS 4.0 or higher remediated and rescanned) before an Attestation of Compliance can be signed.
ASV quarterly scan costs range from approximately $1,000 to $5,000 per quarter depending on the number of in-scope IP addresses, the number of scan failures requiring remediation and rescanning, and the ASV firm. Organizations with large numbers of external-facing CDE systems or frequent scan failures due to unmanaged vulnerabilities incur costs at the higher end of this range. Effective network segmentation, which reduces the number of systems with external-facing CDE scope, directly reduces ASV scan cost and failure rate.
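To make the pass/fail rule above concrete, here is an added example (not Armorstack code or any ASV's tooling) that applies it to a constructed scan report: a finding on an in-scope external host with a CVSS base score of 4.0 or higher blocks a passing scan until it has been remediated and confirmed clear by rescan, and hosts moved out of scope by segmentation drop out of the count entirely. The host names, plugin identifiers and scores are constructed for illustration.

```python
from dataclasses import dataclass

# ASV rule as described on this page: CVSS 4.0 or higher must be fixed and rescanned.
FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str     # in-scope external IP or hostname
    check: str    # scanner check identifier (constructed, not a real plugin id)
    cvss: float   # CVSS base score reported by the scanner


# Constructed sample scan output; not real scan data.
SCAN = [
    Finding("203.0.113.10", "tls-weak-cipher", 5.3),
    Finding("203.0.113.10", "banner-disclosure", 0.0),
    Finding("203.0.113.11", "outdated-web-server", 7.5),
    Finding("203.0.113.12", "http-trace-enabled", 4.0),
    Finding("203.0.113.13", "icmp-timestamp", 2.1),
]


def blocking_findings(findings, verified_fixed=frozenset(), scope=None):
    """Return the findings that still prevent a passing ASV scan.

    verified_fixed: (host, check) pairs confirmed clear by a rescan; a fix that
    has not been rescanned does not count.
    scope: optional set of hosts still in CDE scope; if given, findings on
    hosts outside it are ignored (the segmentation effect described above).
    """
    return [
        f for f in findings
        if f.cvss >= FAIL_THRESHOLD
        and (f.host, f.check) not in verified_fixed
        and (scope is None or f.host in scope)
    ]


def scan_result(findings, verified_fixed=frozenset(), scope=None):
    """Summarise pass/fail plus the hosts that need remediation and rescan."""
    blocking = blocking_findings(findings, verified_fixed, scope)
    hosts = {}
    for f in blocking:
        hosts.setdefault(f.host, []).append(f.check)
    return {"passed": not blocking, "blocking": len(blocking), "hosts": hosts}


if __name__ == "__main__":
    print(scan_result(SCAN))  # fails: three findings at or above 4.0
    fixed = frozenset({("203.0.113.10", "tls-weak-cipher"),
                       ("203.0.113.11", "outdated-web-server"),
                       ("203.0.113.12", "http-trace-enabled")})
    print(scan_result(SCAN, fixed))  # passes once all three are rescanned clear
```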

4. Annual Penetration Testing

PCI-DSS requires annual internal and external penetration testing of the cardholder data environment, conducted by qualified testers who are independent from the environment being tested. For organizations using network segmentation, the penetration test must also validate segmentation effectiveness — confirming that out-of-scope systems cannot reach in-scope systems through the segmentation controls. Penetration tests required under PCI-DSS 4.0 must follow a defined methodology such as NIST SP 800-115 and include both network-layer and application-layer testing for in-scope applications.
Annual penetration test costs for CDE-scoped engagements typically range from $15,000 to $40,000, depending on CDE size, the number of applications in scope, and whether segmentation validation is included. Organizations with larger CDEs, complex web applications processing payment data, or multi-site cardholder data environments should expect costs at or above the upper end of that range. SENTRY’s managed detection and response coordinates with penetration testing engagements to ensure monitoring coverage during tests and to capture test findings in the compliance evidence record.

5. Ongoing Compliance Program Management

Sustaining PCI-DSS compliance between annual assessments requires ongoing operational investment that many organizations underestimate. The controls required by PCI-DSS — centralized log management and review, patch management and vulnerability remediation, MFA administration, access control lifecycle management, firewall rule management, and security awareness training — are not one-time implementations. They are continuous operational commitments that require staffing, tooling, and management attention every month of the year.
Market ranges for ongoing PCI-DSS compliance program management — encompassing monitoring, log management, vulnerability management, policy maintenance, and evidence collection — typically run $2,500 to $8,000 per month for organizations in the Level 3 and Level 4 range with a limited CDE. Level 2 environments with more complex monitoring and control obligations typically run $5,000 to $15,000 per month. These figures reflect the combined cost of managed security services, compliance advisory support, and evidence management tooling — not any single vendor or engagement model.

The Real Cost Driver: Remediation, Not Assessment

The most significant factor in total PCI-DSS program cost is the amount of remediation required to bring the current environment to compliance before assessment — not the assessment itself. An organization with a mature security program, proper network segmentation, continuous monitoring in place, and MFA enforced across the CDE may complete an SAQ with modest advisory support. An organization with a flat network, inconsistent patch management, no centralized logging, and missing MFA faces remediation costs that dwarf assessment fees.
Scope reduction through network segmentation is consistently the highest-return investment in a PCI-DSS program. Reducing the number of in-scope system components reduces the remediation work required before assessment, reduces the scope of the ASV scan and penetration test, and reduces the ongoing compliance management burden. See PCI-DSS network segmentation for the technical requirements and scope reduction approaches.

Cost Summary Table: Typical Market Ranges by Category

| Cost Category | Typical Market Range | Primary Variables |
|---|---|---|
| Gap assessment and remediation consulting (Level 3–4) | $8,000 – $25,000 | CDE size, number of gaps, payment channel complexity |
| Gap assessment and remediation consulting (Level 2) | $25,000 – $60,000 | Environment complexity, multi-channel acceptance, control maturity |
| Pre-assessment preparation consulting (Level 1) | $50,000 – $150,000+ | Environment size, remediation depth, number of data centers |
| QSA on-site ROC assessment (Level 1) | $50,000 – $200,000+ | Environment complexity, geographic scope, QSA firm |
| ASV quarterly external vulnerability scans | $1,000 – $5,000 per quarter | Number of in-scope external IPs, scan failure remediation rounds |
| Annual penetration test (CDE scope) | $15,000 – $40,000 | CDE size, application scope, segmentation validation inclusion |
| Ongoing compliance program management (Level 3–4) | $2,500 – $8,000 per month | Monitoring scope, log volume, policy maintenance cadence |
| Ongoing compliance program management (Level 2) | $5,000 – $15,000 per month | CDE complexity, number of in-scope systems, advisory intensity |

These ranges reflect general market data and should not be treated as quotes. Actual program cost depends on your specific environment, current control posture, and the scope of services engaged. Contact Armorstack for a scoped engagement discussion based on your merchant level, CDE architecture, and compliance objectives.

How Armorstack Structures PCI-DSS Program Delivery

Armorstack’s approach to PCI-DSS compliance program delivery is organized to minimize total program cost by front-loading scope reduction and gap closure before validation. The VERITY advisory team begins with a scoping and gap assessment that defines the correct CDE boundary, identifies all applicable requirements based on SAQ type or QSA scope, and produces a prioritized remediation roadmap with cost estimates by category.
CORE managed IT services implements the infrastructure remediation — network segmentation design, MFA deployment, patch management cadence, firewall configuration management, and endpoint control — that closes the gaps identified in the assessment before the validation cycle begins. SENTRY managed detection and response operationalizes the continuous monitoring, log management, and ASV scan management required by Requirements 10 and 11 on an ongoing basis, eliminating the need to reconstruct compliance evidence in the weeks before each annual assessment.
For the overall PCI-DSS compliance framework and all 12 requirements, see PCI-DSS compliance. To discuss your organization’s compliance cost profile and where your highest-priority investments should be focused, talk to an Armorstack compliance expert or start the 90-Day Proof.