What Is a PCI Compliance Fee and Why Does It Appear on Your Card Machine Statement?
You open your monthly card machine statement and there it is. A line you do not quite recognise. PCI compliance fee. It might be £5, it might be £10, and if you are like most small business owners you accepted it without ever really knowing what it was for.
You are not alone. PCI fees are one of the most common mystery charges on UK card statements, and providers do not always go out of their way to explain them. This guide covers what a PCI compliance fee actually is, what it pays for, what a fair amount looks like, and the difference between a compliance fee and a non-compliance fee — which is the one you really want off your statement.
What PCI compliance actually is
PCI stands for Payment Card Industry, and the standard itself is the Payment Card Industry Data Security Standard, usually shortened to PCI DSS. It is a set of security requirements that every business taking card payments has to follow, designed to protect cardholder data and reduce fraud.
It is maintained by the PCI Security Standards Council, the body set up by the major card brands, including Visa, Mastercard, American Express, Discover and JCB. The current version of the standard is PCI DSS 4.0.1, and its remaining future-dated requirements became mandatory on 31 March 2025. You do not need to memorise any of that. What matters for a small business is simply that taking card payments comes with a basic security obligation, and the standard is how that obligation is defined.
Why the fee appears on your statement
Staying compliant involves a bit of admin every year, and most providers package the support for that admin into a small monthly charge. That is your PCI compliance fee. Depending on the provider, it can cover your annual self assessment, any security scans your setup needs, and someone to help you complete them.
It is worth knowing the fee can hide under other names. Merchant security, security fee, regulatory fee, PCI management and similar wording all tend to describe the same thing. If you are not sure which line on your statement it is, your provider can point it out.
What is a fair amount to pay?
Around £6 a month per terminal is a fair, standard amount, and most UK providers sit somewhere between £5 and £10. This is normal industry pricing rather than anything to be alarmed by. Some providers fold it into their overall pricing and do not show a separate line at all, and a few do not charge for it.
The thing to watch is not whether you have a PCI fee, but whether it is reasonable and whether you actually get support for it. If you are being charged well above £10 a month, or you are paying a fee and still left to work out compliance entirely on your own, that is worth questioning.
Compliance fee versus non-compliance fee
This is the distinction that matters most, because the two are often confused and only one of them is worth worrying about.
| | PCI compliance fee | PCI non-compliance fee |
|---|---|---|
| What it is | A charge for the compliance programme and support that keeps you covered | A penalty for not completing your compliance, charged on top |
| Typical amount | Around £5 to £10 a month, with about £6 being standard | Around £20 to £40 a month |
| Should you pay it? | Reasonable — this is normal industry pricing | Avoidable — and the one to get rid of |
| How to deal with it | Check it is a fair amount and that you get support for it | Complete your annual SAQ and any required scans to make it stop |
In short, a compliance fee is normal. A non-compliance fee is a penalty, usually £20 to £40 a month, that gets applied when you have not completed your annual self assessment or required scans. It is pure avoidable cost. If you spot one on your statement, that is a sign your compliance has lapsed, and completing it is how you make the charge stop.
Do you need to be PCI compliant?
Yes. Any business that stores, processes or transmits card data has to comply, whatever its size. The good news is that for most small UK businesses the bar is very manageable.
Most small businesses fall into what the card brands call Level 4, the lowest tier, which means your compliance is usually a Self Assessment Questionnaire (SAQ) once a year. It is an online form about how you handle card payments, and for a business using a certified terminal it can often be completed in under an hour. If your terminal connects over wifi or your wider network rather than a dedicated phone line, you may also need a quarterly external vulnerability scan, carried out by an Approved Scanning Vendor (ASV). Your provider should prompt you when each is due and walk you through it.
How to stay compliant and keep your fees down
- Complete your annual Self Assessment Questionnaire when your provider prompts you. This alone is what keeps the non-compliance fee away.
- Run any required quarterly network scans if your terminal connects over wifi or your wider network. Your provider normally arranges the scan; you just need to act on anything it flags.
- Use a certified, up-to-date payment terminal rather than older or uncertified hardware.
- Never write down or store full customer card numbers, on paper or on a computer, and never keep the three-digit security code or PIN at all. A business that stores no card data has the shortest questionnaire and the least to go wrong.
- Check what your compliance fee covers, so you know you are getting support for it.
How to check you are not overpaying
A fair PCI fee is a small part of a bigger picture. The charges that quietly add up are usually spread across your whole statement, which is exactly why it is worth understanding why card machine fees can be so high and what a fair overall deal looks like. If you are choosing or reviewing a setup, our guide to the best card machine for a small business covers the wider market.
If you want to know whether your fees, PCI included, are fair, send us your latest statement. We will read it line by line, work out your true effective rate, and tell you plainly whether you are on a good deal. It is free, there is no obligation, and the report is yours to keep. Start your free statement review here.
Frequently asked questions
What is a PCI compliance fee?
It is a charge some providers add to cover the programme that keeps your business compliant with the card payment security standard. It typically covers your annual self assessment, any required scans and support to complete them. A fair amount is around £6 a month per terminal.
How much is a PCI compliance fee in the UK?
Most UK providers charge between £5 and £10 a month per terminal, and around £6 is standard. Some do not charge a separate fee at all. If you are paying well above £10, it is worth asking what the fee covers.
Do I need to be PCI compliant?
Yes. Any business taking card payments must comply, whatever its size. For most small UK businesses that means completing an annual self assessment questionnaire, usually under an hour with a certified terminal.
PCI compliance levels explained
There are four PCI merchant compliance levels, set by the card brands according to how many card transactions you process a year (Visa and Mastercard each publish their own thresholds, but they line up closely). Almost every UK small business is Level 4, the simplest tier.
| Level | Who it applies to |
|---|---|
| Level 1 | The largest merchants, over 6 million card transactions a year |
| Level 2 | 1 to 6 million transactions a year |
| Level 3 | 20,000 to 1 million ecommerce transactions a year |
| Level 4 | Fewer than 20,000 ecommerce transactions a year, or up to 1 million transactions in total; most small businesses |
As a Level 4 business your requirements are the lightest, usually an annual self assessment, a certified terminal and, only if that terminal sits on a network, a quarterly scan, which is why your compliance fee should be modest and the process simple.
What is the difference between a compliance fee and a non-compliance fee?
A compliance fee covers support and is normal. A non-compliance fee is a penalty, usually £20 to £40 a month, applied when you have not completed your annual self assessment or scans. The non-compliance fee is the one to avoid, and completing your compliance removes it.
Can I avoid paying a PCI compliance fee?
Some providers do not charge one, so it is worth checking. Where it is charged, a fair fee of around £6 a month is normal and not worth switching provider over on its own. The non-compliance fee is the one you should always avoid, and you remove it by keeping your annual self assessment up to date.
How do I become PCI compliant as a small business?
Complete your annual self assessment questionnaire, run any required network scans if your terminal connects over wifi, use a certified payment terminal, and never store customer card details in writing or on a computer. Your provider should prompt you when your assessment is due and help you through it.
BoonPay is independent. If you use our free statement review, we may introduce you to a payment partner suited to your business, and we may be paid for that introduction. It never changes the advice we give.