What Is a PCI Compliance Fee and Why Does It Appear on Your Card Machine Statement?
You open your monthly card machine statement and there it is. A line item you do not quite recognise. PCI compliance fee. It might be £5, it might be £10, and if you are like most small business owners, you accepted it without really knowing what you were paying for.
You are not alone. PCI compliance fees are one of the most common mystery charges on card processing statements in the UK, and providers do not always go out of their way to explain them. This guide covers exactly what a PCI compliance fee is, what it covers, what a fair amount looks like, and what the difference is between a PCI compliance fee and a PCI non-compliance fee -- which is the one you really want to avoid.
What Is PCI Compliance?
PCI compliance refers to the Payment Card Industry Data Security Standard, commonly known as PCI DSS. It is a set of security requirements developed and maintained by Visa and Mastercard to protect businesses and customers from card payment fraud and data breaches.
Any business that accepts card payments -- regardless of size, sector, or how many transactions it processes -- is required to comply with PCI DSS. This includes the pub that takes fifty card payments on a Friday night, the barber shop taking payments through a portable terminal, and the dental practice processing fees after appointments.
PCI DSS compliance is not a UK legal requirement in the same way that, say, GDPR is. However, it is effectively mandatory. Card networks can fine non-compliant businesses, and in serious cases can withdraw the right to accept card payments altogether. Every reputable payment provider expects its merchants to be compliant.
What Are the Four Levels of PCI Compliance?
PCI compliance is divided into four levels based on annual transaction volume. The level your business falls into determines what you need to do to remain compliant.
Level 1
Businesses processing more than 6 million card transactions per year. Requires an annual on-site audit by a Qualified Security Assessor (QSA) and quarterly network scans. This applies to large retailers and enterprise businesses.
Level 2
Businesses processing 1 million to 6 million transactions per year. Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly network scans.
Level 3
Businesses processing 20,000 to 1 million e-commerce transactions per year. Annual SAQ and quarterly scans required.
Level 4
Businesses processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year. This is the level that applies to the vast majority of UK small businesses. The requirement is typically an annual Self-Assessment Questionnaire - a straightforward online process that most small business owners can complete in under an hour.
The practical reality for most small businesses is that when you use a certified payment provider with PCI-compliant terminals, much of the compliance work is handled at the provider level. Your terminals are already certified hardware. The SAQ process is straightforward and your provider should support you through it.
So What Is a PCI Compliance Fee?
A PCI compliance fee is a charge from your payment provider that covers the cost of administering your compliance. It typically includes maintaining PCI-certified terminal hardware, supporting your annual Self-Assessment Questionnaire process, running security infrastructure, and providing the tools and documentation that keep your account compliant.
It is a standard industry cost -- not an invented charge. Processing card payments securely requires ongoing infrastructure investment, and the PCI compliance fee reflects a portion of that cost being passed to the merchant.
What matters is whether the fee is reasonable and whether it is clearly shown on your statement. A fee that is buried in the small print or applied without explanation is a sign of a provider that does not prioritise transparency.
How Much Should a PCI Compliance Fee Be?
Across the UK card processing market, PCI compliance fees for small businesses typically range from around £5 to £15 per month depending on the provider and the package.
Traditional acquirers and merchant services providers typically charge between £5 and £10 per month as a clearly itemised PCI compliance fee.
Flat-rate providers like SumUp and Square do not charge a separate PCI fee. Instead the cost is absorbed into their headline transaction rate, which is one reason their percentage is higher than that of tiered providers. You are still paying for compliance -- it is just less visible.
BoonPay charges £6 per month per terminal as a clearly itemised PCI compliance fee. It appears on every monthly statement alongside your transaction fees so you always know exactly what you are paying and why.
A fee of around £5 to £8 per month is reasonable and reflects the genuine cost of maintaining compliance. If you are being charged significantly more than this, it is worth asking your provider exactly what the fee covers.
What Is a PCI Non-Compliance Fee? And Why You Want to Avoid It
A PCI non-compliance fee is completely different from a PCI compliance fee, and it is the one that can really catch businesses out.
When a business fails to complete its annual Self-Assessment Questionnaire or does not meet the compliance requirements set by its provider, some providers apply a monthly non-compliance fee on top of the standard compliance charge. This can range from £20 to £40 per month or more with some traditional acquirers.
The non-compliance fee is avoidable. It exists as a penalty for not completing the required compliance process, and it continues until the business brings its account back into compliance. Many business owners only notice it when they look closely at their statement and wonder why their monthly bill is higher than expected.
With BoonPay, the compliance process is handled as part of your account setup. The £6 monthly fee covers your ongoing compliance administration and there is no non-compliance penalty charge applied.
Why Do Some Providers Not Show PCI Fees Separately?
Pay-as-you-go providers like SumUp and Square bundle compliance costs into their flat transaction rate. A business processing £20,000 per month at 1.75% pays £350 in transaction fees. A portion of that covers compliance infrastructure - but it is invisible in the headline rate.
This approach is simpler but it has a downside. When fees are bundled together you cannot see what each component actually costs, which makes it harder to compare providers fairly and harder to understand whether you are getting value for money.
A clearly itemised statement that separates transaction fees, terminal rental, and PCI compliance gives you a much clearer picture of what you are actually paying for. It is also significantly easier to reconcile against your accounts.
What Happens If a Business Is Not PCI Compliant?
Non-compliance carries real consequences, though the risk profile differs depending on your business size and the nature of any breach.
Monthly non-compliance fees from your payment provider, typically £20 to £40 per month until compliance is restored.
Higher transaction rates applied by your acquirer as a risk premium.
In the event of a data breach, fines from card networks can be significant and liability for fraud losses may fall on the merchant rather than the card issuer.
In the most serious cases, the ability to accept card payments can be suspended entirely.
For a Level 4 small business using a reputable payment provider with certified terminals, the compliance process is straightforward and the risk of a serious breach is low. The key is to complete your annual SAQ when your provider requests it and to respond to any compliance notifications promptly.
How BoonPay Handles PCI Compliance
Every BoonPay terminal is PCI-certified hardware. The devices are tested and approved under PCI DSS standards, which means the card data handled by your terminal meets the required security specifications.
The £6 monthly PCI compliance fee covers your ongoing compliance administration, SAQ support, and security infrastructure. It is clearly listed as a separate line item on every monthly statement alongside your transaction fees and terminal rental -- so you can see exactly what your total monthly cost is at a glance.
There are no non-compliance penalty charges applied on top, no surprise additions mid-contract, and no fees deducted before your takings are settled. The full breakdown of what you pay is visible every month.
Frequently Asked Questions
What is a PCI compliance fee?
A PCI compliance fee is a monthly charge from your payment provider that covers the cost of administering your PCI DSS compliance. It typically covers certified terminal hardware, Self-Assessment Questionnaire support, and ongoing security infrastructure. It is a standard industry cost and should be clearly itemised on your statement.
How much should a PCI compliance fee be for a small business?
A reasonable PCI compliance fee for a UK small business is typically between £5 and £10 per month. BoonPay charges £6 per month per terminal, clearly itemised on every statement. If you are being charged significantly more than this, it is worth asking your provider what the fee covers.
What is a PCI non-compliance fee?
A PCI non-compliance fee is a separate penalty charge applied when a business has not completed its compliance requirements, such as the annual Self-Assessment Questionnaire. It is entirely different from the standard PCI compliance fee and can range from £20 to £40 per month with some providers. It is completely avoidable by keeping your compliance up to date.
Do I need to be PCI compliant as a small business in the UK?
Yes, effectively. PCI DSS compliance is not a UK legal requirement in the same way as GDPR, but it is required by the card networks Visa and Mastercard. Non-compliant businesses can face fines and in serious cases can lose the ability to accept card payments. Most small businesses using a reputable payment provider fall into Level 4 compliance, which is the most straightforward level to maintain.
Is PCI compliance included with BoonPay?
Yes. Every BoonPay terminal is PCI-certified hardware and the £6 monthly fee covers your ongoing compliance administration. This is clearly itemised on your monthly statement. There are no non-compliance penalty charges and no surprise additions to your monthly costs.
Why do some providers not charge a separate PCI fee?
Flat-rate providers like SumUp and Square bundle compliance costs into their headline transaction rate rather than showing them as a separate line item. This looks simpler but means you are still paying for compliance -- just invisibly. A clearly itemised fee gives you better visibility of your total costs and makes provider comparisons more straightforward.
What is a Self-Assessment Questionnaire?
A Self-Assessment Questionnaire is an annual online compliance check for Level 4 merchants -- the level most UK small businesses fall into. It involves answering a series of questions about how your business handles card payments and data security. Most small businesses using certified payment terminals can complete it in under an hour. Your payment provider should notify you when it is due and support you through the process.
What happens if I do not complete my PCI compliance?
If you fail to complete your annual SAQ or meet your compliance requirements, your provider may apply a monthly non-compliance fee of £20 to £40. In the event of a card data breach, liability for fraud losses and card network fines can fall on the merchant. Completing your compliance requirements is straightforward for most small businesses and the consequences of not doing so are not worth the risk.
Want to Know Exactly What You Are Paying For?
If you are reviewing your current card machine statement and want to understand every charge on it, or if you want to compare what you are currently paying against what you would pay with BoonPay, get in touch. We will give you a clear, line-by-line breakdown with no jargon and no obligation.
Visit boonpay.uk/contact to get started.