Cost of PCI Compliance

I have a small site and looked into being PCI Compliant. I was told it would cost $7,000 to $10,000 per MONTH.

I do not even GROSS that much.

How in the world do I afford it?

If you don’t gross that much , you should just be a level 4 merchant which only requires you to fill out a self-survey to be PCI-Compliant.

Also ask your PSP to take a look at the PaymentSeal implementation that can easily make their merchants PCI-Compliant.

Err… a scan does not make you PCI Compliant, it can help you identify open ports and potentially out of date software, but there is far more to PCI Compliance than passing a scan. It all depends on how you accept payments i.e. Do you use an offsite payment processor, or do you handle the card details yourself?

$7-10k/month does seem very extreme and would only be the costs for a higher end shop and should actually include the hardware as well IMHO.

If you’re a small shop, it shouldn’t cost anywhere near that, especially if you’re using an offsite payment processor.


How do you process payments? <- PCI Scans 1 year service, this will make you compliant.

I recommend as a merchant. Been using them for years.


That’s why the costs will be higher, as you’re a higher level merchant because you take the card details from the customer yourself - just because you don’t see them, doesn’t mean you can’t see them, if you follow what I mean. Still seems somewhat excessive for a 2 server setup though per month - although of course that does depend on the specs and exactly what is included in terms of management and bandwidth, software licensing etc.


Thanks Karl,

We do the scans now even before looking into PCI-DSS Compliance.

Yes the 7K to 10K includes ALL the hardware and second server for the database.

We process transactions like any other e-commerce site. Customer enters card, we send off to the Gateway. We NEVER store any more than last 4 digits of card, expiration and transaction number in case customer wants refund.

We do not even know the customer card number.

With 2 different VPS on the same physical server that will be the same as keep all eggs in the same basket.
I believe he is interested to avoid such situation.

You dont need 2 physical servers, even 2 VPS will do. And yes, McAfee offer a very reasonably priced service for PCI compliance.

Check with your payment processor to see if they have other plans that would meet your needs. In many cases you don’t need to store any credit card information at all, a customer name and receipt number is good enough to reference in case of refunds. You could match that information with your transaction record at your payment gateway and issue any refunds through their online control panel without needing to know the credit card number.