Payment Gateway Cost 2026: Verified Rates Across 30 Vendors

Over 6M tx/yr

Annual ROC + QSA + ASV scans

1M to 6M tx/yr

Annual SAQ + ASV scans

20K to 1M e-com tx/yr

Annual SAQ + ASV scans

Under 20K e-com tx/yr

Annual SAQ

Direct answer

For a Level 4 SaaS / ecommerce merchant using a fully tokenised gateway like Stripe Checkout or PayPal hosted fields, PCI compliance reduces to a SAQ-A questionnaire that the gateway typically pre-fills and the merchant attests to in minutes; direct cost ~$0. For Level 1 merchants, an annual Report on Compliance (ROC) from a Qualified Security Assessor (QSA) and quarterly Approved Scanning Vendor (ASV) scans are both quoted per engagement: QSA fees depend on cardholder-data environment scope, locations, and remediation scope, and ASV fees depend on the number of external IPs scanned. QSA and ASV companies are listed in the PCI SSC public directories rather than via a published rate card.

Levels and what is required

Feature	Annual scope	Validation
Level 1 (>6M tx)	Annual ROC by QSA	Quarterly ASV scans
Level 2 (1M-6M tx)	Annual SAQ	Quarterly ASV scans
Level 3 (20K-1M e-com)	Annual SAQ	Quarterly ASV scans
Level 4 (<20K e-com)	Annual SAQ	Acquirer-discretion ASV

Where to source a QSA or ASV

PCI SSC maintains the only authoritative live directories of qualified assessors and scanning vendors. Use these directly to scope quotes rather than relying on third-party cost ranges:

Qualified Security Assessor (QSA) companies: listings.pcisecuritystandards.org (PCI SSC official directory).
Approved Scanning Vendors (ASVs): listings.pcisecuritystandards.org/approved_scanning_vendors.
QSA and ASV firms price per engagement; we do not publish range claims because no QSA pricing dataset is consistently published year over year.

PCI non-compliance fees by gateway

Gateways that bill PCI non-compliance fees if the merchant fails to attest annually. We list only what we can verify.

Worldpay, Elavon, Fiserv (quote-only): PCI non-compliance fee may apply; the fee is set in the merchant agreement and is not published on the open web.
Authorize.net: no separate PCI fee on the $25/month plans; included.
Stripe, PayPal, Square, Braintree, Helcim: no PCI non-compliance fee passed through on flat-rate / published interchange-plus.

Quote-only vendors

Where the PCI fee usually lurks.

Methodology

How we verify gateway claims.

3DS and fraud tooling

Other compliance-adjacent costs.

Last verified June 2026. Next review September 2026. Rates change without notice; always confirm directly with the vendor before signing a contract.

PCI Compliance Cost

Levels and what is required

Where to source a QSA or ASV

PCI non-compliance fees by gateway

Related