
Somewhere on many UK card machine statements sits a line like 'PCI DSS compliance: £4.95' - and next to it, on the unlucky ones, 'PCI non-compliance: £30'. Most owners pay both for years without knowing what they are. Here's what PCI actually is, why some providers charge for it and some don't, and the ten-minute job that stops the penalty version dead.
What PCI DSS actually is
PCI DSS (Payment Card Industry Data Security Standard) is the card schemes' security rulebook - Visa and Mastercard's requirements for anyone who handles card payments, covering things like not writing card numbers down and keeping terminals physically secure. Every business taking cards has to comply with it. That part is not optional and not a scam.
For a typical small shop using a modern terminal, 'complying' mostly means answering an annual self-assessment questionnaire (SAQ) honestly - your terminal does the heavy cryptographic lifting. The standard is real; what varies wildly is whether you're charged for the paperwork.
The two fees hiding on your statement
Traditional acquirers (the contracted-terminal world: Worldpay, Barclaycard, takepayments and friends) typically charge two distinct things:
- PCI compliance fee: £2.50-£6 a month just for administering the programme - the portal, the questionnaire, sometimes scanning tools. £30-£70 a year for a form.
- PCI NON-compliance fee: £15-£40+ a month charged when you haven't completed that questionnaire. This is the expensive one - it's a penalty dressed as a service, and plenty of businesses pay it for years simply because nobody told them the form existed.
- Modern flat-rate providers (SumUp, Square, Zettle, Dojo) roll PCI into the headline rate: no separate fee, no questionnaire chasing, nothing to forget. It's one of the quiet reasons their pricing is easier to trust.
The ten-minute fix if you're being charged
First, read your last statement and find both lines - many owners discover the non-compliance fee only when they go looking. If it's there, log into your provider's PCI portal (the name is on the statement - commonly Sysnet/VikingCloud or similar), complete the SAQ, and the penalty fee stops from the next cycle. It genuinely takes about ten minutes for a standard terminal setup.
Then diarise it annually - the questionnaire expires every 12 months and the fee quietly returns when it does. If your provider charges a compliance fee AND makes the portal miserable, add it to the evidence pile for switching: our switching checklist covers exit timing, and the fee calculator will tell you whether a flat-rate provider beats your all-in cost once PCI, terminal rental and minimum monthly service charges are counted.
Can you avoid PCI fees entirely?
Yes - by using a provider that absorbs them. None of the major no-monthly-fee providers charge separate PCI fees, which changes the comparison maths more than people realise: a 'cheap' 1.2% contracted rate plus £5 PCI plus £15 terminal rental can cost a low-volume business more than a flat 1.69% with nothing else on the bill. This is exactly the hidden-fees pattern that makes headline rates so misleading.
To be clear: you can't avoid PCI compliance - handling cards safely is the deal. You can absolutely avoid paying £200 a year in fees and penalties for it. If your statement says otherwise, that's a provider choice, not an industry requirement.
FAQs
Is a PCI compliance fee a scam?
It's legal and disclosed in contracts - but it's a fee for administering a form, and plenty of providers manage without charging it. The non-compliance penalty version is the one to attack immediately: complete the SAQ and it stops.
Do SumUp, Square and Zettle charge PCI fees?
No separate PCI fees - compliance is handled within their flat rate. It's one of the genuine advantages of the no-monthly-fee providers for small businesses.
What happens if I just ignore PCI completely?
You'll pay non-compliance fees indefinitely, and if card data is ever compromised your liability is far worse without compliance in place. Ten minutes on the questionnaire is the cheap side of that trade in every scenario.
How do I know if I'm paying PCI fees now?
Check a recent monthly statement for lines containing 'PCI', 'DSS', 'compliance' or 'data security'. Contracted terminals: probably yes. Flat-rate readers: no. If you can't tell, that itself is a statement about your provider's transparency.


