NEXSYS Knowledge Base | PCI Compliance
If you've noticed an unfamiliar monthly charge on your merchant statement labeled something like "PCI Non-Compliance Fee" or "Security Non-Compliance," you're not alone. It's one of the most common — and most avoidable — charges small business owners encounter.
This article explains exactly what the fee is, why you're being charged, and the specific steps to make it stop.
A PCI non-compliance fee is a monthly charge assessed by your payment processor when your business has not completed the required annual PCI compliance validation. It is not a fine from a government agency or card brand — it is a fee your processor charges to offset the additional risk they take on by processing payments for a merchant who hasn't confirmed their security posture.
The fee is charged every month until you complete compliance validation. Some processors charge it indefinitely without proactively notifying you that you can resolve it.
⚠️ Non-compliance fees are recurring. A $40/month fee left unresolved for 12 months costs you $480 — for something that typically takes less than an hour to fix.
The fee amount varies by processor, but here's the general range:
Status          Monthly fee   Notes
Non-Compliant   $20–$100      Charged every month until compliance is validated
Compliant       $0–$10        Most processors charge little or nothing once validated
Some processors also charge a separate annual PCI compliance fee (typically $75–$120/year) once you are compliant — this is different from the non-compliance fee and covers access to the compliance portal and scan tools.
There are a few common reasons merchants end up with a non-compliance fee:
In most cases, you can clear a non-compliance fee in under an hour by following these steps:
1. Log into your compliance portal
Most processors provide access to a PCI compliance portal (such as ControlScan, Trustwave, or Sysnet). Check your original merchant welcome email or contact NEXSYS for your portal login.
2. Identify your SAQ type
The portal will walk you through a series of questions to determine which SAQ applies to your business. If you're unsure, refer to our article on SAQ types or contact your NEXSYS representative.
3. Complete and submit your SAQ
Answer the questionnaire honestly and thoroughly. Most SAQ types for small businesses (particularly SAQ A and SAQ B-IP) are straightforward and take 15–30 minutes.
4. Run any required vulnerability scans
If your SAQ type requires an ASV (Approved Scanning Vendor) scan, initiate it through the portal. Scans typically complete within a few hours. If a scan fails, the portal will provide guidance on remediation.
5. Confirm your compliant status
Once your SAQ is submitted and any required scans pass, your status should update to "Compliant" in the portal. Allow 1–2 billing cycles for the non-compliance fee to stop appearing on your statement.
✓ Once you're marked compliant, set a reminder to renew before your annual expiration date — typically 12 months from submission. This prevents the fee from reappearing next year.
In some cases, yes. If you can demonstrate that you were actually compliant during the period fees were charged — or if you complete compliance quickly after being notified — it's worth contacting your processor to request a courtesy credit. Results vary by processor, but it doesn't hurt to ask.
NEXSYS can help advocate on your behalf if you've been charged fees and need assistance resolving them.
If the fee continues after your compliance status is confirmed, check the following:
Need help completing your PCI compliance or disputing a non-compliance fee? Contact your NEXSYS representative or reach us at support@nexsyspros.com.