How Long Does PCI DSS Compliance Take?

How long PCI DSS compliance takes depends primarily on your merchant level, the size of your cardholder data environment, and how much of the required security infrastructure is already in place. For most UK SMEs at Level 3 or Level 4, achieving initial compliance takes 6 to 12 weeks. For Level 1 merchants requiring a full QSA-led Report on Compliance, a realistic timeline is 20 to 24 weeks.

The single most important factor is not your business size — it is your starting security posture and whether you have invested time in reducing your PCI DSS scope before the compliance programme begins.

PCI DSS Compliance Timeline by Merchant Level

| Merchant Level | Transactions | Validation Route | Realistic Timeline |
| --- | --- | --- | --- |
| Level 4 | Under 20,000 | SAQ plus quarterly scans | 4 to 8 weeks |
| Level 3 | 20,000 to 1 million (eCommerce) | SAQ A-EP or SAQ D plus testing | 6 to 12 weeks |
| Level 2 | 1 million to 6 million | SAQ or QSA depending on acquirer | 8 to 16 weeks |
| Level 1 | Over 6 million | Full QSA audit, Report on Compliance | 20 to 24 weeks |

These timelines assume a well-resourced programme with clear ownership. Organisations that are starting from a low security baseline, have complex or poorly documented environments, or are waiting on third-party remediation consistently take longer.

The Four Phases of PCI DSS Compliance and How Long Each Takes

Phase 1: Scoping and Gap Analysis — 2 to 4 weeks

Before any compliance work begins, you need to define exactly which systems, people, and processes are in scope. This is your Cardholder Data Environment. A gap analysis then compares your current controls against PCI DSS requirements and produces a prioritised list of what needs to be fixed.

Getting scope right at this stage is critical. Businesses that overestimate their scope spend more time and money on compliance than necessary. Businesses that underestimate it fail their assessment. Understanding what PCI DSS compliance costs UK businesses at each merchant level starts with understanding your scope, because scope size determines everything that follows.

Phase 2: Remediation — 4 to 16 weeks

Remediation is the phase that most commonly overruns. This is where technical gaps are fixed: implementing multi-factor authentication, updating network segmentation, patching systems, configuring logging and monitoring, and building the policy documentation required by PCI DSS.

The time required depends entirely on what the gap analysis found. A business with modern infrastructure, existing MFA, and documented policies may need 4 to 6 weeks. A business with a flat network, no patch management process, and no formal security policies may need 12 to 16 weeks or more before it is ready for assessment.

Phase 3: Assessment and Testing — 2 to 8 weeks

For SAQ-level merchants, this phase involves completing the correct questionnaire, running quarterly ASV vulnerability scans, and arranging annual penetration testing. For Level 1 merchants, this is the formal QSA assessment, which typically involves multiple site visits or remote testing sessions before the Report on Compliance is drafted.

A typical QSA assessment for a mid-sized UK business takes 4 to 8 weeks from initial scoping to delivery of the final report. Whether you need a QSA or qualify for the self-assessment route has a significant impact on total programme time, as the two routes carry very different documentation and testing requirements.

Phase 4: Certification and Ongoing Compliance — Continuous

Once assessment is complete and any findings remediated, your Attestation of Compliance is issued. For Level 1 merchants, this accompanies the Report on Compliance. For SAQ merchants, it accompanies the completed questionnaire.

Compliance is then renewed annually. Quarterly ASV scans must run throughout the year. Penetration testing is required annually and after significant changes to the environment. PCI DSS is not a one-time project — it is an ongoing operational discipline.

What Causes PCI DSS Compliance to Take Longer Than Expected

Discovering unexpected scope during gap analysis. Cardholder data found in systems where it should not exist (legacy databases, email archives, unmonitored logs) immediately expands the remediation workload.

Third-party delays. Many UK businesses rely on payment providers, hosting companies, or software vendors to make changes to shared systems. Waiting on third parties is one of the most common causes of compliance programme delays.

Choosing the wrong SAQ type. Starting a compliance programme with the wrong SAQ means redoing work. A business that begins with SAQ D and later realises it qualifies for SAQ A has wasted weeks.

Insufficient internal resources. PCI DSS requires significant internal involvement from IT, security, legal, and operations teams. Businesses that understaff their compliance programme consistently run over time and budget.

How to Reduce Your PCI DSS Compliance Timeline

The fastest way to shorten your compliance timeline is to start with scope reduction. Reducing your PCI DSS scope before the compliance programme begins removes systems, people, and processes from the compliance obligation before remediation work starts. Fewer in-scope systems means fewer gaps to close, less testing required, and a faster path to your Attestation of Compliance.

If your business has not yet mapped its card data flows, this is where to begin. Every hour spent on scope reduction at the start saves multiple hours in remediation later.

Frequently Asked Questions

How long does PCI DSS compliance take for a small UK business? 

Most UK Level 4 merchants with simple payment environments achieve initial compliance in 4 to 8 weeks, including gap analysis, remediation, and SAQ completion.

How long does a PCI QSA audit take? 

A typical QSA assessment for a mid-sized UK business takes 4 to 8 weeks from scoping to final Report on Compliance delivery.

Does PCI DSS compliance need to be renewed every year? 

Yes. Annual SAQ or QSA assessment, quarterly ASV scans, and annual penetration testing are all required to maintain compliance.

What causes PCI DSS compliance to take longer than planned? 

The most common causes are unexpected scope discovered during gap analysis, third-party delays, and insufficient internal resource allocation.

Can PCI DSS compliance be achieved faster with external help? 

Yes. Experienced PCI consultants reduce the timeline by identifying the correct scope, selecting the right SAQ, and directing remediation in priority order from the start.

Does the size of our payment environment affect the timeline? 

Yes, significantly. Businesses with fewer systems in scope, outsourced payment processing, or existing security controls consistently achieve compliance faster than those without.