Credit Card Payment Processing Rules and Laws You Need to Know About

What are credit card processing laws?

Credit card processing laws are payment regulations designed to protect consumers and businesses from fraud and data security issues. 

“Credit card processing laws are essentially guidelines and rules that businesses need to follow in order to accept, store and process payments from cards safely,” said Alexander Persidsky, head of operations at PayDo. “Laws vary by location, but they all share one mission: safeguard customer information, prevent fraud and provide secure transactions.”

The PCI Data Security Standard (PCI DSS)

The PCI DSS is a global standard that applies to all businesses that accept credit cards. It is designed to protect cardholder data and reduce the risk of credit card fraud.

How to ensure PCI DSS compliance

To comply with the PCI DSS, you must follow these 12 requirements designed to protect cardholders’ data from theft via data breaches: 

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt the transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data on a business need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain, publish and enforce a security policy for all personnel.

“The key to staying compliant is to make security and regulation a part of your daily business, not just treat it like a periodic audit,” Persidsky said. “Start with the fundamentals: adhere to the PCI DSS standards — encrypt sensitive data, restrict access and scan your systems regularly.”

What are the four levels of PCI compliance?

There are four levels of PCI compliance based on your company’s annual volume of credit, debit or prepaid card transactions, each with its own validation requirements.

PCI Level 1

This applies to businesses that process more than 6 million transactions annually. Requirements include:

• Annual Report on Compliance completed by a Qualified Security Assessor or a certified internal auditor
• Quarterly network scans conducted by an Approved Scanning Vendor (ASV)
• AOC form submitted to your acquiring bank

PCI Level 2

This applies to businesses that process 1 million to 6 million transactions annually. Requirements include:

• Annual Self-Assessment Questionnaire
• Quarterly network scans conducted by an ASV
• AOC form submitted to your acquiring bank

PCI Level 3

Applies to businesses processing 20,000 to 1 million e-commerce transactions annually. Requirements include:

• Annual SAQ (typically required by acquiring banks)
• Quarterly network scans conducted by an ASV
• AOC form submitted to your acquiring bank

PCI Level 4

Applies to businesses processing fewer than 20,000 e-commerce transactions or up to 1 million transactions via other channels annually. Requirements include:

• Annual SAQ 
• Quarterly network scans conducted by an ASV, if applicable
• Compliance validation requirements as determined by your merchant/acquiring bank

Alternatives to managing your own PCI compliance

If the idea of handling PCI compliance on your own feels overwhelming, there’s good news: many of the best credit card processors offer full PCI compliance as part of their service. 

PCI-compliant credit card processors

Other credit card processing regulators

The PCI SSC isn’t the only organization involved in regulating payment processing. Some rules are issued by industry groups, while others come from federal law.

Card Association Network

The Card Association Network includes the four major credit card brands — Visa, Mastercard, Discover and American Express. This group sets interchange rates, purchase percentages and per-transaction fees that businesses pay to accept credit card payments.

Your business won’t interact with the network directly, but its fees are passed down to you through your credit card processor, merchant account provider or payment gateway.

Nacha

Nacha governs automated clearing house (ACH) transactions and the network through which they move. This includes direct deposits and direct payments made from customer bank and credit union accounts, such as recurring billing or online bill pay.

U.S. government

The federal government plays a regulatory role in several ways:

• The IRS requires businesses to report credit card transactions for tax purposes.
• Congress passed legislation that limits interchange fees charged by the Card Association Network, which can directly affect your processing costs.

Additional credit card processing rules and laws

Business owners should also be aware of other key laws and regulations that affect credit card processing.

Durbin Amendment

The Durbin Amendment is part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which Congress passed in 2010. Its goal is to protect consumers by lowering interchange fees on debit card transactions. According to lawmakers, debit card transactions carry a lower risk of fraud and should cost less for merchants to process.

IRS mandate

The IRS requires a clear record of all sales to support its business income tax collection efforts. To that end, the IRS established Section 6050W, also known as the IRS mandate, which requires merchant services providers to report the annual gross transactions their clients process via credit cards, debit cards and third-party payment networks.

To facilitate this reporting, businesses must provide their merchant services provider with a valid tax identification number (TIN). If you fail to do so — or if the IRS identifies a mismatch between your reported income and the income reported by your processor — the provider is required to withhold taxes from your future credit card revenue.

Nacha regulations

Nacha regulations primarily affect e-commerce businesses, as many online merchants accept ACH payments in addition to credit cards. Key requirements include:

• Using only secure web forms and encrypted email to transmit sensitive information.
• Safely storing physical copies that contain customer banking data.
• Validating customers’ routing numbers.
• Verifying customers’ identities by checking driver’s licenses using a third-party verification service, depositing test amounts into customers’ bank accounts or requiring customers to log in with a user ID and password.

Federal Trade Commission (FTC)

The FTC enforces data protection laws surrounding businesses that handle payment information. It investigates companies that aren’t properly safeguarding sensitive customer data, including credit card information and can issue severe fines for consumer privacy violations.

“Government agencies such as the FTC are increasing efforts to address inadequate data protection,” Persidsky said. “If a business improperly handles credit card data or suffers a breach due to lax security measures, it is more than a reputational problem; it can also result in significant fines and restrictions.”

State laws

In addition to federal regulations, some states have their own laws that govern credit card processing — particularly when it comes to credit card surcharges. Research the requirements in the state(s) in which you operate and discuss your legal obligations with an attorney to be sure your business is compliant with all applicable state laws.

Danielle Bauter contributed to this article.