Business.com aims to help business owners make informed decisions to support and grow their companies. We research and recommend products and services suitable for various business types, investing thousands of hours each year in this process.
As a business, we need to generate revenue to sustain our content. We have financial relationships with some companies we cover, earning commissions when readers purchase from our partners or share information about their needs. These relationships do not dictate our advice and recommendations. Our editorial team independently evaluates and recommends products and services based on its research and expertise.
Accepting credit cards can increase your sales, but it also brings regulations you need to understand before you take your first payment.
Before you begin accepting credit cards and digital payment methods, you’ll need to understand the legal requirements that apply to your business. These rules help protect your customers’ sensitive information, reduce your risk of costly penalties and help build trust in your brand.
Credit card processing laws are payment regulations and industry standards designed to protect consumers and businesses from fraud and from the theft of cardholder data.
“Credit card processing laws are essentially guidelines and rules that businesses need to follow in order to accept, store and process payments from cards safely,” said Alexander Persidsky, head of operations at PayDo. “Laws vary by location, but they all share one mission: safeguard customer information, prevent fraud and provide secure transactions.”
The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council (PCI SSC), is a global standard that applies to every business that stores, processes or transmits cardholder data, no matter how small. It is designed to protect cardholder data and reduce the risk of credit card fraud.
To comply with the PCI DSS, you must follow these 12 requirements designed to protect cardholders’ data from theft via data breaches:
“The key to staying compliant is to make security and regulation a part of your daily business, not just treat it like a periodic audit,” Persidsky said. “Start with the fundamentals: adhere to the PCI DSS standards — encrypt sensitive data, restrict access and scan your systems regularly.”
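One concrete control behind the PCI DSS goal of protecting cardholder data is keeping full card numbers (primary account numbers, or PANs) out of application logs, where they are routinely leaked by debug output and then exposed in a breach. The Python below is an added example written for this page, not code from the PCI SSC or from any processor mentioned here. It finds runs of 13 to 19 digits (optionally separated by spaces or hyphens), confirms they pass the Luhn checksum that real card numbers satisfy, and masks them to the first six and last four digits, the long-standing PCI DSS display rule, before the line is written. The log lines are constructed for the example and the card numbers are public industry test numbers; the regular expression and the masking function are this example's own choices, not a PCI SSC specification.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run. Assumption of this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Every real card number satisfies this, so it separates PANs from
    order IDs, timestamps and phone numbers of similar length.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the first six and last four digits, as PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_pan(text: str):
    """Mask every Luhn-valid PAN in a log line.

    Returns (scrubbed_text, number_of_pans_masked).
    """
    count = 0

    def replace(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)     # not a card number, leave it alone

    return PAN_CANDIDATE.sub(replace, text), count


# Constructed sample log lines. 4111111111111111 and 5555555555554444 are
# public Visa and Mastercard test numbers; the order ID and phone number are
# digit runs that must NOT be masked.
LOG_LINES = [
    "2024-01-15 10:22:33 INFO order=1234567890123 amount=49.99 "
    "pan=4111111111111111 status=approved",
    "2024-01-15 10:22:34 WARN retry for card 5555-5555-5555-4444 declined",
    "2024-01-15 10:22:35 INFO customer phone 1-800-555-1212 confirmed",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        scrubbed, n = scrub_pan(line)
        print(f"[{n} masked] {scrubbed}")
```

Run this as a filter in front of your logging handler rather than as a one-off cleanup; a PAN that reaches disk has already expanded your PCI scope. The Luhn check keeps false positives low, but it is not proof that a digit run is a card number, so treat a non-zero count as a signal to find and fix the code path that logged the value.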
There are four merchant levels of PCI compliance, defined by the card brands, based on your company’s annual volume of credit, debit or prepaid card transactions. Each level has its own validation requirements; higher-volume merchants must validate more rigorously.
Level 1 applies to businesses that process more than 6 million transactions annually. Requirements include:
Level 2 applies to businesses that process 1 million to 6 million transactions annually. Requirements include:
Level 3 applies to businesses processing 20,000 to 1 million e-commerce transactions annually. Requirements include:
Level 4 applies to businesses processing fewer than 20,000 e-commerce transactions, or up to 1 million transactions via other channels, annually. Requirements include:
If the idea of handling PCI compliance on your own feels overwhelming, there’s good news: many of the best credit card processors offer PCI compliance assistance, such as help completing the self-assessment questionnaire and running the required vulnerability scans, as part of their service. Keep in mind that using a processor reduces the scope of systems you must secure but does not transfer your responsibility: the merchant remains accountable for PCI DSS compliance.
Payment processor | Added cost for PCI compliance assistance |
---|---|
Merchant One | Included in monthly fee |
Helcim | Included in monthly fee |
National Processing | $10 per month |
Payment Depot | Included at no extra charge |
The PCI SSC isn’t the only organization involved in regulating payment processing. Some rules are issued by industry groups, while others come from federal law.
The card networks include the four major credit card brands in the U.S.: Visa, Mastercard, Discover and American Express. These brands set the interchange rates and per-transaction fees that businesses pay to accept credit card payments, and they are also the founding members of the PCI SSC that maintains the PCI DSS.
Your business won’t interact with the network directly, but its fees are passed down to you through your credit card processor, merchant account provider or payment gateway.
Nacha governs automated clearing house (ACH) transactions and the network through which they move. This includes direct deposits and direct payments made from customer bank and credit union accounts, such as recurring billing or online bill pay.
The federal government plays a regulatory role in several ways:
Business owners should also be aware of other key laws and regulations that affect credit card processing.
The Durbin Amendment is part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which Congress passed in 2010. It caps the interchange fees that large issuing banks can charge on debit card transactions, with the stated goal of lowering costs for merchants and consumers. According to lawmakers, debit card transactions carry a lower risk of fraud than credit card transactions and should therefore cost less for merchants to process.
The IRS requires a clear record of all sales to support its business income tax collection efforts. To that end, Section 6050W of the Internal Revenue Code, also known as the IRS mandate, requires merchant services providers to report the annual gross transactions their clients process via credit cards, debit cards and third-party payment networks (reported to you and to the IRS on Form 1099-K).
To facilitate this reporting, businesses must provide their merchant services provider with a valid tax identification number (TIN). If you fail to do so, or if the name and TIN you provide do not match IRS records, the provider is required to apply backup withholding to your future card revenue.
Nacha regulations primarily affect e-commerce businesses, as many online merchants accept ACH payments in addition to credit cards. Key requirements include:
The Federal Trade Commission (FTC) enforces data protection rules for businesses that handle payment information. It investigates companies that fail to properly safeguard sensitive customer data, including credit card information, and can impose severe fines and ongoing oversight for consumer privacy violations.
“Government agencies such as the FTC are increasing efforts to address inadequate data protection,” Persidsky said. “If a business improperly handles credit card data or suffers a breach due to lax security measures, it is more than a reputational problem; it can also result in significant fines and restrictions.”
In addition to federal regulations, some states have their own laws that govern credit card processing, particularly whether and how a business may add a surcharge to credit card transactions. Research the requirements in each state in which you operate and discuss your legal obligations with an attorney to be sure your business complies with all applicable state laws.
Danielle Bauter contributed to this article.