Credit Card Payment Processing Rules and Laws You Need to Know About

Your sales will increase if you allow customers to use credit cards, but it's crucial to understand all regulations.

Written by: Jennifer Dublino, Senior Writer. Updated Apr 24, 2025.
Shari Weiss, Senior Editor

Accepting credit cards, mobile wallets and other digital payment methods is a must for e-commerce stores, but it can also significantly boost sales for brick-and-mortar retailers and restaurants. However, specific laws and regulations govern credit card processing, whether you sell online or in person.

Before you begin accepting credit cards and digital payment methods, you’ll need to understand Payment Card Industry (PCI) compliance, the role of credit card processing regulators and essential legal requirements that apply to your business. Understanding these rules helps protect your customers’ sensitive information, reduces your risk of costly penalties and helps build trust in your brand.


What are credit card processing laws?

Credit card processing laws are regulations designed to protect consumers and businesses from fraud and data security issues. 

“Credit card processing laws are essentially guidelines and rules that businesses need to follow in order to accept, store and process payments from cards safely,” explained Alexander Persidsky, head of operations at PayDo. “Laws vary by location, but they all share one mission: safeguard customer information, prevent fraud and provide secure transactions.”

The PCI Data Security Standard (PCI DSS)

The PCI DSS is arguably the most important regulation to understand when it comes to credit card processing. This global standard applies to all businesses that accept credit cards — regardless of size — and is designed to protect cardholder data and reduce the risk of credit card fraud.

A related regulation, the Payment Application Data Security Standard (PA-DSS), works alongside PCI DSS to ensure payment software security. The PCI Security Standards Council, an independent organization created by major credit card companies, enforces both standards.

Under PA-DSS, all point-of-sale (POS) systems and terminals must meet PCI DSS standards. The good news is that if you’re using a compliant POS system, much of your PCI compliance is likely built into your hardware.

FYI: The best POS systems come with built-in PCI-compliant hardware, so when you accept credit cards, you're already covering many of the most important security requirements.

How to ensure PCI DSS compliance

“The key to staying compliant is to make security and regulation a part of your daily business, not just treat it like a periodic audit,” Persidsky advised. “Start with the fundamentals: adhere to the PCI DSS standards — encrypt sensitive data, restrict access and scan your systems regularly.”

As of March 2024, the PCI Security Standards Council (PCI SSC) implemented version 4.0 of the PCI DSS to improve security, protect sensitive information, reduce data breaches and build trust in electronic payments.

“These standards are mandatory [as of] March 31, 2025,” Hurley noted. “They increase the focus on security and expand the scope of payment processing strategies, such as mobile payments. The new requirements include enhanced risk assessments, analysis and management of third-party service providers and changes to the Self-Assessment questionnaires.”

To comply with the PCI DSS, you must follow these 12 requirements, which are designed to protect cardholders’ data from theft via data breaches:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt the transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a business need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain, publish and enforce a security policy for all personnel.

These requirements reflect fundamental cybersecurity and risk management practices. To stay PCI-compliant, you must meet them continuously, not just at audit time, and document that you do.
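As an added illustration of requirement 3 (protect stored data) and requirement 7 (need-to-know access), and not code from this article or from any processor it names, the following Python module validates a card number with the Luhn check, masks it for display in the first-six/last-four form that PCI DSS permits, and derives a keyed HMAC token so that the raw primary account number (PAN) never has to be written to the merchant's own systems. The key constant, the test card number and all function names are constructed for this example; in production the key would come from a key-management system, and a full PAN needed for recurring billing would be vaulted with the processor rather than stored locally.

```python
"""Keep a card reference, not the card: Luhn validation, PAN masking and
keyed tokenization. Added example, not from the article."""
import hashlib
import hmac
import re

# Assumption for this illustration only: a real deployment loads the key
# from a key-management system or HSM and rotates it; this constant exists
# solely to keep the example self-contained.
TOKEN_KEY = b"constructed-example-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` (13-19 digits, no separators) passes the Luhn check."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9            # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form showing only the first six and last four digits."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, non-reversible reference for the PAN (HMAC-SHA256, hex).

    Unlike a plain hash, the key stops anyone who obtains the token table
    from enumerating the small PAN space to recover card numbers."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan: str, key: bytes = TOKEN_KEY) -> dict:
    """Build the only record a merchant system should keep for a card:
    a token plus a masked display form, never the full PAN."""
    digits = re.sub(r"\D", "", pan)        # strip spaces and dashes from input
    if not luhn_valid(digits):
        raise ValueError("card number failed Luhn check")
    return {
        "token": tokenize_pan(digits, key),
        "masked": mask_pan(digits),
        "last4": digits[-4:],
    }


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Audit helper: does any stored field contain the raw PAN?"""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    # Constructed test number: passes Luhn, is not an issued card.
    sample = "4111 1111 1111 1111"
    rec = store_card(sample)
    print(rec)
    print("raw PAN present in record:", record_leaks_pan(rec, "4111111111111111"))
```

The point a PCI assessor looks for is that the stored record (`token`, `masked`, `last4`) is useful for receipts, refunds and support lookups while containing nothing that reconstructs the card number; `record_leaks_pan` is the kind of check worth running in a unit test so a later change cannot quietly start persisting the full PAN.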

Shane Hurley, CEO of RedFynn Technologies, recommends conducting a cybersecurity risk assessment at least once a year to maintain PCI compliance. “You simply complete a [self-assessment] questionnaire and determine which PCI standard you should meet,” Hurley explained. “Depending on your setup, you may also need to complete a vulnerability scan through a PCI-approved scanning vendor. Then, you submit the Attestation of Compliance [AoC] and any required documentation to your acquiring bank.”

Did you know: Many of the best merchant accounts charge a PCI compliance fee to help you assess your security practices and ensure you remain compliant.

What are the four levels of PCI compliance?

There are four levels of PCI compliance based on your company’s annual volume of credit, debit or prepaid card transactions, each with its own validation requirements.

PCI Level 1

This applies to businesses that process more than 6 million transactions annually. Requirements include:

  • Annual Report on Compliance completed by a Qualified Security Assessor or a certified internal auditor
  • Quarterly network scans conducted by an Approved Scanning Vendor (ASV)
  • AOC form submitted to your acquiring bank

PCI Level 2

This applies to businesses that process 1 million to 6 million transactions annually. Requirements include:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scans conducted by an ASV
  • AOC form submitted to your acquiring bank

PCI Level 3

Applies to businesses processing 20,000 to 1 million e-commerce transactions annually. Requirements include:

  • Annual SAQ (typically required by acquiring banks)
  • Quarterly network scans conducted by an ASV
  • AOC form submitted to your acquiring bank

PCI Level 4

Applies to businesses processing fewer than 20,000 e-commerce transactions or up to 1 million transactions via other channels annually. Requirements include:

  • Annual SAQ 
  • Quarterly network scans conducted by an ASV, if applicable
  • Compliance validation requirements as determined by your merchant/acquiring bank

Alternatives to managing your own PCI compliance

If the idea of handling PCI compliance on your own feels overwhelming, there’s good news: many of the best credit card processors offer full PCI compliance as part of their service. While this typically comes with an additional fee — often around $100 per year — it can save you time and reduce your risk of falling out of compliance.

On the flip side, if you choose to manage compliance yourself and are found to be noncompliant, your processor may charge a monthly PCI noncompliance fee, which can be significantly more expensive over time.

PCI-compliant credit card processors

Consider the following payment processors that can effectively handle PCI compliance:

| Payment processor | Added cost | Review |
| --- | --- | --- |
| Merchant One | Included in monthly fee | Merchant One review |
| Helcim | Included in monthly fee | Helcim review |
| National Processing | $10 per month | National Processing review |
| Payment Depot | Included at no extra charge | Payment Depot review |

Other credit card processing regulators

The PCI SSC isn’t the only organization involved in regulating payment processing. Some rules are issued by industry groups, while others come from federal law. Here’s a breakdown of other key regulators and their roles:

Card Association Network

The Card Association Network includes the four major credit card brands — Visa, Mastercard, Discover and American Express. This group sets interchange rates, purchase percentages and per-transaction fees that businesses pay to accept credit card payments.

Although you won’t interact with the network directly, its fees are passed down to you through your credit card processor, merchant account provider or payment gateway.

Nacha

Nacha governs automated clearing house (ACH) transactions and the network through which they move. This includes direct deposits and direct payments made from customer bank and credit union accounts, such as recurring billing or online bill pay.

U.S. government

The federal government plays a regulatory role in several ways:

  • The IRS requires businesses to report credit card transactions for tax purposes.
  • Congress passed legislation that limits interchange fees charged by the Card Association Network, which can directly affect your processing costs.

Additional credit card processing rules and laws

Business owners should also be aware of other key laws and regulations that affect credit card processing.

Durbin Amendment

The Durbin Amendment is part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which Congress passed in 2010. Its goal is to protect consumers by lowering interchange fees on debit card transactions. According to lawmakers, debit card transactions carry a lower risk of fraud and should cost less for merchants to process.

For example, before the Durbin Amendment, a $38 debit card purchase might have carried an interchange fee of about 44 cents. After the law was enacted, debit transaction fees were capped at 21 cents per transaction, plus 0.05 percent of the purchase price and an optional 1-cent fraud-prevention fee. For a $38 transaction, the maximum fee is now approximately 22-23 cents.

However, the law had an unintended consequence: businesses that process many small transactions often ended up paying more in fees. Before the law, interchange fees operated on a sliding scale, so smaller purchases incurred lower costs. After the cap was introduced, many card issuers began charging the maximum rate on every transaction, regardless of purchase size.

Bottom line: One of the best ways to ensure e-commerce website security is to build your online store on a trusted, secure platform and implement strong security measures, such as SSL certificates, PCI compliance and fraud prevention tools.

IRS mandate

Because the IRS taxes business income, it requires a clear record of all sales — not just those made by cash or check. To that end, the IRS established Section 6050W, also known as the IRS mandate, which requires merchant services providers to report the annual gross transactions their clients process via credit cards, debit cards and third-party payment networks.

To facilitate this reporting, businesses must provide their merchant services provider with a valid tax identification number (TIN). If you fail to do so — or if the IRS identifies a mismatch between your reported income and the income reported by your processor — the provider is required to withhold taxes from your future credit card revenue.

Nacha regulations

Nacha regulations primarily affect e-commerce businesses, as many online merchants accept ACH payments in addition to credit cards. However, any business that accepts ACH payments must comply with Nacha’s rules. Key requirements include:

  • Using only secure web forms and encrypted email to transmit sensitive information.
  • Safely storing physical copies that contain customer banking data.
  • Validating customers’ routing numbers.
  • Verifying customers’ identities by checking driver’s licenses using a third-party verification service, depositing test amounts into customers’ bank accounts or requiring customers to log in with a user ID and password.

In recent years, Nacha has introduced additional rules to strengthen data security and reduce fraud risks across the ACH network:

  • Supplementing Data Security Rule (effective June 2021): This Nacha rule requires businesses that process 2 million or more ACH transactions per year to encrypt payment data at rest. This means it must be secured while stored on internal systems, not just during transmission. This rule applies to consumer and business ACH data as well as scanned paper authorizations with consumer payment account data.
  • Fraud-Return Rule (effective October 1, 2024): This rule allows receiving financial institutions to formally return ACH entries they believe were submitted under false pretenses or as part of a fraudulent transaction. Previously, ACH returns were mostly used to correct technical issues, such as invalid or not-found account numbers. This expanded use of returns marks a shift toward stronger fraud prevention across the ACH network.

Federal Trade Commission (FTC)

The FTC is neither a credit card processor nor a financial regulator, but the agency does enforce data protection laws that apply to businesses handling payment information. It investigates companies that fail to properly safeguard sensitive customer data, including credit card information, and can issue severe fines for consumer privacy violations.

“Government agencies such as the FTC are increasing efforts to address inadequate data protection,” Persidsky explained. “If a business improperly handles credit card data or suffers a breach due to lax security measures, it is more than a reputational problem; it can also result in significant fines and restrictions.”

State laws

In addition to federal regulations, some states have their own laws that govern credit card processing — particularly when it comes to surcharging practices.

For example, it is illegal to charge consumers a surcharge to cover credit card processing fees in Connecticut, Maine, Massachusetts and Oklahoma. These states prohibit merchants from passing on any part of the processing cost to customers at the point of sale.

California takes a slightly different approach. While credit card surcharges aren’t outright banned, merchants are barred from misleading customers by hiding price differences between credit, debit and cash payments. This includes applying a surcharge at checkout without clearly informing the customer in advance.

Danielle Bauter contributed to this article. 

Jennifer Dublino is an experienced entrepreneur and astute marketing strategist. With over three decades of industry experience, she has been a guiding force for many businesses, offering invaluable expertise in market research, strategic planning, budget allocation, lead generation and beyond. Earlier in her career, Dublino established, nurtured and successfully sold her own marketing firm. At business.com, Dublino covers customer retention and relationships, pricing strategies and business growth. Dublino, who has a bachelor's degree in business administration and an MBA in marketing and finance, also served as the chief operating officer of the Scent Marketing Institute, showcasing her ability to navigate diverse sectors within the marketing landscape. Over the years, Dublino has amassed a comprehensive understanding of business operations across a wide array of areas, ranging from credit card processing to compensation management. Her insights and expertise have earned her recognition, with her contributions quoted in reputable publications such as Reuters, Adweek, AdAge and others.