receives compensation from some of the companies listed on this page. Advertising Disclosure

Credit Card Payment Processing Rules and Laws You Need to Know About

Updated Aug 28, 2023

Table of Contents

Open row

Accepting credit cards can make a huge difference in your sales, whether you sell in person or online. For e-commerce, 90% of purchases are made with credit cards. Since fewer people are paying with cash when shopping in stores, using a credit card is not only more convenient, it is oftentimes the only way to pay. However, there are several important rules and laws that you need to comply with once you start accepting credit cards. Here is an overview of those rules and laws, how to comply with them, and how they will affect the credit card processor you choose and your operations.

PCI Data Security Standard

What is PCI DSS?

The Payment Card Industry Data Security Standard, or PCI DSS for short, is a global data security standard required of all businesses, regardless of size, that accept credit cards. PCI DSS and the Payment Application Data Security Standard (PA-DSS) are rules designed to reduce the incidence of credit card fraud.

Both the PCI DSS and PA-DSS are enforced by the PCI Security Standards Council, an independent body created by the four major credit card brands.

Editor’s note: Looking for the right credit card processor for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.

What is PA-DSS?

PA-DSS mandates that all point-of-sale (POS) equipment and terminals meet the PCI DSS standards. That means that if you have a POS system, the lion’s share of your PCI compliance is already handled by your POS hardware.

How to ensure PCI DSS compliance

To comply with the PCI DSS, you must follow 12 requirements. The goal of those requirements is to protect the cardholder data from theft via data breaches. 

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt the transmission of cardholder data across open, public networks.
  5. Use and regularly update top antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a business need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

These 12 standards must be continually met and reported to ensure compliance.

Did You Know?Did you know

If you have a traditional merchant account set up with a bank or independent company, you will usually be responsible for your own PCI compliance.

What are the four levels of PCI compliance?

There are four levels of PCI compliance based on your company’s annual volume of credit card payments, each with its own validation requirements.

PCI Level 1

This applies to businesses that process more than 6 million credit card transactions annually.

  • Annual report on compliance (ROC) by a Qualified Security Assessor (QSA) or internal auditor (external or internal trained individuals certified to review payment transaction systems and assess and validate compliance)
  • Quarterly network scan by an Approved Scanning Vendor (ASV), a company with commercial software that analyzes and performs certified vulnerability scans on business systems and networks
  • Attestation of Compliance form

PCI Level 2

This applies to businesses that process 1 million to 6 million credit card transactions annually.

  • Annual self-assessment questionnaire
  • Quarter network scan by an ASV
  • Attestation of Compliance form 

PCI Level 3

This applies to businesses that process 20,000 to 1 million credit card transactions annually.

  • Annual self-assessment questionnaire
  • Quarter network scan by an ASV
  • Attestation of Compliance form

PCI Level 4

This applies to businesses that process up to 20,000 e-commerce payments or up to 1 million payments via other channels.

  • Annual self-assessment questionnaire recommended, but not required
  • Quarter network scan by an ASV, if applicable
  • Compliance validation requirements set up by merchant bank
FYIDid you know

If you do not comply with PCI standards, your business can be assessed hefty fines.

Alternatives to managing your own PCI compliance

You may be thinking that you can’t possibly do all that, but the good news is that you have another option to stay compliant. The best credit card payment processors are entirely PCI compliant. There is usually an additional fee for this, which averages $100 per year. If you opt to do it yourself and are found to be noncompliant, many credit card processors will assess you an expensive monthly PCI noncompliance fee.

PCI-compliant credit card processors

Payment processorAdded costReview
Merchant OnePCI compliance included in monthly feeMerchant One review
HelcimPCI compliance included in monthly feeHelcim review
National ProcessingSeparate PCI compliance fee ($10 per month)National Processing review
Payment DepotPCI compliance included at no extra chargePayment Depot review

Additional credit card processing regulators

The PCI Security Standards Council is the only credit card processing regulator to be aware of. Some of the rules are made by industry organizations, while others are laws made by the federal government.

Card Association Network

The Card Association Network is an industry group that comprises the four major credit card brands: Visa, Mastercard, Discover and American Express. They set and manage the interchange rates, the purchase percentage and the per-transaction amount that you pay for the ability to accept each type of card.

The interchange rate is one of the costs involved in credit card processing, the rest of which are set and paid to your credit card processing company, merchant account provider and payment gateway provider. You will not deal directly with the Card Association Network, as their interchange fees are passed down to you via your credit card processing company.

National Automated Clearinghouse Association

The National Automated Clearinghouse Association (Nacha) is the organization that governs ACH transactions and the network they use. ACH transactions include direct deposits and direct payments from bank and credit union accounts.

U.S. government

The IRS, the federal tax collection agency, has a rule requiring businesses to report credit card payments. Congress also passed a law limiting the interchange rates charged by the Card Association Network, which affects business owners.

Additional credit card processing rules and laws

Durbin Amendment

The Durbin Amendment is part of the Dodd-Frank law passed by Congress in 2010. Its purpose is to protect consumers by lowering the interchange fees on debit card transactions, which have the lowest risk of fraud and therefore, lawmakers argued, should be much less expensive than riskier transactions. On a $38 debit transaction, the interchange fee before the Durbin Amendment was around 44 cents. With the passing of the law, debit card transaction rates were capped at 22 cents per transaction plus 0.05% of the purchase price. So, for the same $38 debit transaction, the maximum interchange fee would be around 24 cents.

However, the unintended consequence is that businesses with many smaller dollar amount transactions end up paying more in fees. Before the Durbin Amendment, card issuers based their interchange rate on a sliding scale, so merchants paid lower fees for small purchases. After the Durbin Amendment, they switched to charging the maximum amount on every transaction.

IRS mandate

Since the IRS taxes business income, it wants to keep track of all incoming sales, not just those paid by cash or check. To that end, the IRS created a rule called Section 6050W, also called the IRS mandate, which requires merchant services providers to specifically report their clients’ annual gross transactions processed with a credit or debit card or third-party network to the IRS.

Businesses are required to provide their merchant services provider with their tax identification number to facilitate reporting. If you fail to do so, or if the IRS notifies the merchant services provider that there is a discrepancy between your reported income and your actual income, the merchant services provider is required to withhold tax on your future credit card revenue.


You are most likely to be affected by Nacha regulations if you have an e-commerce business, because many online businesses accept direct payments in addition to credit cards. However, any business that accepts ACH payments must abide by these rules, which include the following:

  • Using only secure web forms and encrypted email to transmit sensitive information
  • Safely storing hard copies with sensitive customer data
  • Validating customers’ routing numbers
  • Verifying customers’ identities by checking driver’s licenses using a third-party verification service, depositing test amounts into the customer’s bank account, or requiring the customer to log in with a user ID and password

A new Nacha Supplementing Data Security Rule, which went into effect in June 2021, requires businesses that process 2 million or more ACH transactions annually to encrypt payment information on their computer systems while at rest (not being transmitted to a financial institution). Businesses with fewer than 2 million ACH transactions per year are not subject to the new rule but are encouraged to comply anyway. The rule applies to both consumer and business ACH data, as well as to scanned paper authorizations with consumer payment account data.

Jennifer Dublino
Contributing Writer at
Jennifer Dublino is a prolific researcher, writer, and editor, specializing in topical, engaging, and informative content. She has written numerous e-books, slideshows, websites, landing pages, sales pages, email campaigns, blog posts, press releases and thought leadership articles. Topics include consumer financial services, home buying and finance, general business topics, health and wellness, neuroscience and neuromarketing, and B2B industrial products.
BDC Logo

Get Weekly 5-Minute Business Advice

B. newsletter is your digest of bite-sized news, thought & brand leadership, and entertainment. All in one email.

Back to top