Accepting credit cards can make a huge difference in your sales, whether you sell in person or online. For e-commerce, 90% of purchases are made with credit cards. Since fewer people are paying with cash when shopping in stores, using a credit card is not only more convenient, it is oftentimes the only way to pay. However, there are several important rules and laws that you need to comply with once you start accepting credit cards. Here is an overview of those rules and laws, how to comply with them, and how they will affect the credit card processor you choose and your operations.
The Payment Card Industry Data Security Standard, or PCI DSS for short, is a global data security standard required of all businesses, regardless of size, that accept credit cards. PCI DSS and the Payment Application Data Security Standard (PA-DSS) are rules designed to reduce the incidence of credit card fraud.
Both the PCI DSS and PA-DSS are enforced by the PCI Security Standards Council, an independent body created by the four major credit card brands.
PA-DSS mandates that all point-of-sale (POS) equipment and terminals meet the PCI DSS standards. That means that if you have a POS system, the lion’s share of your PCI compliance is already handled by your POS hardware.
To comply with the PCI DSS, you must follow 12 requirements. The goal of those requirements is to protect the cardholder data from theft via data breaches.
These 12 standards must be continually met and reported to ensure compliance.
If you have a traditional merchant account set up with a bank or independent company, you will usually be responsible for your own PCI compliance.
There are four levels of PCI compliance based on your company’s annual volume of credit card payments, each with its own validation requirements.
Level 1: This applies to businesses that process more than 6 million credit card transactions annually.
Level 2: This applies to businesses that process 1 million to 6 million credit card transactions annually.
Level 3: This applies to businesses that process 20,000 to 1 million credit card transactions annually.
Level 4: This applies to businesses that process up to 20,000 e-commerce payments or up to 1 million payments via other channels.
If you do not comply with PCI standards, your business can be assessed hefty fines.
You may be thinking that you can’t possibly do all that, but the good news is that you have another option to stay compliant. The best credit card payment processors are entirely PCI compliant. There is usually an additional fee for this, which averages $100 per year. If you opt to do it yourself and are found to be noncompliant, many credit card processors will assess you an expensive monthly PCI noncompliance fee.
| Payment processor | Added cost | Review |
| --- | --- | --- |
| Merchant One | PCI compliance included in monthly fee | Merchant One review |
| Helcim | PCI compliance included in monthly fee | Helcim review |
| National Processing | Separate PCI compliance fee ($10 per month) | National Processing review |
| Payment Depot | PCI compliance included at no extra charge | Payment Depot review |
The PCI Security Standards Council is not the only credit card processing regulator to be aware of. Some of the rules are set by industry organizations, while others are laws passed by the federal government.
The Card Association Network is an industry group made up of the four major credit card brands: Visa, Mastercard, Discover and American Express. It sets and manages the interchange rates, that is, the percentage of each purchase plus the per-transaction amount that you pay for the ability to accept each type of card.
The interchange rate is one of the costs involved in credit card processing, the rest of which are set and paid to your credit card processing company, merchant account provider and payment gateway provider. You will not deal directly with the Card Association Network, as their interchange fees are passed down to you via your credit card processing company.
The National Automated Clearinghouse Association (Nacha) is the organization that governs ACH transactions and the network they use. ACH transactions include direct deposits and direct payments from bank and credit union accounts.
The IRS, the federal tax collection agency, has a rule requiring businesses to report credit card payments. Congress also passed a law limiting the interchange rates charged by the Card Association Network, which affects business owners.
The Durbin Amendment is part of the Dodd-Frank law passed by Congress in 2010. Its purpose is to protect consumers by lowering the interchange fees on debit card transactions, which have the lowest risk of fraud and therefore, lawmakers argued, should be much less expensive than riskier transactions. On a $38 debit transaction, the interchange fee before the Durbin Amendment was around 44 cents. With the passing of the law, debit card transaction rates were capped at 22 cents per transaction plus 0.05% of the purchase price. So, for the same $38 debit transaction, the maximum interchange fee would be around 24 cents.
However, the unintended consequence is that businesses with many smaller dollar amount transactions end up paying more in fees. Before the Durbin Amendment, card issuers based their interchange rate on a sliding scale, so merchants paid lower fees for small purchases. After the Durbin Amendment, they switched to charging the maximum amount on every transaction.
Since the IRS taxes business income, it wants to keep track of all incoming sales, not just those paid by cash or check. To that end, the IRS created a rule called Section 6050W, also called the IRS mandate, which requires merchant services providers to specifically report their clients’ annual gross transactions processed with a credit or debit card or third-party network to the IRS.
Businesses are required to provide their merchant services provider with their tax identification number to facilitate reporting. If you fail to do so, or if the IRS notifies the merchant services provider that there is a discrepancy between your reported income and your actual income, the merchant services provider is required to withhold tax on your future credit card revenue.
You are most likely to be affected by Nacha regulations if you have an e-commerce business, because many online businesses accept direct payments in addition to credit cards. However, any business that accepts ACH payments must abide by these rules, which include the following:
A new Nacha Supplementing Data Security Rule, which went into effect in June 2021, requires businesses that process 2 million or more ACH transactions annually to encrypt payment information on their computer systems while at rest (not being transmitted to a financial institution). Businesses with fewer than 2 million ACH transactions per year are not subject to the new rule but are encouraged to comply anyway. The rule applies to both consumer and business ACH data, as well as to scanned paper authorizations with consumer payment account data.