Credit Card Processing Rules, Regulations, and Laws

credit card processing rules

By Rob Binns | Senior Writer | Updated: 27 March 2020

Let’s read the small print together…


Accepting credit card payments at your business opens up a lot of doors. In doing so, you’ll stand to benefit from quicker, safer payments, a more streamlined sales process, and better customer service. You’ll even attract a whole new generation of increasingly cash-phobic customers.

So prepare to get acquainted with the credit card laws your business needs to know about. Whether you’re new to accepting credit card payments, or a veteran just looking to brush up on the basics, our guide is a stress-free, jargon-free route to complete credit card compliance. Scroll on to get started, or dive into the list below to jump straight to a specific section.

What you need to know:

  • PCI DSS: safeguards cardholder data when a payment is made online
  • The Durbin Amendment: changed the fees merchants must pay in an online transaction
  • IRS Mandate (Section 6050W): Mandates the reporting of sales made with a credit or debit card to the IRS
  • PA-DSS: Ensures merchant POS (point of sale) systems are compliant

PCI Compliance

If you’ve already spent a bit of time researching different merchant services providers, you’ll have seen these three letters popping up a lot. But what do they mean?

PCI: The Basics

PCI is short for ‘Payments Card Industry’. The PCI is responsible for administering a strict set of rules, known as PCI DSS (Payments Card Industry Data Security Standards). It’s an industry-wide group of guidelines dedicated to preventing fraud.

PCI DSS was set up by the Data Security Council, a body made up of the big credit card brands, including Mastercard, Visa, American Express, and Discover.
PCI compliance

PCI DSS credit card processing laws help safeguard the cardholder’s data when a transaction takes place, and all merchants, financial institutions, payment processors, and merchant services providers are responsible for upholding them.

This is known as PCI compliance.

PCI compliance doesn’t just protect your customers, though it’ll protect your business from data breaches, and help you swerve the crippling cost of fraudulent transactions. Plus, not complying with PCI standards comes with big fines meaning it’s best to get wise to them sooner rather than later.

So how do you achieve compliance?

Did You Know?

Fines for PCI non-compliance could cost your business up to $100,000 per month and around 80% of organizations are still not compliant. Don’t be one of them!

How Do You Ensure Your Business Is PCI Compliant?

How you’ll remain PCI compliant depends largely on the type of company you’ve chosen to process your credit card payments. 

Dedicated (or traditional) merchant accounts set up with a bank or independent company may require you to take PCI compliance into your own hands. This involves validating your current data security standards by filling out a Self-Assessment Questionnaire (SAQ)

The PCI has nine different forms. Which one you must fill out is based on your transaction volume, and the method you use to accept credit card payments. It’s your job to figure out (or hire someone to figure out) which form is relevant to you, and ensure it gets completed on an annual basis.

Based on how much you’re processing, you’ll be sorted into one of four ‘levels’ of compliance. Let’s take a look:

The Four Levels of PCI Compliance

PCI Level 1

  • For businesses that process more than six million payments a year
  • Most expensive
  • Comes with hardware and software costs, plus the fees involved with training an internal auditor

Validation requirements

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or internal auditor
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

PCI Level 2

  • For businesses that process between one million and six million payments a year.

Validation requirements

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 3

  • For businesses that take between 20,000 and one million ecommerce payments annually.

Validation requirements

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 4

  • For businesses that process up to 20,000 payments a year via ecommerce…
  • … or up to one million payments via other channels

Validation requirements

  • Annual SAQ recommended
  • Quarterly network scan by ASV, if applicable
  • Compliance validation requirements set by merchant bank

Jump to: Jargon Buster

PCI: The 3-Step Process

There’s a whole other bunch of stuff involved with remaining compliant, too. 

The PCI has a list of 12 standards, from mapping out your data flows and implementing firewalls, to encrypting (and tokenizing) the transmission of sensitive cardholder information.

It’s also important to note that PCI compliance is an ongoing process; complying isn’t a one-time thing, but a constant cycle of assessment and reporting.

PCI’s ‘3-Step Process’ serves as a good guide to get going with:

ASSESS: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.

REMEDIATE: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.

REPORT: Compiling and submitting required reports to the appropriate acquiring bank and card brands.

Source: How to Secure With the PCI Data Security Standard

Basically, it’s all very complicated – particularly for small businesses just starting out. Plus, though PCI DSS sets out important standards for merchants, it’s not necessarily enough – i.e., it won’t provide adequate protection for all payment environments. Is there an easier way?

Yes, there is. That’s why we recommend opting for a payment service provider that’s completely PCI compliant

Providers such as Square, iZettle, and Heartland Payment Systems provide you with payments infrastructure that already meets the PCI’s strict standards, helping ease the burden of compliance. Sure, some merchant account providers may charge for the privilege of a PCI compliant solution, but trust us – in the long run, it’s worth it. And it’s better than a hefty fine!

As PCI expert Mike Dahn of Stripe says:

“Moving to a safer card acceptance method is a much more effective way to protect your organization. The long-standing benefit this provides is that you don’t need to rely on industry baseline standards, or worry about the potential failure of security controls. 

“This approach provides agile businesses a way to mitigate a potential data breach, and avoid the emotional, time-consuming, and costly historical approach to PCI validation.”

The bottom line? Ensure you understand exactly what your obligations are before signing a contract with a merchant services provider. Your payment service provider should always be able to talk you through which elements of PCI compliance are handled by them, and what (if anything) you’ll need to do on your end.

How do credit card processing brands remain PCI compliant?

Before selecting a credit card processing company, you should first ensure you understand exactly what PCI compliance responsibilities will be required of you, and what's handled by the provider.

Take a look at how three online payment providers approach PCI compliance below.

Square

Square’s card readers are equipped with end-to-end encryption, while Square’s handles PCI compliance for all of its software on an ongoing basis. Square also deals with the banks and credit card processing institutions on your behalf, and advocates for your business in case of disputes. Most importantly, Square’s networks, policies, and processes all adhere to PCI regulations – meaning your business’ transactions are always covered, and at no extra cost to you.

Sage Pay

Sage Pay has the highest level of PCI compliance (Level 1). While this can reduce your own compliance requirements, that doesn't mean Sage Pay will take care of PCI for you. Rather, Sage Pay recommends you speak to your merchant account provider (also known as an acquirer) to be referred to a QSA. At the very least, you’ll have to fill out an SAQ to assess your own business’ PCI requirements.

Helcim

Like Square, Helcim’s platform is completely PCI compliant. You’ll pay no PCI fees, and nothing for non-compliance, either. Better still, Helcim allows you to generate your own PCI compliance certificate at no cost, helping you to remain secure and safe in the eyes of the (credit card processing) law.


The Durbin Amendment

The Durbin Amendment, part of the Dodd-Frank law of 2010, slashed the amount that card associations were legally allowed to charge for interchange fees on debit card transactions.

The idea was to lower retailer’s costs, and ultimately drive down costs for the consumer, too. 

Interchange fees, which averaged out at around $0.44 per transaction, were slashed more or less in half, being capped at $0.22 + 5% per sale. Awesome, right?

Well… not exactly. While it drove down fees, The Durbin Amendment had unintended consequences for small businesses. Because, while the interchange rate was halved, the transaction fee was more than doubled. The result? Merchants averaging sales of $15 or less actually ended up paying more fees than they did before the Durbin Amendment came into force.

Basically, what The Durbin Amendment means for merchants is that you’ll actually stand to save money if you process a lot of card transactions, or deal mainly in higher value sales. For businesses with a lower average debit card transaction value, it may end up costing you more.

What is good, though, is that The Durbin Amendment didn’t affect smaller banks and credit unions, which got to sidestep the loss of revenue the big banks faced. This allowed smaller banks to keep fees low – ideal for new merchants looking to jumpstart their business with low credit card processing rates.

So, how much does it really cost to accept credit and debit card payments? Explore our complete guide to credit card processing fees in the US to find out.

IRS Mandate (Section 6050W)

We couldn’t get through an article about rules and regulations without mentioning the IRS (Inland Revenue Service), now could we? 

Nope. And here’s where Section 6050W comes in. According to the IRS…

“Section 6050W requires information returns to be made for each calendar year by merchant acquiring entities and third party settlement organizations with respect to payments made in settlement of payment card transactions and third party payment network transactions occurring in that calendar year.”

Bleurgh.

In plain English, this means merchants need to report their yearly gross transactions processed with a credit, debit, or co-branded card to their merchant services provider.

This is then passed along to the IRS. It’s kind of like a tax return, but for merchants accepting credit card payments.


PA-DSS

PA-DSS (Payment Application Data Security Standards) is another credit card processing law you’ll want to know about.

It’s a rule mandating that any POS (Point of Sale) equipment or terminals must meet the PCI’s set of standards.

There are two reasons why PA-DSS is good news for merchants. First, PA-DSS compliant POS equipment helps you remain PCI compliant. Second? Meeting PA-DSS standards is entirely the POS system technology supplier’s responsibility – not the merchant’s.


Next Steps

Like many of the best things in life, credit card processing comes with rules, regulations, and laws. But you shouldn’t see these as barriers to your business, or as restrictions dragging you down. Rather, they’re there to keep your business and your customers safe – to prevent fraud, reassure your patrons, and help you avoid big fines. 

It’s also important to remember that credit card processing regulations and rules aren’t just a box to be ticked, then you’re done. Nope – fraudsters are constantly evolving, so the laws have to as well. That means you’ll need to examine your own cardholder data practices on an ongoing basis, to ensure that you’re doing right by your customers.

Talk to your payment service provider about what PCI requirements – if any – fall under the scope of your business’ responsibilities. And again, if you’re in the process of choosing a merchant services provider, make sure you know exactly how PCI compliance is being handled, and what the costs involved will be.


Jargon Buster

OK, so our guide wasn’t completely jargon-free. No matter – you’ll find all the industry’s most important (and most baffling!) acronyms below.

ASV (Approved Scanning Vendor): an organization which validates DSS requirements.

PA-QSA (Payment Application Qualified Security Assessor): organizations qualified by the Council to have their employees assess compliance.

PCI (Payments Card Industry Data Security Standard): Better start again!

PFI (PCI Forensic Investigator): establishes, then maintains rules and requirements regarding PCI eligibility.

QIRs (Qualified Integrators and Resellers): provide opportunity for eligible professionals of qualifying organizations to receive training and qualifications on secure installation security.

QSA (Qualified Security Assessor): employees of an organization qualified by the Council.

SAQ (Self-Assessment Questionnaire): a checklist provided by the PCI Security Standards Council for validating your own adherence to PCI requirements.

Rob Binns
Rob Binns Senior Writer

Rob writes mainly about the payments industry, but also brings to the table industry-specific knowledge of CRM software, business loans, fulfilment, and invoice finance. When not exasperating his editor with bad puns, he can be found relaxing in a sunny (socially-distanced) corner, with a beer and a battered copy of Dostoevsky.

Now Read