Credit Card Processing Rules, Regulations, and Laws


By Rob Binns | Senior Writer | 27 March, 2020

Let’s read the small print together…

Accepting credit card payments at your business opens up a lot of doors. In doing so, you’ll stand to benefit from quicker, safer payments, a more streamlined sales process, and better customer service. You’ll even attract a whole new generation of increasingly cash-phobic customers.

There’s little room for argument. Credit card processing is a potent, powerful way of elevating your business to the next level.

Yet with great power comes great responsibility. As a merchant, you are required to know exactly what’s expected of you when it comes to the rules and regulations of the payments industry. And we won’t sugarcoat it: there are a lot of them.

So prepare to get acquainted with the credit card laws your business needs to know about. Whether you’re new to accepting credit card payments, or a veteran just looking to brush up on the basics, our guide is a stress-free, jargon-free route to complete credit card compliance. Scroll on to get started, or dive into the list below to jump straight to a specific section.

PCI Compliance

If you’ve already spent a bit of time researching different merchant services providers, you’ll have seen these three letters popping up a lot. But what do they mean?

PCI: The Basics

PCI is short for ‘Payment Card Industry’. The PCI is responsible for administering a strict set of rules, known as PCI DSS (Payment Card Industry Data Security Standard). It’s an industry-wide group of guidelines dedicated to preventing fraud.

PCI DSS was set up by the Data Security Council, a body made up of the big credit card brands, including Mastercard, Visa, American Express, and Discover.
PCI DSS credit card processing laws help safeguard the cardholder’s data when a transaction takes place, and all merchants, financial institutions, payment processors, and merchant services providers are responsible for upholding them. This is known as PCI compliance.

PCI compliance doesn’t just protect your customers, though: it’ll protect your business from data breaches, and help you swerve the crippling cost of fraudulent transactions. Plus, not complying with PCI standards comes with big fines, meaning it’s best to get wise to them sooner rather than later.

So how do you achieve compliance?

Did You Know?

Fines for PCI non-compliance could cost your business up to $100,000 per month, and around 80% of organizations are still not compliant. Don’t be one of them!

How Do You Ensure Your Business Is PCI Compliant?

How you’ll remain PCI compliant depends largely on the type of company you’ve chosen to process your credit card payments. 

Dedicated (or traditional) merchant accounts set up with a bank or independent company may require you to take PCI compliance into your own hands. This involves validating your current data security standards by filling out a Self-Assessment Questionnaire (SAQ).

The PCI has nine different forms. Which one you must fill out is based on your transaction volume, and the method you use to accept credit card payments. It’s your job to figure out (or hire someone to figure out) which form is relevant to you, and ensure it gets completed on an annual basis.

Based on how much you’re processing, you’ll be sorted into one of four ‘levels’ of compliance. Let’s take a look:

The Four Levels of PCI Compliance

PCI Level 1

Level 1 is for businesses that process more than six million payments a year, so it’s basically just for large companies. As you can imagine, this level of PCI compliance is the most expensive; it comes with extra hardware and software costs to meet the standard, plus the fees involved with training an internal auditor.

To comply, businesses must complete an annual self-assessment questionnaire, and face quarterly scans via a PCI-approved ASV (Approved Scan Vendor).

Validation requirements

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or internal auditor
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

PCI Level 2

Level 2 is for businesses processing between one million and six million payments a year. To comply, merchants must complete an annual self-assessment. They also get a quarterly ASV scan, plus an on-site assessment.

Validation requirements

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 3

Level 3 refers to businesses that take between 20,000 and one million ecommerce payments annually. Level 3 compliance involves an annual self-assessment, as well as a quarterly ASV security scan.

Validation requirements

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 4

Level 4 refers to businesses that process up to 20,000 payments a year via ecommerce, or up to one million payments via other channels.

Validation requirements

  • Annual SAQ recommended
  • Quarterly network scan by ASV, if applicable
  • Compliance validation requirements set by merchant bank


PCI: The 3-Step Process

There’s a whole other bunch of stuff involved with remaining compliant, too. 

The PCI has a list of 12 standards, from mapping out your data flows and implementing firewalls, to encrypting (and tokenizing) the transmission of sensitive cardholder information.

It’s also important to note that PCI compliance is an ongoing process; complying isn’t a one-time thing, but a constant cycle of assessment and reporting. PCI’s ‘3-Step Process’ serves as a good guide to get going with:

ASSESS: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.

REMEDIATE: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.

REPORT: Compiling and submitting required reports to the appropriate acquiring bank and card brands.

Source: How to Secure With the PCI Data Security Standard

Basically, it’s all very complicated – particularly for small businesses just starting out. Plus, though PCI DSS sets out important standards for merchants, it’s not necessarily enough – i.e., it won’t provide adequate protection for all payment environments. Is there an easier way?

Yes, there is. That’s why we recommend opting for a payment service provider that’s completely PCI compliant.

Providers such as Square, iZettle, and Heartland Payment Systems provide you with payments infrastructure that already meets the PCI’s strict standards, helping ease the burden of compliance. Sure, some merchant account providers may charge for the privilege of a PCI compliant solution, but trust us – in the long run, it’s worth it. And it’s better than a hefty fine!

As PCI expert Mike Dahn of Stripe says:

“Moving to a safer card acceptance method is a much more effective way to protect your organization. The long-standing benefit this provides is that you don’t need to rely on industry baseline standards, or worry about the potential failure of security controls. 

“This approach provides agile businesses a way to mitigate a potential data breach, and avoid the emotional, time-consuming, and costly historical approach to PCI validation.”

The bottom line? Ensure you understand exactly what your obligations are before signing a contract with a merchant services provider. Your payment service provider should always be able to talk you through which elements of PCI compliance are handled by them, and what (if anything) you’ll need to do on your end.

For ultimate ease when it comes to PCI compliance, we recommend Square.

The Durbin Amendment

The Durbin Amendment, part of the Dodd-Frank law of 2010, slashed the amount that card associations were legally allowed to charge for interchange fees on debit card transactions. The idea was to lower retailers’ costs, and ultimately drive down costs for the consumer, too.

Interchange fees, which averaged out at around $0.44 per transaction, were slashed more or less in half, being capped at $0.22 + 5% per sale. Awesome, right?

Well… not exactly. While it drove down fees, The Durbin Amendment had unintended consequences for small businesses. Because, while the interchange rate was halved, the transaction fee was more than doubled. The result? Merchants averaging sales of $15 or less actually ended up paying more fees than they did before the Durbin Amendment came into force.

Basically, what The Durbin Amendment means for merchants is that you’ll actually stand to save money if you process a lot of card transactions, or deal mainly in higher value sales. For businesses with a lower average debit card transaction value, it may end up costing you more.

What is good, though, is that The Durbin Amendment didn’t affect smaller banks and credit unions, which got to sidestep the loss of revenue the big banks faced. This allowed smaller banks to keep fees low – ideal for new merchants looking to jumpstart their business with low credit card processing rates.

So, how much does it really cost to accept credit and debit card payments? Explore our complete guide to credit card processing fees in the US to find out.

IRS Mandate (Section 6050W)

We couldn’t get through an article about rules and regulations without mentioning the IRS (Inland Revenue Service), now could we? 

Nope. And here’s where Section 6050W comes in. According to the IRS…

“Section 6050W requires information returns to be made for each calendar year by merchant acquiring entities and third party settlement organizations with respect to payments made in settlement of payment card transactions and third party payment network transactions occurring in that calendar year.”

Bleurgh. In plain English, this means merchants need to report their yearly gross transactions processed with a credit, debit, or co-branded card to their merchant services provider. This is then passed along to the IRS. It’s kind of like a tax return, but for merchants accepting credit card payments.


PA-DSS

PA-DSS (Payment Application Data Security Standards) is another credit card processing law you’ll want to know about. It’s a rule mandating that any POS (Point of Sale) equipment or terminals must meet the PCI’s set of standards.

There are two reasons why PA-DSS is good news for merchants. First, PA-DSS compliant POS equipment helps you remain PCI compliant. Second? Meeting PA-DSS standards is entirely the POS system technology supplier’s responsibility – not the merchant’s.

Next Steps

Like many of the best things in life, credit card processing comes with rules, regulations, and laws. But you shouldn’t see these as barriers to your business, or as restrictions dragging you down. Rather, they’re there to keep your business and your customers safe – to prevent fraud, reassure your patrons, and help you avoid big fines. 

It’s also important to remember that credit card processing regulations and rules aren’t just a box to be ticked, then you’re done. Nope – fraudsters are constantly evolving, so the laws have to as well. That means you’ll need to examine your own cardholder data practices on an ongoing basis, to ensure that you’re doing right by your customers.

Talk to your payment service provider about what PCI requirements – if any – fall under the scope of your business’ responsibilities. And again, if you’re in the process of choosing a merchant services provider, make sure you know exactly how PCI compliance is being handled, and what the costs involved will be.

Jargon Buster

OK, so our guide wasn’t completely jargon-free. No matter – you’ll find all the industry’s most important (and most baffling!) acronyms below.

ASV (Approved Scanning Vendor): an organization which validates DSS requirements.

PA-QSA (Payment Application Qualified Security Assessor): organizations qualified by the Council to have their employees assess compliance.

PCI (Payment Card Industry Data Security Standard): Better start again!

PFI (PCI Forensic Investigator): establishes, then maintains rules and requirements regarding PCI eligibility.

QIRs (Qualified Integrators and Resellers): provide opportunity for eligible professionals of qualifying organizations to receive training and qualifications on secure installation security.

QSA (Qualified Security Assessor): employees of an organization qualified by the Council.

SAQ (Self-Assessment Questionnaire): a checklist provided by the PCI Security Standards Council for validating your own adherence to PCI requirements.
