Credit card processing companies, including Acquirers, Merchant Service Providers, Payment Gateways, and Payment Facilitators, are regulated by a variety of organizations and regulatory bodies. The Card Brands, the Payment Card Industry Data Security Standard (PCI DSS), the National Automated Clearing House (NACHA), sponsor banks, and federal and state governments all play a role in overseeing the credit card processing standards.
Below we outline how each player is involved, what they regulate and, most importantly, how to spot unethical practices from some providers.
Credit Card Processing Company Regulators
Card Association Network (formerly Card Associations)
There are four major Card Brands: Visa, Mastercard, Discover and American Express. Each has its own set of rules and best practices for accepting and managing payments. They also set transaction pricing, called Interchange rates, based on a variety of factors including, but not limited to, merchant industry segment, type of card presented, and whether the transaction takes place in person or online. There are more than 300 Interchange rates in the US alone. Each Card Brand dictates the rates and regulations that credit card processing companies and merchants must abide by, and they publish updates twice a year, in April and October.
Most business owners never directly work with the networks. Your Merchant Service Provider is responsible for ensuring that you understand and follow the rules of the respective brand networks.
The PCI DSS was established by the Data Security Council, which is also made up of major credit card brands including Visa, Mastercard, Discover and American Express. PCI DSS was created to initiate an industry-wide standard to mitigate data security breaches and related fraud. They also mandate or enforce EMV compliance or the implementation policies for issuers, merchants, and acquirers.
Any company that wants to process, store or transmit credit card data must follow the PCI DSS standards. While this typically applies to Merchant Service Providers, it can also apply to businesses or third-party vendors if their payment practices fall within PCI scope. Any PCI issues are reported directly to the Data Security Council for review.
Because most credit card processing companies also process ACH transactions, it’s important to include NACHA among the regulators. NACHA manages the development, administration and governance of the ACH Network, ensures that payment processing companies are up-to-date on ACH payment requirements, and sets the ACH industry rules.
Sponsor banks, also called acquiring banks, are members of the Card Brand Networks and have agreements with credit card processing companies to accept deposits via credit card transactions.
Processing companies are required to report everything to their respective sponsor banks (except for PCI issues) and undergo comprehensive annual compliance audits to ensure the integrity of their card processing programs. Sponsor banks then communicate this information to the networks.
Federal and State Governments
While most of the payment industry rules are handled “in house,” there is one regulation that was established by the federal government: the Durbin Amendment. This amendment, part of the Dodd-Frank Law, requires the Federal Reserve to limit fees charged to businesses processing debit card transactions.
Some credit card acceptance practices are set by states, such as whether cash discounting or surcharging is supported. It is important to work with your Merchant Services Provider to understand these laws, especially if you operate across a regional or national footprint.
What Isn’t Regulated?
While Interchange rates are set and regulated by the Card Brands, the actual rate—often referred to as the “discount rate”—that Merchant Services Providers charge merchants is not. Providers that offer Interchange-plus pricing associate every transaction with actual Interchange costs. However, Tiered and Flat pricing plans take a blended approach to pricing, which groups Interchange categories and generates more profit for the provider. This is the typical approach for most Payment Facilitators.
Additionally, there is no entity that owns and regulates the miscellaneous fees credit card processing companies may charge. As an industry expert and advocate for fair billing, we’ve uncovered over 20 unnecessary fees that other providers commonly charge, in order to educate businesses that process credit cards.
Were you surprised by what is and isn’t regulated? Ask us your questions below; we’re happy to answer them.
Editor's Note: This post was originally published in September 2018 and has been updated for comprehensiveness and accuracy.