Proper regulation of credit card processing is incredibly important, especially because accepting credit card payments requires handling sensitive customer data that is a constant target for malicious parties. This data needs to be carefully protected, which is why credit card processing companies, including Acquirers, Merchant Service Providers, Payment Gateways, and Payment Facilitators, are all regulated by a variety of credit card governing bodies.
Currently, the regulation of payment processors in the USA is a joint effort between the card brands, the Payment Card Industry Data Security Standard (PCI DSS), the National Automated Clearing House (NACHA), sponsor banks, and federal and state governments. Below we outline how each player is involved, what they regulate, and, most importantly, how this information could help you spot red flags with credit card processors and ensure compliance if you are responsible for processing credit card payments.
Credit Card Payment Governing Bodies and Regulators
Card Association Network (formerly Card Associations)
There are four major card brands: Visa, Mastercard, Discover and American Express. Each has its own set of rules and best practices for accepting and managing payments. These major credit card companies also set transaction pricing, called Interchange rates, based on a variety of factors including, but not limited to, merchant industry segment, type of card presented, and whether the financial transaction takes place in person or online. There are more than 300 interchange rates in the US alone. Each card brand dictates the rates and regulations that credit card processing companies and merchants must abide by, and each publishes updates twice a year, in April and October.
Most business owners never directly work with the networks. Your Payment Service Provider is responsible for ensuring that you understand and follow the rules of the respective brand networks.
PCI DSS
The PCI DSS (Payment Card Industry Data Security Standard) was established by the PCI SSC (Security Standards Council), which is made up of the major credit card brands Visa, Mastercard, Discover, JCB, and American Express. PCI DSS was created as an industry-wide standard to mitigate data security breaches and related fraud. The council also mandates EMV compliance and sets the related implementation policies for issuers, merchants, and acquirers.
Any company that wants to process, store or transmit credit card data must follow PCI DSS standards. While this typically applies to Merchant Service Providers, it can also apply to businesses or third-party vendors if their payment practices fall within PCI scope (any part of your business that directly handles or stores sensitive cardholder data is within PCI DSS scope). Any PCI DSS compliance issues are reported directly to the Data Security Council for review. If PCI compliance standards are not met, companies may be subject to fines of increasing severity or even, in extreme cases, lose the ability to accept credit card payments at all.
NACHA
Because most credit card processing companies also process ACH transactions, it’s important to include this regulator. NACHA manages the development, administration and governance of the ACH Network, ensures that payment processing companies are up-to-date on ACH payment requirements, and sets the ACH industry rules.
Sponsor Banks
Also called acquiring banks, these banks are members of the card brand networks and have agreements with credit card processing companies to accept deposits via credit card transactions.
Processing companies are required to report everything to their respective sponsor banks (except for PCI issues) and undergo comprehensive annual compliance audits to ensure the integrity of their card processing programs. Sponsor banks then communicate this information to the networks.
Federal and State Governments
While most of the payment industry rules are handled “in house,” there is one regulation that was established by the federal government: the Durbin Amendment. This amendment, part of the Dodd-Frank Act, requires the Federal Reserve to limit the fees charged to businesses processing debit card transactions.
Some credit card acceptance practices are set by states, such as whether cash discounting or surcharging are supported. It is important to work with your Merchant Services Provider to understand these laws, especially if you operate across a regional or national footprint.
What Isn't Regulated by Governing Bodies?
While interchange rates are set and regulated by the card brands, the actual rate—often referred to as the “discount rate”—that Merchant Services Providers charge merchants is not. Providers that offer Interchange-plus pricing associate every transaction with actual Interchange costs. However, Tiered and Flat pricing plans take a blended approach to pricing, which groups Interchange categories and generates more profit for the provider. This is the typical approach for most Payment Facilitators.
Additionally, there is no entity that owns and regulates the miscellaneous fees credit card processing companies may charge. As an industry expert and advocate for fair billing, we've uncovered over 7 unnecessary fees other providers commonly charge to educate businesses and empower them to reduce their credit card payment processing costs.
Why Regulations Matter: Cardholder Data Protection and Business Reputation
Financial institutions and payment processors are responsible for safeguarding cardholder data by maintaining secure systems at every point of the payment transaction lifecycle. Protecting cardholder data requires strict adherence to security protocols, many of which are outlined by the PCI DSS framework.
Card Industry Data Security Basics
Many safeguards exist to protect cardholder data and fill the diverse security and compliance needs of various payment entities. A few of the most common technologies and processes that responsible financial institutions and merchants currently use include:
- End-to-End Encryption (E2EE): Encrypting payment data from the point of sale all the way to the payment processor ensures sensitive information is unreadable even if intercepted.
- Tokenization: Replacing cardholder data with unique, random tokens minimizes the storage of sensitive information within merchant systems.
- Regular Security Testing and Monitoring: Ongoing vulnerability scans, penetration testing, and network monitoring help institutions detect and prevent potential breaches before they occur.
- Limited Data Retention: Only storing necessary data for the minimum time required reduces exposure in the event of a security incident.
- Staff Training and Secure Access Controls: Ensuring employees understand security best practices and limiting access to sensitive data for only essential personnel further tightens data protection.
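To make the tokenization and limited-retention points concrete, here is an added example (not PayJunction's code or any processor's actual implementation) of a minimal token vault in Python. The in-memory dictionary stands in for the processor-side vault a real system would keep behind a hardened service; the card number used is the well-known 4111 1111 1111 1111 test PAN, and the retention window is a constructed value. A merchant system in this model only ever stores the token and the masked PAN, never the full card number.

```python
"""Minimal tokenization vault (added example, not a production design).

Illustrates three safeguards from the list above:
  * tokenization: the merchant keeps a random token, not the PAN;
  * masking: anything displayed shows at most first 6 + last 4 digits;
  * limited retention: vault entries are purged after a retention window.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check the card brands use for PAN format validation."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first 6 and last 4 digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """Stand-in for the processor-side vault (assumed, in-memory).

    Merchant systems never see the token -> PAN mapping; they receive only
    the token and the masked PAN and use the token for later charges.
    """
    retention_seconds: float
    _store: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def tokenize(self, pan: str, now: Optional[float] = None) -> dict:
        """Validate the PAN, store it in the vault, return a merchant-safe record."""
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        now = time.time() if now is None else now
        # Random token: no mathematical relationship to the PAN, so a leaked
        # token database reveals nothing about card numbers.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (pan, now)
        return {"token": token, "masked_pan": mask_pan(pan)}

    def detokenize(self, token: str) -> str:
        """Vault-only operation: resolve a token back to the PAN for settlement."""
        pan, _created = self._store[token]
        return pan

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Limited data retention: drop entries older than the retention window."""
        now = time.time() if now is None else now
        expired = [t for t, (_, ts) in self._store.items()
                   if now - ts > self.retention_seconds]
        for t in expired:
            del self._store[t]
        return len(expired)


if __name__ == "__main__":
    vault = TokenVault(retention_seconds=60)
    record = vault.tokenize("4111111111111111")   # constructed test PAN
    print("merchant stores:", record)
    print("vault resolves:", mask_pan(vault.detokenize(record["token"])))
```

The merchant-side record returned by `tokenize` is what an application would persist; `detokenize` exists only inside the vault boundary, which is what keeps the merchant's systems out of the part of PCI scope that handles full card numbers.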
Failure to implement these security measures can have devastating consequences. Data breaches not only expose cardholder information, but also result in heavy fines, reputational damage, loss of customer trust, and, in severe cases, the revocation of the ability to process card payments altogether. Even a single breach can cost businesses millions of dollars in direct and indirect expenses.
At the heart of it all, maintaining compliance and investing in strong security practices isn’t just about checking a box: it’s about protecting your customers, your reputation, and your business’s future.
Understanding the Compliance Process for Credit Card Transactions
PCI compliance is one of the most important, and most complicated, compliance processes for many merchants. This is because PCI DSS compliance for credit card transactions is not a one-time event; it is an ongoing process that ensures businesses securely accept and handle card payments according to industry regulations. Here's an overview of what the compliance process typically involves:
- Assessment: Businesses determine their PCI DSS compliance level based on annual transaction volume, which defines their requirements.
- Self-Assessment Questionnaire (SAQ): Most businesses complete an annual SAQ to review their payment security practices. The version used depends on how payments are processed.
- Security Scans: Some businesses must undergo quarterly vulnerability scans and annual penetration tests to ensure systems are secure.
- Remediation and Reporting: Any security issues must be promptly addressed. Businesses then submit their SAQ and compliance documents to their sponsor bank or payment processor.
- Ongoing Monitoring: Compliance requires continuous attention, including updating systems, monitoring for threats, and maintaining strong security practices year-round.
PCI non-compliance can be costly. In the event of a data breach, businesses found to be non-compliant can face fines, higher financial transaction fees, loss of processing privileges, and irreparable reputational harm. Working with a payment service provider that offers proactive PCI assistance, free PCI tools, and secure technology that supports your efforts to protect cardholder data can make a huge difference. A true payment partner will help your business protect credit card data and maintain your ability to accept credit card payments with confidence.
Red Flags to Watch for With Credit Card Processors
Choosing the right payment processor isn’t just about pricing: it’s about trust, compliance, and long-term support. Unfortunately, some providers engage in practices that can harm your business. Here are key red flags to watch for when evaluating payment processors or working with a payment service provider:
- Unethical Billing Practices: Look out for hidden fees, sudden rate increases, non-transparent pricing models (especially tiered or bundled pricing), and penalties for contract termination. Ethical providers will offer clear, written explanations of all fees upfront.
- Lack of Compliance Support: A reliable processor should proactively help your business stay PCI DSS compliant, including offering secure payment solutions, PCI toolkits, and expert guidance. If a provider downplays compliance or leaves you to navigate it alone, it’s a major warning sign.
- Poor Customer Support: Payment issues can happen anytime, and delays can cost you customers. Make sure your provider offers fast and knowledgeable support; ideally, a representative should be reachable in less than a minute so that serious issues are handled quickly. If you experience repeated trouble reaching support or resolving issues, it’s time to reconsider your partner.
- Non-Disclosure of Contract Terms: If the provider won’t provide complete contract terms before signing, or if they pressure you into multi-year agreements with heavy early termination fees, it’s best to walk away.
- No Regular Compliance Audits: Reputable payment processors submit to annual audits by sponsor banks and industry regulators. If a provider cannot verify that they complete regular compliance checks, they may be exposing you to serious risk.
By being aware of these red flags, you can better protect your business from costly mistakes, unexpected fees, or even compliance violations that could lead to larger problems down the road.
Are you surprised by what is and isn't regulated when it comes to credit card payments, or by all of the different credit card governing bodies that exist? Ask us your questions below, or schedule a call with one of our payment experts; we would love to learn more about your business.
Editor's Note: This post was originally published in September 2018 and has been updated for comprehensiveness and accuracy.