Credit card processing companies, including Acquirers, Merchant Service Providers, Payment Gateways, and Payment Facilitators are regulated by a variety of credit card governing bodies. The regulation of payment processors in the USA is a joint effort between the card brands, the Payment Card Industry Data Security Standard (PCI DSS), the National Automated Clearing House (NACHA), sponsor banks, and federal and state governments.
Below we outline how each player is involved, what they regulate and, most importantly, how this information could help you spot and deal with red flags with a credit card processor.
Payment Processing Demo
Schedule 15 minutes with a payments expert
Get a customized PayJunction product walk-through
Understand requirements and pricing
Determine your SAVINGS!
Credit Card Governing Bodies and Regulators
Card Association Network (formerly Card Associations)
There are four major card brands: Visa, Mastercard, Discover and American Express. Each has its own set of rules and best practices for accepting and managing payments. They also set transaction pricing, called Interchange rates based on a variety of factors including, but not limited to, merchant industry segment, type of card presented, and if the transaction takes place in person or online. There are more than 300 Interchange rates in the US alone. Each card brand dictates the rates and regulations that credit card processing companies and merchants must abide by, and they publish updates twice a year, in April and October.
Most business owners never directly work with the networks. Your Merchant Service Provider is responsible for ensuring that you understand and follow the rules of the respective brand networks.
PCI DSS
The PCI DSS (Payment Card Industry Data Security Standards) was established by PCI SSC (Security Standards Council) made up of the major credit card brands Visa, Mastercard, Discover, JCB, and American Express. PCI DSS was created to initiate an industry-wide standard to mitigate data security breaches and related fraud. They also mandate or enforce EMV compliance or the implementation policies for issuers, merchants, and acquirers.
Any company that wants to process, store or transmit credit card data must follow the PCI DSS standards. While this typically applies to Merchant Service Providers, it can also apply to businesses or third-party vendors if their payment practices fall within PCI scope (any part of your business that directly handles or stores sensitive cardholder data is within PCI DSS scope). Any PCI issues are reported directly to the Data Security Council for review. If PCI DSS standards are not met, companies may be subject to fines of increasing severity or even, in extreme cases, lose the ability to accept credit card payments at all.
NACHA
Because most credit card processing companies also process ACH transactions, it’s important to include this regulator. NACHA manages the development, administration and governance of the ACH Network, ensures that payment processing companies are up-to-date on ACH payment requirements, and sets the ACH industry rules.
Sponsor Banks
Also called acquiring banks, these banks are members of the card brand networks and have agreements with credit card processing companies to accept deposits via credit card transactions.
Processing companies are required to report everything to their respective sponsor banks (except for PCI issues) and undergo comprehensive annual compliance audits to ensure the integrity of their card processing programs. Sponsor banks then communicate this information to the networks.
Federal and State Governments
While most of the payment industry rules are handled “in house,” there is one regulation that was established by the federal government: The Durbin Amendment. This amendment, part of the Dodd-Frank Law, requires the Federal Reserve to limit fees charged to businesses processing debit card transactions.
Some credit card acceptance practices are set by states, such as whether cash discounting or surcharging are supported. It is important to work with your Merchant Services Provider to understand these laws, especially if you operate across a regional or national footprint.
What Isn't Regulated by Governing Bodies?
While Interchange rates are set and regulated by the card brands, the actual rate—often referred to as the “discount rate”—that Merchant Services Providers charge merchants is not. Providers that offer Interchange-plus pricing associate every transaction with actual Interchange costs. However, Tiered and Flat pricing plans take a blended approach to pricing, which groups Interchange categories and generates more profit for the provider. This is the typical approach for most Payment Facilitators.
Additionally, there is no entity that owns and regulates the miscellaneous fees credit card processing companies may charge. As an industry expert and advocate for fair billing, we’ve uncovered over 7 unnecessary fees other providers commonly charge to educate businesses and empower them to reduce their payment processing costs.
Are you surprised by what is and isn’t regulated, or all of the different credit card governing bodies that exist? Ask us your questions below, or schedule a call with one of our payment experts, we would love to learn more about your business.
Interested in chatting about payment processing compliance with an expert?
Editor's Note: This post was originally published in September 2018 and has been updated for comprehensiveness and accuracy.
