Accepting credit cards can make a huge difference in your sales, whether you sell in person or online. For e-commerce, 90% of purchases are made by credit card. Since fewer people pay cash when shopping in stores, using a credit card is not only more convenient, it is often the only way to pay. However, there are several important rules and laws that you must follow once you start accepting credit cards. Here’s an overview of those rules and laws, how to comply with them, and how they will affect your chosen credit card processor and your operations.

PCI Data Security Standard

What is PCI DSS?

The Payment Card Industry Data Security Standard, or PCI DSS for short, is a global data security standard required of all businesses, regardless of size, that accept credit cards. PCI DSS and the Payment Application Data Security Standard (PA-DSS) are rules designed to reduce the incidence of credit card fraud.

PCI DSS and PA-DSS are enforced by the PCI Security Standards Council, an independent body created by the four major credit card brands.


What is PA-DSS?

PA-DSS requires that all point of sale (POS) equipment and terminals comply with PCI DSS standards. This means that if you have a point of sale system, the lion’s share of your PCI compliance is already handled by your point of sale hardware.

How to ensure PCI DSS compliance

To comply with PCI DSS, you must meet 12 requirements. The purpose of these requirements is to protect cardholder data from theft through data breaches.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security settings.
  3. Protect stored data.
  4. Encrypt transmission of cardholder data over open public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Limit access to cardholder data based on business needs.
  8. Assign a unique identifier to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all staff.

These 12 standards must be continuously met and reported to ensure compliance.

Did you know? If you have a traditional merchant account opened with a bank or independent business, you will generally be responsible for your own PCI compliance.

What are the four levels of PCI compliance?

There are four PCI compliance levels based on your company’s annual credit card payment volume, each with its own validation requirements.

PCI level 1

This applies to businesses that process over 6 million credit card transactions per year.

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or internal auditor (external or in-house individuals trained and certified to review payment transaction systems and assess and validate compliance)
  • Quarterly network scan by an Approved Scanning Vendor (ASV), a company with commercial software that performs certified vulnerability scans of company systems and networks
  • Certificate of compliance form

PCI level 2

This applies to businesses that process 1 to 6 million credit card transactions per year.

  • Annual self-assessment questionnaire
  • Quarterly network scan by an ASV
  • Certificate of compliance form

PCI level 3

This applies to businesses that process 20,000 to 1 million credit card transactions per year.

  • Annual self-assessment questionnaire
  • Quarterly network scan by an ASV
  • Certificate of compliance form

PCI level 4

This applies to businesses that process up to 20,000 e-commerce payments or up to 1 million payments through other channels.

  • Annual self-assessment questionnaire recommended, but not mandatory
  • Quarterly network scan by an ASV, if applicable
  • Compliance validation requirements set by the acquiring bank

For your information: If you fail to comply with PCI standards, your business can face hefty fines.

Alternatives to managing your own PCI compliance

You might think you can’t do all of this, but the good news is that you have another option to stay compliant. The best credit card payment processors are fully PCI compliant. There is usually an additional charge for this, which averages out at $100 per year. If you choose to handle it yourself and turn out to be non-compliant, many credit card processors will charge you expensive monthly PCI non-compliance fees.

Additional credit card processing regulators

The PCI Security Standards Council is not the only credit card processing regulator you need to know about. Some of the rules are developed by industry organizations, while others are laws passed by the federal government.

Card Association Network

The Card Association Network is an industry group that includes the four major credit card brands: Visa, Mastercard, Discover and American Express. They set and manage the interchange rates, the percentage of the purchase plus the per-transaction amount you pay to be able to accept each type of card.

The interchange rate is one of the costs involved in processing credit cards, with the remainder set and paid to your credit card processing company, merchant account provider, and payment gateway provider. You will not be dealing directly with the Card Association Network, as their interchange fees are passed to you through your credit card processing company.

National Automated Clearinghouse Association

The National Automated Clearinghouse Association (Nacha) is the organization that governs ACH transactions and the network they use. ACH transactions include direct deposits and direct payments from bank and credit union accounts.

United States government

The IRS, the federal tax collection agency, has a rule requiring businesses to report credit card payments. Congress also passed legislation limiting the interchange rates charged by the Card Association Network, which affects business owners.

Additional Credit Card Processing Rules and Laws

Durbin Amendment

The Durbin Amendment is part of the Dodd-Frank Act passed by Congress in 2010. Its purpose is to protect consumers by reducing interchange fees on debit card transactions, which present the lowest risk of fraud and, therefore, according to lawmakers, should be much less expensive than riskier transactions. On a $38 debit transaction, the interchange fee before the Durbin Amendment was around 44 cents. With the passage of the law, debit card transaction rates were capped at 22 cents per transaction plus 0.05% of the purchase price. So for the same $38 debit transaction, the maximum interchange fee would be around 24 cents.

However, the unintended consequence is that companies with many smaller transactions end up paying more in fees. Prior to the Durbin Amendment, card issuers based their interchange rate on a sliding scale, so merchants paid lower fees for small purchases. After the Durbin Amendment, they moved to charging the maximum amount on each transaction.

IRS Mandate

Since the IRS taxes business income, it wants to keep track of all incoming sales, not just those paid in cash or by check. To this end, the IRS created a rule called Section 6050W, also known as the IRS Mandate, which requires merchant service providers to report to the IRS their clients’ annual gross transactions processed with a credit or debit card or through a third-party network.

Businesses are required to provide their merchant service provider with their tax identification number to facilitate reporting. If you do not, or if the IRS informs the merchant service provider that there is a discrepancy between your reported income and your actual income, the merchant service provider is required to withhold tax on your future credit card income.

Nacha Regulations

You are most likely to be affected by Nacha regulations if you have an e-commerce business, as many online businesses accept direct payments in addition to credit cards. However, any business that accepts ACH payments must adhere to these rules, which include the following:

  • Use only secure web forms and encrypted emails to transmit sensitive information
  • Securely store hard copies containing sensitive customer data
  • Validate customer routing numbers
  • Verify customer identity by checking driver’s licenses through a third-party verification service, depositing test amounts into the customer’s bank account, or having the customer log in with a username and password

A new Nacha supplemental data security rule, which took effect in June 2021, requires companies that process 2 million or more ACH transactions per year to encrypt payment information at rest on their IT systems (i.e., when it is not being transmitted to a financial institution). Businesses with fewer than 2 million ACH transactions per year are not subject to the new rule but are encouraged to comply anyway. The rule applies to both consumer and business ACH data, as well as scanned paper authorizations containing consumer payment account data.