Accepting credit cards can make a huge difference in your sales, whether you sell in person or online. For e-commerce, 90 percent of purchases are made with credit cards. And because fewer people are paying with cash when shopping in stores, credit cards are not only more convenient; they’re often the only way to pay.
However, there are several important rules and laws that you must comply with once you start accepting credit cards. Here is an overview of those rules and laws, how to comply with them, and how they affect the credit card processor you choose and your operations.
The Payment Card Industry Data Security Standard (PCI DSS) is a global data security standard required of all businesses, regardless of their size, that accept credit cards. PCI DSS and the Payment Application Data Security Standard (PA-DSS) are rules designed to reduce the incidence of credit card fraud.
Both the PCI DSS and the PA-DSS are enforced by the PCI Security Standards Council, an independent body created by the major credit card companies.
PA-DSS mandates that all point-of-sale (POS) equipment and terminals meet the PCI DSS standards. That means that if you have a POS system, most of your PCI compliance is already handled by your POS hardware.
To comply with the PCI DSS, you must follow these 12 requirements designed to protect cardholders’ data from theft via data breaches:
These 12 standards must be continually met and reported to ensure compliance.
If you have a traditional merchant account set up with a bank or independent company, you will usually be responsible for your own PCI compliance.
There are four levels of PCI compliance based on your company’s annual volume of credit card payments, and each has its own validation requirements:

- Level 1: businesses that process more than 6 million credit card transactions annually.
- Level 2: businesses that process 1 million to 6 million credit card transactions annually.
- Level 3: businesses that process 20,000 to 1 million credit card transactions annually.
- Level 4: businesses that process up to 20,000 e-commerce payments or up to 1 million payments via other channels.
If you do not comply with PCI standards, your business can face hefty fines.
You may be thinking that you can’t possibly do all that, but the good news is that you have another option to stay compliant. The best credit card payment processors are entirely PCI compliant. There is usually an additional fee for this, which averages $100 per year. If you opt to do it yourself and are found to be noncompliant, many credit card processors will assess an expensive monthly PCI noncompliance fee.
Payment processor | Added cost |
---|---|
Merchant One | PCI compliance included in monthly fee |
Helcim | PCI compliance included in monthly fee |
National Processing | Separate PCI compliance fee ($10 per month) |
Payment Depot | PCI compliance included at no extra charge |
Make sure your payment processing company is using version 4.0 of the PCI DSS; version 3.2.1 is no longer accepted as of September 2023.
The PCI Security Standards Council is not the only credit card processing regulator to be aware of. Some of the rules are made by industry organizations, while others are laws enacted by the federal government.
The Card Association Network is an industry group that comprises the four major credit card brands: Visa, Mastercard, Discover and American Express. They set and manage the interchange rates, that is, the percentage of the purchase plus the per-transaction amount that you pay for the ability to accept each type of card.
The interchange rate is one of the costs involved in credit card processing; the rest are set and paid to your credit card processing company, merchant account provider and payment gateway provider. You will not deal directly with the Card Association Network, as its interchange fees are passed down to you via your credit card processing company.
The National Automated Clearinghouse Association (Nacha) is the organization that governs ACH transactions and the network they use. ACH transactions include direct deposits and direct payments from bank and credit union accounts.
The IRS requires businesses to report credit card payments. Congress also passed a law limiting the interchange rates charged by the Card Association Network, which affects business owners.
Additional credit card processing rules and laws
In addition, business owners should be aware of the following credit card processing regulations.
The Durbin Amendment is part of the Dodd-Frank Act, passed by Congress in 2010. Its purpose is to protect consumers by lowering the interchange fees on debit card transactions, which have the lowest risk of fraud and, therefore, should be much less expensive than riskier transactions, lawmakers argued. For example, on a $38 debit transaction, the interchange fee before the Durbin Amendment was around 44 cents. With the passing of the law, debit card transaction rates were capped at 22 cents per transaction plus 0.05 percent of the purchase price. So, for the same $38 debit transaction, the maximum interchange fee would be around 24 cents.
However, the unintended consequence is that businesses with many smaller transactions end up paying more in fees. Before the Durbin Amendment, card issuers based their interchange rate on a sliding scale, so merchants paid lower fees for small purchases. After the Durbin Amendment, they switched to charging the maximum amount on every transaction.
The proposed Credit Card Competition Act of 2023 would require banks to name an additional network other than Visa or Mastercard to process credit card transactions. If passed, it would lower interchange rates for Visa and Mastercard by providing competition with other card brands.
Because the IRS taxes business income, the agency wants to keep track of all incoming sales, not just those paid by cash or check. To that end, the IRS created a rule called Section 6050W, also called the IRS mandate, which requires merchant services providers to specifically report their clients’ annual gross transactions processed with a credit or debit card or third-party network to the IRS.
Businesses are required to provide their merchant services provider with their tax identification number to facilitate reporting. If you fail to do so, or if the IRS notifies the merchant services provider that there is a discrepancy between your reported income and your actual income, the merchant services provider is required to withhold tax on your future credit card revenue.
You are most likely to be affected by Nacha regulations if you have an e-commerce business, because many online businesses accept direct payments in addition to credit cards. However, any business that accepts ACH payments must abide by these rules, which include the following:
A new Nacha Supplementing Data Security Rule, which went into effect in June 2021, requires businesses that process 2 million or more ACH transactions annually to encrypt payment information on their computer systems while at rest (not being transmitted to a financial institution). Businesses with fewer than 2 million ACH transactions per year are not subject to the new rule but are encouraged to comply anyway. The rule applies to both consumer and business ACH data, as well as to scanned paper authorizations with consumer payment account data.
In addition to the federal laws regulating credit card processing, some states impose other requirements. For example, charging consumers a surcharge to fully or partially pay for the credit card processing fee on their purchases is illegal in Connecticut, Massachusetts and Puerto Rico. In California, merchants are barred from misleading customers by hiding differences between the credit card, debit card and cash prices, including charging surcharges at the point of sale without informing customers.