Payments Compliance Guide for Merchants

February 17, 2022


Modern payment solutions allow merchants to reach target markets, expand into new regions, and accept payments from anywhere in the world more easily than ever before.

When selling products and services online, businesses must comply with numerous local and international payment processing regulations and data protection laws.

Merchants need to work with payment service providers, banks, and card networks to ensure that their business practices and technical solutions meet all relevant rules and standards.

Learn about essential payment compliance regulations and how they impact your business.


Payments Compliance and Merchants

Laws, regulations, and payment industry standards prevent illegal activities and protect sensitive customer data. They also define the rights and obligations of the participants in the payment process.

Depending on the payment processing rule or regulation in question, merchants may be required to:

  • Hire additional technical and administrative staff.
  • Buy sophisticated software solutions.
  • Implement new payment authentication methods and tools.
  • Introduce robust data protection policies.
  • Redesign websites or even revise their business model.

Business owners often see these requirements as unnecessary red tape that stifles innovation and increases operating costs. However, online payments are associated with many risks, and a well-regulated payments industry is a prerequisite for a predictable and safe business environment.

Payment Processing Compliance Regulations

The regulations and standards merchants need to comply with depend on the country or region where their business is registered. Other important factors include:

  • The location of the customer's bank (issuer).
  • The location of the merchant's bank (acquirer).
  • The payment methods the merchant wants to accept.
  • The types of products and services they sell.

New regulations are introduced all the time, while existing regulations are continuously updated and revised. Merchants would struggle to keep track of and meet all compliance requirements without support from banks, PSPs, and card brands.

Using the services of a payment processor helps merchants reduce their exposure to regulatory requirements and decreases overhead costs associated with payment compliance.

Note: This article provides a high-level overview of payment compliance regulations. It is not intended to serve as a comprehensive guide for complying with the listed regulations.

PCI Compliance

Organizations that collect, handle, or store cardholder information must follow payment card industry (PCI) data security standards (DSS).

PCI DSS is a comprehensive set of operational and technical guidelines for protecting card owners and card issuers from data theft and different types of payment fraud.

Different types of cardholder data.

Businesses that do not meet the 12 PCI DSS requirements and do not pass a compliance assessment cannot process major debit or credit card brand transactions.

Merchants need to choose a payment processor that meets all PCI requirements. Those who have a processing account with a payment service provider (PSP) often do not handle cardholder or authentication data. The customer completes the payment on a hosted payment page located on the PSP's servers.

Payment Services Directive (PSD2)

The Revised Payment Services Directive, or PSD2, is a legal act that regulates electronic payments in the European Economic Area (EEA).

EU regulators instituted PSD2 to:

  • Make electronic payments more secure - Banks and other payment card issuers in the EEA must use Strong Customer Authentication (SCA) to verify the customer's identity before approving a transaction. Certain transactions like small-amount payments, recurring transactions, and corporate transfers are exempt from SCA.
  • Encourage innovation in the financial and payments industry - Financial institutions are required to give third-party providers (TPPs) access to their APIs and share customer financial data. Fintech companies like Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) can use this data to develop automated solutions and deliver innovative financial services to customers.
  • Give customers more say on how their data is used - Customers have the right to choose which TPPs have access to their data, to what extent, and how that data is going to be utilized.

PSD2 has a far-reaching effect on European card issuers, customers, and businesses.

Strong Customer Authentication (SCA)

Multi-factor authentication is one of the most effective ways to counter payment fraud and protect customer data integrity. Strong Customer Authentication is also an essential PSD2 requirement.

When making a payment, customers are required to confirm their identity by providing at least two authentication factors. In general, each factor needs to be obtained from one of three different categories:

  • Knowledge - Information known only to the customer. Usually, the customer is asked to enter a PIN or one-time password.
  • Inherence - A physical trait unique to the customer. This includes advanced biometric solutions such as fingerprint and retina scans, voice recognition, etc.
  • Possession - Typically, this is the item the customer uses to initiate the payment, such as a payment card, smart device, USB token, etc.

Implementing SCA improves website security, but it can also disrupt the payment flow.

The decision to implement an SCA solution depends on where your business is registered and if you plan to sell products and services on the European market.

European merchants who want to accept card payments from EU customers are required to support multi-factor authentication in their payment flows.

Non-European merchants are not required to adopt SCA but are strongly encouraged to do so. The number of countries introducing SCA rules and regulations is increasing, while more and more banks are starting to take the initiative and use SCA to verify high-risk transactions.

3D Secure

The 3D Secure protocol is not a prerequisite for accepting online payments. However, it is a cost-effective and easy-to-implement SCA method.

Established PSPs offer payment forms with built-in 3DS authentication as part of their service.

Merchants who want to accept credit card payments from EU customers can implement 3DS as their SCA solution.

Typically, a payment flow that includes 3DS authentication asks customers to enter a one-time password (OTP) to confirm their identity. For example:

  1. A customer enters their payment details on the payment form.
  2. If 3DS authentication is required, a pop-up screen appears and asks the customer to enter an OTP.
  3. The OTP is delivered to the phone number connected with the customer’s bank account. The OTP is valid only for a limited period and cannot be used for other transactions.
  4. Once the customer enters the OTP, the customer's bank approves or denies the transaction based on SCA results.
  5. The transaction is approved only if the OTP is correct.

3DS is a strong customer authentication method because customers need to enter their card details (knowledge) and have access to the SIM card associated with their phone number to receive an OTP (possession).


KYC and KYB

Know Your Customer (KYC) and Know Your Business (KYB) regulations compel financial institutions to establish the identity of their clients.

KYB and KYC processes aim to prevent money laundering, tax evasion, identity theft, and other financial fraud.

Organizations that provide business-to-business (B2B) services need to perform due diligence and confirm the identity of the company's owner or legal representative before accepting their business.

KYC compliance is essential for financial institutions.

Merchants usually encounter KYB or KYC when opening a bank account or a merchant account with a payment service provider. PSPs must follow and fulfill KYB and KYC requirements during onboarding and ask merchants to provide valid documentation to prove their identity.

The acceptable forms of identification typically include:

  • The business owner's or legal representative's ID or passport.
  • A business license or articles of incorporation.
  • Tax returns.
  • Other documents that prove that the business is registered with a government agency.

Merchants who sell products and services to the general public, like ecommerce merchants, authenticate customers during the payment process. Customers do not need to go through an additional KYC process.


GDPR

The General Data Protection Regulation (GDPR) is an EU data security and privacy law. GDPR grants EU citizens and residents extensive privacy rights, introduces strict rules for organizations that collect personal data, and imposes penalties for non-compliance with those rules.

GDPR does not apply only to businesses from the EU. Regardless of where it is headquartered, a company that offers goods and services to customers in the EU or collects and handles data that belongs to EU citizens must meet GDPR requirements.

Key elements of GDPR.

Among other requirements, GDPR compels businesses to clearly, concisely, and accurately state which data they plan to collect and how that data will be utilized. Customers need to understand what they are consenting to before they agree to share their personal information.

Merchants should keep in mind that customers who feel that their data is not being handled according to GDPR may submit a formal complaint to the EU Information Commissioner's Office (ICO).

Note: Learn more about GDPR by referring to our article GDPR and Online Payments.


CCPA

The California Consumer Privacy Act (CCPA) is a state law that imposes privacy and data protection rules for businesses that collect data from California residents.

CCPA requires businesses to inform customers about what personal data is being collected, how it is being used, and to what extent it is going to be shared with third parties.

This law only applies to large organizations that handle substantial volumes of customer data:

  • The organization collects, sells, or purchases personal information from more than 50,000 customers.
  • It has annual gross revenue of over 25 million dollars.
  • More than half of the company's annual revenue comes from selling personal customer data.

CCPA gives Californians more control over their personal information. For example, they have the right to opt out of the sale of their data or request the data be deleted.

Businesses cannot discriminate or penalize customers for exercising their CCPA rights.


Nacha

Nacha (National Automated Clearing House Association) is a US-based association that regulates account-to-account transfers initiated through the ACH network. ACH payment processing is considered to be an exceptionally reliable and safe electronic payment method.

Businesses and government institutions use ACH transfers to directly deposit funds to an individual's bank account. Customers can choose to pay for products and services by making direct one-time or recurring ACH payments to the merchant's bank account.

High-level overview of ACH payment flow.

Nacha Operating Rules and Guidelines are rigorous, extensive, and continuously updated. Organizations that accept ACH payments need to secure customer bank information in a way that complies with US customer data protection and privacy laws.

Opening a processing account with a PSP that accepts ACH payments is the fastest way to comply with Nacha requirements.

When choosing a payment gateway, search for a solution that has multiple payment methods, in addition to ACH, on the same payment form.

AML Laws and Regulations

Individuals who sell illegal goods or engage in corruption, tax evasion, and other criminal activities try to hide the origin of their income by injecting their earnings into legal financial flows.

Financial institutions must comply with AML (Anti-Money Laundering) laws and regulations to detect funds obtained from criminal activities and prevent them from entering the financial system.

Companies that handle sizeable one-time transactions or a large volume of small individual payments are at a higher risk of being a target for money laundering schemes. Industries that need to perform AML checks include real estate sales, gaming/gambling websites, casinos, insurance companies, payment service providers, etc.

Ecommerce merchants using a third-party payment processor are not required to conduct AML checks. This is the responsibility of banks and payment processors, who utilize internal, national, and international databases and systems to scrutinize businesses and individuals.

Fiscal Compliance and Tax Regulations

Governments enforce taxation to fund public spending and provide essential public services. However, tax policies vary depending on region, country, or even state.

Consumption and sales taxes are a part of doing business. Merchants need to devote time and resources to understanding and complying with tax regulations in their target markets.

Using the services of a PSP, third-party ecommerce solution, or ecommerce accounting platform helps merchants comply with relevant tax rules and file appropriate documentation.

Payment service providers in the United States must report transaction information to the Internal Revenue Service (IRS). For example, CCBill files Form 1099-K for US merchants that sell products and services using CCBill's payment solutions.

The form is automatically filed for merchants who meet the following criteria:

  • They are based in the United States.
  • The annual gross processing volume is in excess of $20,000.
  • They have more than 200 transactions in a given tax year.

Many countries in Europe and Asia use the Value Added Tax (VAT) system. VAT is a consumption tax imposed on B2C (business-to-customer) transactions. The tax is ultimately paid by the end customer, who typically sees the final product price with the VAT already included.

An example of a receipt with VAT included.

Every country has its own VAT rate and specific exceptions to that rate. Merchants may find it challenging to keep track of different rates across several countries without utilizing an automated solution.


Running an online business and meeting all technical and regulatory requirements in a global environment is an immense challenge.

Learning about various laws and regulations is only the first step. Most merchants need assistance to implement the best authentication tools, password policies, and solutions that protect against cyber threats.

Opening a merchant account with a PSP is a quick and straightforward way to comply with most requirements and saves both time and money.

About the author
Vladimir Kaplarevic
Vladimir is a resident Tech Writer at CCBill. He has more than 8 years of experience in implementing e-commerce and online payment solutions with various global IT services providers. His engaging writing style provides practical advice and aims to spark curiosity for innovative technologies.