Credit Card Payment Processing Rules and Laws You Need to Know About

PCI Data Security Standard

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global data security standard required of all businesses, regardless of their size, that accept credit cards. PCI DSS and the Payment Application Data Security Standard (PA-DSS) are rules designed to reduce the incidence of credit card fraud.

Both the PCI DSS and the PA-DSS are enforced by the PCI Security Standards Council, an independent body created by the major credit card companies.

Editor’s note: Looking for the right credit card processor for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.

What is PA-DSS?

PA-DSS mandates that all point-of-sale (POS) equipment and terminals meet the PCI DSS standards. That means that if you have a POS system, most of your PCI compliance is already handled by your POS hardware. [Read related: The Best POS Systems]

How to ensure PCI DSS compliance

To comply with the PCI DSS, you must follow these 12 requirements designed to protect cardholders’ data from theft via data breaches: 

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt the transmission of cardholder data across open, public networks.
5. Use and regularly update top antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data on a business need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain, publish and enforce a policy that addresses information security for all personnel.

These 12 standards must be continually met and reported to ensure compliance.

What are the four levels of PCI compliance?

There are four levels of PCI compliance based on your company’s annual volume of credit card payments, and each has its own validation requirements.

PCI Level 1

This applies to businesses that process more than 6 million credit card transactions annually.

• Annual report on compliance by a Qualified Security Assessor or internal auditor (external or internal trained individuals certified to review payment transaction systems and assess and validate compliance)
• Quarterly network scan by an Approved Scanning Vendor (ASV), a company with commercial software that analyzes and performs certified vulnerability scans on business systems and networks
• Attestation of Compliance form

PCI Level 2

This applies to businesses that process 1 million to 6 million credit card transactions annually.

• Annual self-assessment questionnaire
• Quarter network scan by an ASV
• Attestation of Compliance form 

PCI Level 3

This applies to businesses that process 20,000 to 1 million credit card transactions annually.

• Annual self-assessment questionnaire
• Quarter network scan by an ASV
• Attestation of Compliance form

PCI Level 4

This applies to businesses that process up to 20,000 e-commerce payments or up to 1 million payments via other channels.

• Annual self-assessment questionnaire recommended but not required
• Quarter network scan by an ASV, if applicable
• Compliance validation requirements set up by a merchant bank

Alternatives to managing your own PCI compliance

You may be thinking that you can’t possibly do all that, but the good news is that you have another option to stay compliant. The best credit card payment processors are entirely PCI compliant. There is usually an additional fee for this, which averages $100 per year. If you opt to do it yourself and are found to be noncompliant, many credit card processors will assess an expensive monthly PCI noncompliance fee.

PCI-compliant credit card processors

Additional credit card processing regulators

The PCI Security Standards Council is the only credit card processing regulator to be aware of. Some of the rules are made by industry organizations, while others are laws enacted by the federal government.

Card Association Network

The Card Association Network is an industry group that comprises the four major credit card brands: Visa, Mastercard, Discover and American Express. They set and manage the interchange rates, the purchase percentage and the per-transaction amount that you pay for the ability to accept each type of card.

The interchange rate is one of the costs involved in credit card processing; the rest are set and paid to your credit card processing company, merchant account provider and payment gateway provider. You will not deal directly with the Card Association Network, as its interchange fees are passed down to you via your credit card processing company.

National Automated Clearinghouse Association

The National Automated Clearinghouse Association (Nacha) is the organization that governs ACH transactions and the network they use. ACH transactions include direct deposits and direct payments from bank and credit union accounts.

U.S. government

The IRS requires businesses to report credit card payments. Congress also passed a law limiting the interchange rates charged by the Card Association Network, which affects business owners.

Additional credit card processing rules and laws

In addition, business owners should be aware of the following credit card processing regulations.

Durbin Amendment

The Durbin Amendment is part of the Dodd-Frank Act, passed by Congress in 2010. Its purpose is to protect consumers by lowering the interchange fees on debit card transactions, which have the lowest risk of fraud and, therefore, should be much less expensive than riskier transactions, lawmakers argued. For example, on a $38 debit transaction, the interchange fee before the Durbin Amendment was around 44 cents. With the passing of the law, debit card transaction rates were capped at 22 cents per transaction plus 0.05 percent of the purchase price. So, for the same $38 debit transaction, the maximum interchange fee would be around 24 cents.

However, the unintended consequence is that businesses with many smaller transactions end up paying more in fees. Before the Durbin Amendment, card issuers based their interchange rate on a sliding scale, so merchants paid lower fees for small purchases. After the Durbin Amendment, they switched to charging the maximum amount on every transaction.

IRS mandate

Because the IRS taxes business income, the agency wants to keep track of all incoming sales, not just those paid by cash or check. To that end, the IRS created a rule called Section 6050W, also called the IRS mandate, which requires merchant services providers to specifically report their clients’ annual gross transactions processed with a credit or debit card or third-party network to the IRS. [Read related: Best Merchant Account Services]

Businesses are required to provide their merchant services provider with their tax identification number to facilitate reporting. If you fail to do so, or if the IRS notifies the merchant services provider that there is a discrepancy between your reported income and your actual income, the merchant services provider is required to withhold tax on your future credit card revenue.

Nacha

You are most likely to be affected by Nacha regulations if you have an e-commerce business, because many online businesses accept direct payments in addition to credit cards. However, any business that accepts ACH payments must abide by these rules, which include the following:

• Using only secure web forms and encrypted email to transmit sensitive information
• Safely storing hard copies with sensitive customer data
• Validating customers’ routing numbers
• Verifying customers’ identities by checking driver’s licenses using a third-party verification service, depositing test amounts into customers’ bank accounts or requiring customers to log in with a user ID and password

A new Nacha Supplementing Data Security Rule, which went into effect in June 2021, requires businesses that process 2 million or more ACH transactions annually to encrypt payment information on their computer systems while at rest (not being transmitted to a financial institution). Businesses with fewer than 2 million ACH transactions per year are not subject to the new rule but are encouraged to comply anyway. The rule applies to both consumer and business ACH data, as well as to scanned paper authorizations with consumer payment account data.

State laws

In addition to the federal laws regulating credit card processing, some states impose other requirements. For example, charging consumers a surcharge to fully or partially pay for the credit card processing fee on their purchases is illegal in Connecticut, Massachusetts and Puerto Rico. In California, merchants are barred from misleading customers by hiding differences between the credit card, debit card and cash prices, including charging surcharges at the point of sale without informing customers.