Business.com aims to help business owners make informed decisions to support and grow their companies. We research and recommend products and services suitable for various business types, investing thousands of hours each year in this process.
As a business, we need to generate revenue to sustain our content. We have financial relationships with some companies we cover, earning commissions when readers purchase from our partners or share information about their needs. These relationships do not dictate our advice and recommendations. Our editorial team independently evaluates and recommends products and services based on their research and expertise. Learn more about our process and partners here.
Credit Card Payment Processing Rules and Laws You Need to Know About
Accepting credit cards can help you drive sales, so long as you’re compliant with regulations.
Table of Contents
Before you begin accepting credit cards and digital payment methods, you’ll need to understand the legal requirements that apply to your business. These rules help protect your customers’ sensitive information, reduce your risk of costly penalties, and help build trust in your brand.
Editor’s note: Looking for the right credit card processor for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
Key payment processing regulations and agencies
Credit card processing laws are payment regulations designed to protect consumers and businesses from fraud and data security issues. There are several important regulations and governing agencies to consider.
“Credit card processing laws are essentially guidelines and rules that businesses need to follow in order to accept, store and process payments from cards safely,” said Alexander Persidsky, head of operations at PayDo. “Laws vary by location, but they all share one mission: safeguard customer information, prevent fraud and provide secure transactions.”
Regulation | Who It Applies To | Requirements | Merchant Implications |
|---|---|---|---|
PCI DSS | All card-accepting merchants | 500+ requirements, annual assessments | Hardware/software costs, regular audits |
Durbin | Debit card-accepting merchants | Fee caps, routing mandates | Possible cost reductions |
NACHA | ACH network participants | Annual risk checks, audits | Needs for secure storage/verifications |
FTC | Merchants handling payment data | Data security, breach notification | Fines, compliance program necessities |
CFPB | Large processors/apps | Examinations, data transparency | Expanded reporting, privacy obligations |
PCI DSS (Payment Card Industry Data Security Standard)
The PCI DSS is a global standard that applies to all businesses that accept credit cards. It is designed to protect cardholder data and reduce the risk of credit card fraud.
There are four levels of PCI compliance based on your company’s annual volume of credit, debit, or prepaid card transactions:
- PCI Level 1: More than 6 million transactions annually. Requires annual Report on Compliance by a Qualified Security Assessor or certified internal auditor, quarterly network scans by an Approved Scanning Vendor (ASV) and AOC form submission to your acquiring bank.
- PCI Level 2: 1 to 6 million transactions annually. Requires annual Self-Assessment Questionnaire, quarterly network scans and AOC form.
- PCI Level 3: 20,000 to 1 million ecommerce transactions annually. Typically requires annual SAQ, quarterly scans and AOC form.
- PCI Level 4: Fewer than 20,000 ecommerce transactions or up to 1 million via other channels. Requires annual SAQ, quarterly scans if applicable and bank-determined validation.
The most recent version, PCI DSS v4.0.1, includes expanded password protocols, annual assessments, network segmentation and vulnerability scanning requirements. Passwords must now include at least 12 characters, and businesses are required to update access controls and encryption protections regularly.
Durbin Amendment
The Durbin Amendment, part of the Dodd-Frank Act passed in 2010, caps interchange fees for debit card transactions. The goal of the regulation was to lower merchant costs, thereby avoiding them passing these fees on to consumers. The Durbin Amendment requires merchants to track fee structure changes, maintain up-to-date disclosures and adhere to regulatory routing for debit transactions.
Nacha Regulations
Nacha governs automated clearing house (ACH) transactions and the network through which they move, including direct deposits and direct payments from customer accounts. Nacha’s latest update to the rules requires annual ACH compliance audits, enhanced risk assessments, agreements for third-party senders and phased fraud monitoring rules through 2026.
Under Nacha’s rules, merchants must:
- Use secure web forms and encrypted communications to transmit sensitive info.
- Store physical copies containing customer banking data safely.
- Validate customers’ routing numbers.
- Verify customer identities (third-party checks, test deposits, secure login).
FTC Consumer Protections
The FTC enforces federal laws around payment and consumer data security, investigating breaches, issuing sizable fines, and mandating adequate breach notifications. Enforcement actions in 2024 increased privacy and disclosure obligations, requiring companies to implement reasonable data retention, breach notification and truthful data collection practices.
“Government agencies such as the FTC are increasing efforts to address inadequate data protection,” Persidsky said. “If a business improperly handles credit card data or suffers a breach due to lax security measures, it is more than a reputational problem; it can also result in significant fines and restrictions.”
CFPB Oversight
In 2025, the Consumer Financial Protection Bureau (CFPB) expanded supervision to large digital payment app providers, defined as those with at least 50 million transactions annually. Oversight now includes consumer privacy, fraud prevention, junk fee disclosures, and broader transparency mandates for payment platforms.
State surcharge laws
Surcharging rules vary widely by state and card network. Always research requirements in the state(s) in which you operate and consult your legal advisor for compliance.
State | Surcharging Allowed | Key Requirements |
|---|---|---|
California | No | Prohibited; exceptions repealed in 2024 |
Texas | No | Prohibited |
Connecticut | No | Prohibited |
Maine | No | Prohibited |
Massachusetts | No | Prohibited |
Colorado | Yes (2% cap) | Max 2% or merchant cost; robust disclosure |
New York | Yes | Actual cost only; disclosure required |
New Jersey | Yes | Actual cost only; clear checkout notice |
Minnesota | Yes (5% cap) | Max 5%; posted disclosure |
How to ensure PCI DSS compliance
To comply with PCI DSS, you must follow these 12 requirements designed to protect cardholder data from theft via data breaches:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data on a business need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain, publish, and enforce a security policy for all personnel.
“The key to staying compliant is to make security and regulation a part of your daily business, not just treat it like a periodic audit,” Persidsky said. “Start with the fundamentals: adhere to the PCI DSS standards — encrypt sensitive data, restrict access and scan your systems regularly.”
Alternatives to managing PCI compliance
If managing PCI compliance alone feels daunting, many of the best credit card processors offer full PCI compliance as part of their service.
Payment processor | Added cost | Review |
|---|---|---|
Clover | Cost varies | |
Merchant One | None | |
Helcim | None | |
Stax | None | |
Stripe | None | |
North Payments | $145 annually | |
Square | None |
Merchant compliance checklist
Follow these steps to protect your business:
- Implement all PCI DSS requirements, including secure passwords (≥12 characters), restricting access, and annual audits.
- Review debit routing and fee caps under the Durbin Amendment.
- Complete required ACH risk assessments and agreements for NACHA.
- Maintain robust cybersecurity, transparent disclosures and breach notification per FTC and CFPB.
- Only apply surcharges if allowed in your state, not exceeding actual processing cost. Provide clear disclosures at checkout.
- Keep all fee amounts publicly listed and regularly updated.
FAQs
- A Guide to Restaurant Payment Processing
- How to Accept Credit Card Payments Using Your Phone
- Stripe vs. Square Credit Card Processing Comparison
- Square vs. PayPal
- How to Apply (and Get Approved) for a Business Loan
- The Best Credit Card Processors for Restaurants in 2025
