
Payment Processing Laws and Regulations

Accepting credit cards can help drive sales — as long as your payment processes comply with the rules.

Written by:
Jennifer Dublino, Senior Writer
Editor verified:
Gretchen Grunburg, Senior Editor
Last Updated May 01, 2026

Before you begin accepting credit cards and digital payment methods, you’ll need to understand the laws, security standards and industry requirements that come with them. These rules help protect your customers’ sensitive information, lower your risk of costly penalties and show customers they can trust your business with their payment data.

Below, we’ll break down the payment processing laws, regulations and oversight agencies businesses should know, along with practical steps to help you stay compliant as you grow.

Key payment processing regulations and agencies

Credit card processing laws are a mix of legal requirements, security standards and industry rules designed to protect consumers and businesses from fraud, data breaches and other payment security risks. Before you begin accepting card payments, it’s important to understand the key regulations, oversight agencies and compliance frameworks that shape how payment data is collected, stored and processed.

“Credit card processing laws are essentially guidelines and rules that businesses need to follow in order to accept, store and process payments from cards safely,” said Alexander Persidsky, head of operations at PayDo. “Laws vary by location, but they all share one mission: safeguard customer information, prevent fraud and provide secure transactions.”

The chart below highlights some of the most important payment regulations and governing bodies, followed by a closer look at what each one does.

Regulation or agency | Who it applies to | Requirements | Merchant implications
PCI DSS | All card-accepting merchants | 500+ requirements, annual assessments | Hardware and software costs, regular assessments
Durbin Amendment | Debit card-accepting merchants | Fee caps, routing mandates | Possible cost reductions
Nacha | ACH network participants | Risk monitoring, audits | Secure storage, verification requirements
FTC | Merchants handling payment data | Data security, consumer protection | Fines, compliance program necessities
CFPB | Payment apps, digital wallets | Examinations, data transparency | Expanded reporting, privacy obligations

PCI DSS (Payment Card Industry Data Security Standard)


The PCI DSS is a global security standard that applies to businesses that store, process or transmit credit card data. It is designed to protect cardholder information and reduce the risk of credit card fraud.

There are four PCI compliance levels based on your company’s annual volume of credit, debit and prepaid card transactions:

  • PCI Level 1: More than 6 million transactions annually. Requires an annual Report on Compliance (ROC) by a Qualified Security Assessor or certified internal auditor, quarterly network scans by an Approved Scanning Vendor (ASV) and submission of an Attestation of Compliance (AOC) form to your acquiring bank.
  • PCI Level 2: 1 to 6 million transactions annually. Requires an annual Self-Assessment Questionnaire (SAQ), quarterly network scans and an AOC form.
  • PCI Level 3: 20,000 to 1 million e-commerce transactions annually. Typically requires an annual SAQ, quarterly scans and an AOC form.
  • PCI Level 4: Fewer than 20,000 e-commerce transactions annually or up to 1 million through other channels. Requires an annual SAQ, quarterly scans if applicable and bank-determined validation.

The most recent version, PCI DSS v4.0.1, was published in June 2024 and became the only active version on January 1, 2025, after PCI DSS v4.0 was retired. PCI DSS v4 introduced stronger authentication requirements, including broader use of multifactor authentication, expanded password protocols and more rigorous vulnerability management standards. As of March 31, 2025, all future-dated PCI DSS v4 requirements became mandatory, including stricter e-commerce website security controls, expanded access protections and enhanced vulnerability monitoring.

Did you know?
Many of the best merchant account services charge a PCI compliance fee to help cover security assessments, validation tools and other compliance-related services.

Durbin Amendment


The Durbin Amendment, part of the Dodd-Frank Wall Street Reform and Consumer Protection Act passed in 2010, caps interchange fees on certain debit card transactions and gives merchants more flexibility in how those payments are routed. The goal was to lower payment processing costs for businesses and, ideally, reduce the need to pass those costs on to consumers.

For merchants, this often shows up as lower debit processing costs and more routing flexibility, while your payment processor or acquiring bank handles much of the compliance work behind the scenes.

The Durbin Amendment remains in effect in 2026, although its long-term future is getting a closer look. In August 2025, a federal court challenged parts of Regulation II — the Federal Reserve rule that governs debit interchange fee caps — but the decision was paused pending appeal. For now, the existing debit fee caps and routing rules remain in place, so businesses can keep processing debit card payments under the current framework while the case moves forward.

Nacha regulations

Nacha sets the operating rules for automated clearing house (ACH) payments, the network behind direct deposits and bank-to-bank payments pulled from customer accounts. If your business accepts ACH payments, those rules affect everything from how account details are collected to how payment data is protected, who can send payments on your behalf and what records you may need to keep on file.

Recent Nacha rule changes put fraud monitoring in the spotlight. Starting in 2026, those requirements rolled out in phases, first for banks and high-volume ACH originators, then for businesses of all sizes. Even smaller companies that originate ACH payments may now need stronger fraud controls in place.

FTC consumer protections

The Federal Trade Commission (FTC) enforces federal consumer protection laws related to payment security, privacy and how businesses collect, store and share customer data. The agency investigates data breaches, deceptive security claims and privacy practices that may put sensitive consumer information at risk.

In recent years, many FTC enforcement actions have focused on businesses whose real-world data practices don’t match what they promise customers in privacy policies, security disclosures or marketing materials. That means it’s not enough to say your business follows strong security standards: You need policies, safeguards and employee practices that back those claims up.

“Government agencies such as the FTC are increasing efforts to address inadequate data protection,” Persidsky said. “If a business improperly handles credit card data or suffers a breach due to lax security measures, it is more than a reputational problem; it can also result in significant fines and restrictions.”

CFPB oversight

If your business accepts digital payments, the Consumer Financial Protection Bureau (CFPB) is one of the federal agencies worth keeping an eye on. The agency helps enforce consumer financial protection laws tied to payment apps, fee disclosures, fraud safeguards and how financial companies collect, use and share customer data.

That oversight nearly expanded in a big way. In late 2024, the CFPB moved to bring large digital payment platforms — including providers handling at least 50 million consumer transactions a year — under closer supervision. Congress overturned that rule in 2025, so for now, the agency’s role in directly overseeing payment apps and digital wallets is still being worked out.

For businesses, the message hasn’t really changed: Protect customer data, be upfront about fees and make sure your real-world security practices match what you promise customers.

State surcharge laws

Credit card surcharging rules can look very different depending on where your business operates and which card networks you accept. Some states prohibit surcharges altogether, while others allow them with caps, disclosure requirements or pricing restrictions. 

The chart below offers a quick snapshot of how several states currently approach credit card surcharging. However, note that even in states that allow surcharging, card networks like Visa and Mastercard may impose their own fee caps, notice requirements and disclosure rules.

State | Surcharging allowed | Key requirements
California | Restricted | State restrictions remain; mandatory fees must be disclosed upfront
Texas | Contested | State ban remains, but enforcement has been challenged
Connecticut | No | Prohibited
Maine | No | Prohibited
Massachusetts | No | Prohibited
Colorado | Yes (2 percent cap) | Max 2 percent or merchant cost; disclosure required
New York | Yes | Actual cost only; disclosure required
New Jersey | Yes | Actual cost only; clear checkout notice
Minnesota | Yes (5 percent cap) | Surcharge must be disclosed and either included in advertised pricing or reasonably avoidable

How to ensure PCI DSS compliance


To comply with PCI DSS, you must follow these 12 requirements designed to help protect cardholder data from breaches, fraud and unauthorized access:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update antivirus software and other anti-malware tools.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data on a business need-to-know basis.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain, publish and enforce a security policy for all personnel.

“The key to staying compliant is to make security and regulation a part of your daily business, not just treat it like a periodic audit,” Persidsky said. “Start with the fundamentals: adhere to the PCI DSS standards — encrypt sensitive data, restrict access and scan your systems regularly.”

FYI:
The best POS systems come with PCI-ready hardware and built-in security features, so when you accept credit cards, you may already be covering some core compliance requirements.

Alternatives to managing PCI compliance

If managing PCI compliance on your own feels daunting, many of the best credit card processors offer tools, support and built-in security features that can make compliance easier. Consider the following options:

Payment processor | Added cost | Review
Clover | Cost varies | Clover Credit Card Processing review
Merchant One | None | Merchant One review
Helcim | None | Helcim review
Stax | None | Stax review
Stripe | None | Stripe review
North Payments | Cost varies | North Payments review
Square | None | Square review

Merchant compliance checklist

Use this checklist as a practical starting point to keep your business protected and on the right side of payment regulations:

  1. Implement your applicable PCI DSS requirements, including strong password controls, restricted system access and annual validation or self-assessments where required.
  2. Review debit routing and fee caps under the Durbin Amendment.
  3. Complete any required ACH risk reviews, fraud-monitoring processes and third-party agreements under Nacha rules.
  4. Maintain strong cybersecurity practices, accurate privacy disclosures and customer-facing policies that match how your business actually handles payment data.
  5. If your state and card networks allow surcharging, make sure the fee never exceeds what you’re actually paying to process the transaction. Customers should know about any surcharge before they reach checkout.
  6. Make sure advertised fees, payment terms and pricing disclosures stay current anywhere customers may see them.

Payment processing laws FAQs

It depends. Some states, including Connecticut, Maine and Massachusetts, still prohibit credit card surcharges by statute, while others allow them with caps, pricing rules or disclosure requirements. Because surcharge laws continue to evolve (and card networks may impose their own limits), always review your state's current rules before adding a surcharge.

Surcharge disclosure rules aren't the same everywhere. State laws and card networks may handle them differently, but customers generally need to see any added fee before they reach checkout, along with the total they'll actually pay. In most cases, that surcharge also can't be higher than your true processing cost.

Any business that accepts credit cards needs to follow PCI DSS security standards and comply with federal consumer protection rules enforced by the FTC. Businesses that process ACH payments also need to follow Nacha rules. Depending on how you accept payments, debit routing requirements, surcharge laws and evolving CFPB oversight may also affect your compliance responsibilities.