Selling online may seem like the easiest thing from the buyer’s seat, but in reality, there are a lot of regulations and procedures merchants need to follow to be able to offer this seamless experience.
With the entire transaction occurring online and with funds being transferred from one party to the other, online payments regulations are critical, both as a means to protect buyers and sellers, and as a way to guarantee eCommerce fiscal compliance.
In this article we will go over the main regulations that govern online businesses in accepting online payments and review the fiscal landscape that enables these transactions to happen. You’ll find up-to-date information on what is needed for eCommerce fiscal compliance and tips on how to manage these seemingly complex aspects.
Card network regulations
In order to accept card payments online, you must abide by card network regulations. These card-not-present scenarios involve extra layers of security that authenticate users and ensure the payment instruments are used legitimately and by their rightful owners.
To ensure security throughout their networks, Visa, Mastercard and American Express require that processors and merchants employ tactics like:
- Requesting information on the parties involved in the payment: cardholder name, card number, email address, and the three-digit CVV code on the card
- Using additional verification tools, such as Address Verification Service
- Monitoring their order details and state of transactions
Card networks periodically update and enhance their policies in an effort to keep the online payment landscape safe. As a merchant, you need to stay on top of these updates to ensure your store's compliance; a professional payment processor can take over a lot of this work and guarantee your ongoing compliance.
PCI DSS compliance
The PCI Data Security Standard (PCI DSS) is established by the PCI Security Standards Council, with the role of ensuring the integrity of online payments. Any online business that stores or processes cardholder data needs to comply with PCI requirements. It is worth noting that while the PCI standards are managed by the Security Standards Council, they are not enforced by it: it is the card networks, individual payment brands, or acquiring banks that enforce these standards.
There are 4 levels of PCI compliance, validated through a Self-Assessment Questionnaire (SAQ) or through a third-party audit of the environment.
The objectives addressed by PCI DSS include:
- Network and systems security. Firewalls should be employed when collecting user payment data and authentication data, such as passwords or PINs, and the eCommerce store should not rely on vendor-supplied default settings or passwords.
- Cardholder data protection. All personal user data, identifying or payment, must be secured through encryption and transmitted via encrypted protocols.
- Vulnerability management programs and network tracking. In order to safeguard data against malicious attempts, merchants should employ security programs (anti-spyware, anti-malware), monitor vulnerabilities and their corresponding level of threat, and, overall, instill a security-conscious software development culture in their organization.
- Controlled and restricted access to system information. Cardholder data needs to be protected both electronically and physically, access to data must be tightly controlled, and every user with access to these systems must be assigned a unique identifier (name or number).
- Use of an information security policy. Merchants need to have a security policy in place, accessible to all parties involved in an online transaction.
Know Your Customer Processes
Know Your Customer (or KYC) is a process which has been around for over twenty years, used by businesses to verify the identity of their customers, especially online, through Customer Identification Programs (CIP). As online payment regulations go, KYC is not enforced by one authority, but rather takes on different forms as set by banks, government agencies, or industry bodies. One example of a KYC regulation was launched in the US, in 2018, by the Financial Crimes Enforcement Network (FinCEN), putting into effect the Customer Due Diligence Requirements for Financial Institutions (CDD) rule.
All KYC policies have several common aspects, usually requiring merchants and/or their payment processors to enforce procedures for:
- Customer identification procedures
- Transaction monitoring
- Risk management
KYC or eKYC also often refers to anti-money laundering (AML) procedures, with the goal of identifying the customer precisely, to better assess the risk the merchant and its bank are taking when entering into an online payment transaction with the prospect.
AML laws and regulations target criminal activities including market manipulation, trade in illegal goods, corruption of public funds, and tax evasion, as well as the methods used to conceal these crimes and the money derived from them. They are intended to prevent criminals from disguising illegally obtained funds as legitimate income.
NACHA Operating Rules
All transactions made through the Automated Clearing House (ACH) are subject to NACHA operating rules. NACHA is the association of stakeholders who govern the smooth and secure running of payments made through ACH, by setting roles, responsibilities, and obligations for financial institutions who transact this payment method.
NACHA rules are continuously updated, so merchants who accept ACH payments need to ensure they follow the latest regulations. Some of the most recent NACHA updates from 2020 include:
- The dollar limit for same-day ACH transactions was increased from $25,000 to $100,000 per transaction, effective since March, 2020.
- Better differentiation of unauthorized return reasons, with the introduction of new return reason codes, effective since April, 2020.
- Additional data security requirements, for non-financial institution originators to encrypt deposit account information, when stored electronically, effective since June, 2020.
Payment Services Directive 2 (PSD2) requirements
The role of the PSD2 regulation is to guarantee the security of online card payments made in the EU. It does so by mandating a Strong Customer Authentication (SCA) mechanism for online transactions made with debit or credit cards.
Merchants who want to accept online payments from European shoppers need to meet SCA requirements, by integrating at least two of the following authentication mechanisms:
- Knowledge — something the customer knows, such as a password or a PIN.
- Ownership — something the customer has, for example a token or a mobile device.
- Identity — something the customer is, for example their fingerprint or face recognition.
These regulations are a must for all customer-initiated transactions that happen in Europe, and they cover online payments and bank transfers.
The most widely employed protocol for enforcing PSD2 is 3D Secure 2 (3DS2). 3DS2 aims to create frictionless authentication for payments by running a more thorough risk analysis on transaction data points while authenticating a payment.
Some notable exemptions from the Strong Customer Authentication mechanism include:
- Low-value transactions, under €30. If the online payment transaction value is lower than this amount, the transaction is exempt from SCA verification. However, if a specific customer has already had five previous transactions without SCA verification, or if the sum of recent transactions without an SCA challenge has reached €100, then the sixth transaction, or the next one in line, must undergo SCA verification by default.
- Fixed-amount subscriptions. In case of subscriptions which incur a fixed price for each billing interval, then only the first transaction must be SCA verified, and subsequent ones are exempt.
- Merchant-initiated transactions. Some cases, where the merchant has the card on file and initiates the transaction, are exempt from the SCA challenge. In these use cases it is the issuer that decides whether the exemption applies. This may cover recurring subscriptions (even of variable amounts, such as in pay-per-use models) or buy-now, pay-later models, but even in these cases the card has to be authenticated either when it is stored or during the first payment.
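As an added illustration of the low-value exemption counters described above (this is example code written for this article, not 2Checkout's or any issuer's implementation), the following decision logic tracks, per card, the number and running total of payments that went through without an SCA challenge, and forces a challenge once either limit is reached. Amounts are in euro; the counter reset on a successful challenge is an assumption of the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as described in the text for the PSD2 low-value exemption
LOW_VALUE_LIMIT = Decimal("30.00")   # payments under this amount may be exempt
MAX_EXEMPT_COUNT = 5                 # after five exempt payments, the sixth is challenged
MAX_EXEMPT_SUM = Decimal("100.00")   # once exempt spend reaches this, the next is challenged


@dataclass
class CardCounters:
    """Counters kept per card since its last successful SCA challenge.
    Constructed in-memory state for this example; a real issuer persists it."""
    exempt_count: int = 0
    exempt_sum: Decimal = Decimal("0.00")


def sca_required(amount: Decimal, c: CardCounters) -> bool:
    """Decide whether a card payment must be challenged with SCA."""
    if amount >= LOW_VALUE_LIMIT:           # not a low-value payment at all
        return True
    if c.exempt_count >= MAX_EXEMPT_COUNT:  # five exempt payments already used up
        return True
    if c.exempt_sum >= MAX_EXEMPT_SUM:      # cumulative exempt spend reached the cap
        return True
    return False


def authorise(amount: Decimal, c: CardCounters) -> bool:
    """Apply the decision and update the counters. Returns True if SCA was applied.
    Assumes the challenge succeeds, which resets the exemption counters."""
    if sca_required(amount, c):
        c.exempt_count = 0
        c.exempt_sum = Decimal("0.00")
        return True
    c.exempt_count += 1
    c.exempt_sum += amount
    return False


def run_sequence(amounts: list[str]) -> list[bool]:
    """Replay a list of euro amounts for one card; True marks a challenged payment."""
    c = CardCounters()
    return [authorise(Decimal(a), c) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: seven EUR 20 payments on the same card
    for amount, challenged in zip(["20"] * 7, run_sequence(["20"] * 7)):
        print(f"EUR {amount}: {'SCA challenge' if challenged else 'exempt'}")
```

Running the sample shows the sixth EUR 20 payment being challenged on the count limit, and a run of EUR 29 payments being challenged on the EUR 100 cumulative limit instead.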
Beyond online payment regulations that provide for how user or payment data should be authenticated, stored, and processed, merchants need to follow each of their market’s tax regulations. If you’re selling cross border, chances are you will have to pay taxes, either in the form of Value Added Tax (VAT) or sales tax (sometimes known as GST).
The rules and regulations of when these taxes are collected and how they should be shown on a business’ site vary from country to country — and even from state to state within a country! — so merchants need to allot considerable effort to attaining fiscal compliance in all markets. Usually, a professional payment processing partner can offload a lot of this compliance effort through its automated systems.
VAT is applied to most goods and services sold in Europe and in some parts of Asia. All online sellers who reach a certain threshold of sales in a country where VAT applies need to register for VAT collection. Each country has its own VAT rate, as well as special lower rates or zero rates for certain categories of products (often, these exemptions or lower rates deal specifically with digital goods, so it is in your best interest to get acquainted with them). In Europe, each country's current VAT rules can be reviewed on the national tax websites of the authorities regulating these aspects.
VAT is generally levied on B2C online transactions; B2B service transactions do not involve a VAT payment to the seller, because the business customer accounts for the VAT itself at its own country's rate, via the reverse charge procedure.
It is common when shopping in online stores based in Europe to see the final price for the product or service already including the VAT rate.
At present, most of the world uses the VAT system, including Europe, China, and India, and many South East Asian countries have introduced or are in the process of introducing VAT (Philippines, Indonesia, Malaysia, Singapore, Thailand, Vietnam).
In contrast to VAT, sales tax in the United States is only charged at the final point of sale, which means that resellers and even wholesalers are exempt from this tax. In the US, retailers don't usually show the price with taxes until the user reaches the checkout, where taxes are added depending on where the shopper is buying from.
Selling in the US involves abiding by each state's tax regulations and registering for tax collection in regions where the tax collection threshold is reached. For a comprehensive list of all currently applicable sales tax rates in US states, check out our Knowledge Center article on the topic.
Accepting online payments may seem like the most effortless action from the outside, but this piece has shown us that merchants actually go through a lot of hurdles and compliance work in order to sell globally.
The more markets a merchant targets, the more complexity that comes with online payment regulations. With the right payment provider, however, merchants are able to outsource a lot of this regulatory work to a seasoned partner.
2Checkout has full capabilities to help merchants around the world 1) comply with regulations that govern the usage and security of online payment methods, and 2) address the complexity of fiscal compliance, via dedicated global tax and financial services for our merchants of record. Engage with our advisory team today to find out how 2Checkout could be handling online payment regulations and compliance for you.