Online Payments Regulations and Fiscal Compliance

Card network regulations

In order to accept card payments online, you must abide by card network regulations. These card-not-present scenarios involve extra layers of security that authenticate users and ensure the payment instruments are used righteously and by their intended owners.

  • Requesting information on the parties involved in the payment: cardholder name, number, email address, and three-letter CVS code on the card
  • Using additional verification tools, such as Address Verification Service
  • Monitoring their order details and state of transactions
Card network regulations

PCI DSS compliance

PCI Data Security Standards are established by the PCI Security Standards Council, with the role of ensuring the integrity of online payments. Any online business that stores or processes cardholder data needs to comply with PCI regulations. It is worth noting that while the PCI standards are managed by the Security Standards Council, they are not enforced by this authority — it is the card networks, individual payment brands, or acquiring banks who advocate for the enforcements of these standards.

4 levels to PCI compliance
  • Network and systems security. Firewalls should be employed when collecting user payment data and authentication data, such as passwords or PINs, and the eCommerce store should not resort to default value stored by the merchant.
  • Cardholder data protection. All personal user data, identifying or payment, must be secured through encryption and transmitted via encrypted protocols.
  • Vulnerability management programs and network tracking. In order to safeguard data against malicious attempts, merchants should employ security programs (anti-spyware, anti-malware), monitor vulnerabilities and their corresponding level of threat, and, overall, instill a security- enabled software development culture in their organization.
  • Controlled and restricted access to system information. Cardholder data needs to be protected electronically or physically, access to data must be tightly controlled, and all systems linked to the system must have unique identification names or numbers.
  • Use of an information security policy. Merchants need to have a security policy in place, accessible to all parties involved in an online transaction.

Know Your Customer Processes

Know Your Customer (or KYC) is a process which have been around for over twenty years, used by businesses to verify the identity of their customers, especially online, through Customer Identification Programs (CIP). As online payment regulations go, KYC is not enforced by one authority, but rather takes on different forms as set by banks, government agencies, or industry bodies. One example of a KYC regulation was launched in the US, in 2018, by the Financial Crimes Enforcement Network (FinCEN), setting in effect the Customer Due Diligence requirements for Financial Institutions (CDD) rule.

Know Your Customer Processes
  • Customer identification procedures
  • Transaction monitoring
  • Risk management

Anti-Money Laundering

AML laws and regulations target criminal activities including market manipulation, trade in illegal goods, corruption of public funds, and tax evasion, as well as the methods used to conceal these crimes and the money derived from them. They are intended to prevent criminals from disguising illegally obtained funds as legitimate income.

NACHA Operating Rules

All transactions made through the Automated Clearing House (ACH) are subject to NACHA operating rules. NACHA is the association of stakeholders who govern the smooth and secure running of payments made through ACH, by setting roles, responsibilities, and obligations for financial institutions who transact this payment method.

  • The per-day transaction dollar limit for same-day ACH transactions was increased to $100,000 from $25,000 per transaction, effective since March, 2020.
  • Better differentiation for unauthorized return reasons, with the introduction of new reason return codes, effective since April, 2020.
  • Additional data security requirements, for non-financial institution originators to encrypt deposit account information, when stored electronically, effective since June, 2020.

Payment Service Directive 2 (PSD2) requirements

The role of PSD2 regulation is to guarantee the security of online card payments made in the EU. This happens by the mandatory enforcing Strong Customer Authentication (SCA) mechanism for online transactions made with debit or credit cards.

  • Knowledge — something the customer knows, such as a password or a PIN.
  • Ownership — something the customer has, for example a token or a mobile device
  • Identity — something the customer is, for example their fingerprint or face recognition
Strong Customer Authentication (SCA) mechanism
  • Low volume transactions, under €30. If the online payment transaction value is lower than this amount, then the transaction is exempt from SCA verification. However, if a specific customer has had five previous transactions without SCA verification, or if the sum of recent transactions without a SCA challenge has reached €100, then the sixth transaction or the next one in line will have to undergo SCA verification by default.
  • Fixed-amount subscriptions. In case of subscriptions which incur a fixed price for each billing interval, then only the first transaction must be SCA verified, and subsequent ones are exempt.
  • Merchant-initiated transactions. Some cases, when the merchant has the card on file and initiates the transaction, are exempt from the SCA challenge. These are called use cases where the issuer decides on the application of the exemption. This may apply to recurring subscriptions (even of variable amounts, such as in pay-per-use models) or to buy-now, pay-later models, but even in these cases the card has to be authenticated either when it is stored or during the first payment.

Fiscal compliance

Beyond online payment regulations that provide for how user or payment data should be authenticated, stored, and processed, merchants need to follow each of their market’s tax regulations. If you’re selling cross border, chances are you will have to pay taxes, either in the form of Value Added Tax (VAT) or sales tax (sometimes known as GST).

Fiscal compliance


Accepting online payments may seem like the most effortless action from the outside, but this piece has shown us that merchants actually go through a lot of hurdles and compliance work in order to sell globally.

2Checkout Global Tax and Financial Services



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
2Checkout (now Verifone)

2Checkout (now Verifone)

2Checkout (now Verifone) is the leading all-in-one monetization platform for global businesses built to help clients drive sales growth across channels.