Sandbox
Production
Ways to Accept Payments
Cross-Border Payments
Payment Optimization
Payment Types & Currencies
Fraud Prevention
Chargeback Management
Compliance
Payment Analytics & Reporting
Benefits
Features
Developers
Accounts Receivable Automation
Subscriptions & Recurring Billing
Invoice Payments
Virtual Terminal
Regulations for digital commerce abound and mistakes can be costly. For example, neglecting to meet PSD2 requirements in the European Economic Area prevents your business from being able to process digital payments entirely. GDPR violations can range from €20 million, or $21.7 million, to 4 percent of the firm’s annual global revenue from the previous fiscal year (whichever is greater).
To safeguard your business, you need to achieve payments compliance.
However, achieving payments compliance can be a daunting task. A number of big-name regulations have been enacted, from GDPR to CCPA and PSD2 to the Wayfair Ruling.
Payments compliance is pretty complicated. But it’s not impossible to achieve, and it’s absolutely necessary for the health of your business. That’s why we’ve put together this quick guide to help your business comply with all the necessary regulations and accept customer payments worry-free.
The 6 Compliance Categories You Need to Know
Despite this complexity, there is good news. The wide array of digital commerce compliance rules fit into a consistent set of categories, so they’re easier to comprehend than you might expect. Consider these 6:
- Payment network policies (e.g. Visa’s rules around free trials and NACHA (National Automated Clearing House Association), which has their own unique set of policies)
- Data privacy (such as CCPA in California)
- Consumer security (like PSD2)
- Payment Card Industry Data Security Standards, aka PCI (which regulates control of credit card data)
- Tax collection (for instance, the Wayfair Ruling)
- IT Security (ensuring your business is protected against hackers with things like data center redundancy and other security investments).
Broadly speaking, all regulations can be sorted into these buckets — and all of these buckets are filling rapidly. Payments regulations are frequently being added and updated, and there are many components businesses must keep in mind.
For example, it is not just card networks that have their own policies, but also payment networks. Every payment type has its own set of policies and the right payments provider can help you stay abreast.
Additionally, on the consumer security front, CCPA has sparked discussion of similar regulations in additional states. Similarly, with PSD2 implementation in the EU, other regions are sure to follow.
An Action Plan for Payments Compliance
Monitor everything (or work with a partner that does).
This all means that payments compliance is becoming more difficult to achieve. Above all, if you’re working toward compliance, you need to closely monitor all regulations that impact payments, particularly as regulations are added or updated.
You also need to dissect (preferably with legal counsel at hand) which regulations apply when.
The Wayfair Ruling, for example, enables sales tax to now be imposed on online purchases, allowing each state to make independent decisions and impose distinct rules for such sales tax, including which products are eligible to be taxed and the application of such taxes on parties outside the respective state. The application of those rules can depend both on where your business is based and where the product is sold, but there’s no one clear rule.
In other words, it gets complicated quickly.
To achieve payments compliance on your own, you’ll need to dedicate significant energy just to identifying current regulations and their impact. To avoid a compliance headache, a smarter alternative is to work with a payments provider that’s monitoring all of these changes and easing difficulties for you and your business.
Update your tech infrastructure accordingly.
Much of the core work needed to achieve payments compliance comes in the form of tech updates and website functionality. Data privacy, for instance, requires updates like the ability for visitors to opt out of cookies. Card scheme policies have called for changes like adding an additional checkbox customers can select to allow your site to store their credit card info.
To understand what changes need to be made, you’ll need to dig into the requirements and implications of each regulation. You then need to execute the necessary changes with a developer team and implement any internal process changes (such as how you store customer data). Again, this task is daunting, and far easier with a payments solution that offers built-in tools and resources to guide you to compliance a better way.
A Partnership that Pays Off
Compliance is complicated, and there’s no simple way around it — after all, you don’t want your plumbing to spring a leak. To achieve payments compliance, you need to put in an enormous amount of work and tie up all the associated loose ends.
Or, you can work with a partner that knows a thing or two about payments compliance.
When you partner with a payments expert, you can focus on your business. You don’t have to know all the details or sink in your own time. Instead, you can work with a partner that is dedicated to compliance and rest assured that everything is done right, with no chance of leaks (or lawsuits).
BlueSnap: a single solution for achieving global payments compliance.
At BlueSnap, we’re dedicated to a simple compliance goal: we’ll handle everything, so that you can focus on your business and sell your goods without worry. That’s why our Global Payment Orchestration Platform is fully compliant with all privacy, security and card scheme rules.
We’re also compliant with the Level 1 Payment Card Industry Data Securities Standards (PCI-DSS), which is the highest standard of PCI compliance, and work diligently to maintain secure systems. Whenever shopper’s cardholder payment data is transmitted, processed, or managed through the BlueSnap platform, BlueSnap takes responsibility for the proper security of the sensitive data entrusted to us in accordance with PCI-DSS requirements.
Merchants that use BlueSnap’s Global Payment Platform benefit from having the main burden of PCI compliance covered by BlueSnap. This standard includes encryption of data in transit and at rest, periodical penetration tests and ethical hacks, and deployment of security defenses and infrastructure (such as intrusion prevention systems, data leak protection software, endpoint security protection).Nevertheless, as merchants have access to transaction invoices they must carefully manage the administration of such data in line with relevant privacy legislation and Card Association rules.
Additionally, tax compliance from Avalara is integrated right into the platform to help ensure you are compliant with local tax requirements, and we’re constantly working to build out more robust solutions. When you connect with our gateway, you know all your transactions will comply with all payment regulations.
We also take this compliance partnership to the next level by working to ensure that our customers have all the information and support they need. In other words, we don’t just stop at payments compliance. We work to advise you on any regulations your business needs to follow, such as GDPR’s implications for your contact database. Our team monitors and tracks all regulation changes and consistently informs our customers about any major implications, as well as the next steps to take.
In other words, there’s a simple solution to payments compliance: find the right payments partner.
Frequently Asked Questions
What are payment regulations?
There are six key regulatory categories businesses must consider and adhere to when conducting any financial transaction:
- Payment network policies: These include any rules, regulations, guidelines or specifications put forth by payment networks, including EFT networks and Credit Card Associations.
- Data privacy: These regulations cover the rights given to individual data subjects concerning the personal data being stored (information like an individual’s name, email, location, online identifier, IP address, home address, etc.), including the right to prior notification of what the data is being used for, how it will be processed and when it will be deleted.
- Consumer security: These regulations protect consumers from fraud and theft, such as the Revised Directive on Payment Services (PSD2), enacted by the European Parliament, which requires Strong Customer Authentication (SCA) via three levels of identification for every transaction, from card number confirmations to texts with authorization codes.
- Payment Card Industry Data Security Standards: Payment Card Industry (PCI) is a Data Security Standard (DSS), which is a set of requirements established by the major card companies to ensure that all businesses that process, store and/or transmit credit and debit card information maintain a secure environment. These standards help to defend against cyber-attacks, data hacks and other security breaches, which can result in extensive costs associated with loss of business, credit monitoring, post-breach audits and security updates.
- Tax collection: Tax responsibilities for businesses depend on a variety of factors such as the sales revenue, transaction volume and the location in which sales occur. In addition to the specific local tax laws, the payment model under which your business operates also has an impact.
- IT security: These regulations ensure that businesses are protected against hackers, cybersecurity regulations have been drafted to cover elements including data center redundancy, data storage, data recovery and other security investments.
Do I need to be PCI compliant?
Anyone selling goods and services online needs to be PCI compliant. How you integrate with BlueSnap determines the level of compliance required. We offer a range of tools to help merchants ease the burden of PCI compliance. Learn more here.
What is PSD2?
The Revised Directive on Payment Services (PSD2) is a set of regulations intended to establish a clear set of rules for payment providers across the EU and the UK. The intent is to better protect customers when they make electronic payments and to open up competition among providers.
What are the PSD2 requirements?
The major PSD2 requirement is the use of Strong Customer Authentication (SCA) for all online payments processed by an acquiring bank in the European Economic Area or United Kingdom. Other requirements include:
- The use of open APIs to allow authorized third parties to have access to accounts
- Greater transparency in a provider’s terms and conditions and the details of their financial products
- Resolution of complaints and reporting of security incidents within a set amount of time
- No credit card surcharges to ensure equity among payment methods
Who must comply with PSD2?
If you are a merchant within the European Economic Area (EEA) or UK, then you must abide by all PSD2 regulations when processing transactions from an EEA or UK acquiring bank. If you are a merchant outside these territories, you are still impacted by PSD2 if the acquiring bank you use for payment processing is in either of those regions.
While some transactions may be exempt or excluded from needing to be PSD2 compliant, merchants can ensure their transactions are not declined by enacting Strong Customer Authentication.
Is BlueSnap PCI Compliant?
Yes – BlueSnap complies with Level 1 Payment Card Industry Data Securities Standards (PCI-DSS), which is the highest standard of PCI compliance.