
Navigating the global landscape of payments compliance

December 7, 2022  


Payments compliance

Regulatory compliance tops the priority list for payment service providers but presents layers of local, regional and international complexity.

Regulations vary among countries and financial institutions and can shift depending on payment method, amount and purpose. Cross-border payments can complicate compliance further with a mixed bag of legal requirements and payment systems.

Regulatory technology can help payment service providers simplify and adapt to markets around the world.

Meet payment security requirements

Payment security that still lets legitimate transactions through is the driving force behind many regulations. U.S. payment systems, for example, are subject to a federal consumer protection regulation (Regulation E, which implements the Electronic Fund Transfer Act) as well as numerous other rules at the federal and state levels.

The PCI Security Standards Council, a global forum of payment industry stakeholders, maintains the Payment Card Industry Data Security Standard (PCI DSS) so that merchants and providers face one common set of controls rather than a different list from every card brand. The standard is imposed through card brand and acquirer agreements on any business that stores, processes or transmits cardholder data, and it requires companies to demonstrate robust security measures, for instance through self-assessment questionnaires or an on-site assessment by a Qualified Security Assessor, depending on transaction volume.

Fraud prevention: Payment Card Industry Data Security Standard (PCI DSS)

The strict PCI DSS requirements prompt many merchants to turn to payment service providers, which take on most of the security and risk by keeping raw card data out of the merchant's systems (hosted payment pages and tokenization are the usual mechanisms). Outsourcing reduces scope but does not eliminate responsibility: non-compliance penalties, which are assessed by the card brands and passed down through the acquiring bank and can include fines as high as $100,000 or other sanctions, could apply to anyone in the payment chain.

Reputable partners and a security-first approach can help companies stay on the right side of those regulations.

Ensuring data privacy and security

There’s substantial value in understanding payment trends and behaviors.

Analyzing payment histories and profiles can enable better personalization, targeted offers and improved experiences. But privacy laws around how that information is collected, stored, analyzed, monetized and shared are becoming increasingly common.

The European Union’s General Data Protection Regulation (GDPR), for instance, changed the rules for how organizations process and move personal data.

GDPR for merchants

Data controllers, such as merchants, must implement appropriate technical and organizational measures to protect against data breaches. Their contracts with data processors must meet the GDPR's requirements and set out how the processor handles the data: what it may do with it, how it secures it, and what happens when the engagement ends.

GDPR for payments providers

Data processors, such as payment service providers, may process personal data only on the controller's documented instructions and can't use it for any purpose other than the one agreed in the contract. The processor also must maintain appropriate data protection measures, including internal audits, and remains responsible for the sub-processors and other third parties it brings in.

GDPR is not the only privacy law a payments business will meet. Others include the California Consumer Privacy Act, which took effect in 2020, and Canada's Personal Information Protection and Electronic Documents Act, which predates GDPR, and the list continues to grow.

Know Your Customer and Anti-Money Laundering procedures

Payment service providers often must comply with Anti-Money Laundering (AML) laws, including Know Your Customer (KYC) procedures.

AML and KYC compliance requirements can vary depending on the region, business and transaction. A related but separate obligation in the EU comes from the revised Payment Services Directive (PSD2), which imposes Strong Customer Authentication (SCA) requirements on electronic payments.

Strong Customer Authentication

SCA establishes authentication requirements for online payments and is designed to reduce fraud. Unless an exemption applies (low-value transactions are one example), the customer must authenticate with at least two of the following three factor categories, and the factors must be independent, so that compromising one does not compromise the others:

  • Something the customer knows, such as a password

  • Something the customer has, such as a card or phone

  • Something the customer is, such as a fingerprint or face scan
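Two factors from the same category (a password plus a PIN, for instance) do not satisfy SCA, and that is the mistake a policy check needs to catch. The following is an added example, not code from the original page or from any payment provider: a small server-side decision function that classifies the evidence presented at checkout into factor categories, counts distinct categories, and applies a low-value exemption. The evidence names, the category map and the threshold value are assumptions for illustration; a real deployment takes the threshold and the exemption list from its regulatory configuration.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories."""
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something the customer is


# Assumed mapping from the concrete evidence a checkout can present to its
# factor category. Names are illustrative, not a standard vocabulary.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_sms": Factor.POSSESSION,         # one-time code sent to the registered phone
    "card_cryptogram": Factor.POSSESSION, # proof from the chip or a tokenized card
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

# Assumed low-value exemption threshold; taken from configuration in practice.
LOW_VALUE_LIMIT = Decimal("30.00")


@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    currency: str
    merchant_initiated: bool = False  # e.g. a subscription renewal with the payer absent


def sca_required(tx: Transaction) -> bool:
    """Return True when the transaction must be strongly authenticated.

    Merchant-initiated transactions are out of scope because the payer is not
    present; payer-initiated ones are exempt only below the low-value limit.
    """
    if tx.merchant_initiated:
        return False
    return tx.amount > LOW_VALUE_LIMIT


def factor_categories(evidence: list[str]) -> set[Factor]:
    """Map presented evidence to the distinct factor categories it covers.

    Unknown evidence types are ignored rather than counted, so a client cannot
    inflate its factor count by sending made-up evidence names.
    """
    return {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}


def factors_satisfied(evidence: list[str]) -> bool:
    """SCA needs at least two *different* categories, not two pieces of evidence."""
    return len(factor_categories(evidence)) >= 2


def authorize(tx: Transaction, evidence: list[str]) -> str:
    """Decide what to do with a checkout attempt.

    Returns one of:
      "approved_exempt" - no SCA needed, proceed on the usual risk checks
      "approved_sca"    - SCA needed and satisfied by independent factors
      "sca_challenge"   - SCA needed but not satisfied; step the customer up
    """
    if not sca_required(tx):
        return "approved_exempt"
    if factors_satisfied(evidence):
        return "approved_sca"
    return "sca_challenge"


if __name__ == "__main__":
    # Constructed sample checkouts.
    cart = Transaction(Decimal("45.00"), "EUR")
    print(authorize(cart, ["password", "pin"]))     # both knowledge -> sca_challenge
    print(authorize(cart, ["password", "otp_sms"])) # knowledge + possession -> approved_sca
    print(authorize(Transaction(Decimal("12.00"), "EUR"), []))  # below limit -> approved_exempt
```

The point of `factor_categories` is that the count is taken over categories, not over evidence items, so a checkout that sends two knowledge factors is stepped up rather than approved. Exemptions other than low value (transaction risk analysis, trusted beneficiaries and so on) would slot into `sca_required` in the same way.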

Merchant onboarding

A critical part of merchant onboarding is ensuring the legitimacy of the business through KYC. The business must exist and be operational, and the account request must be authorized.

Information that can verify a merchant commonly includes company name, registered business or tax identification number, and registered address. Due diligence might also include verifying the business type, sales turnover, bank account details and beneficial ownership.

KYC can also go beyond the legal minimum: the initial checks determine whether enhanced due diligence is warranted. Fraud screening and identity verification of the individuals behind a questionable account, such as its directors and beneficial owners, bring transparency to accounts that the basic checks cannot clear.

Prepare for the future of payments compliance

Payments compliance is complex, but it gets more complicated when adding evolving technology, market fragmentation and changing regulations. Payment providers that are ready for those challenges can position themselves for success.

“The payments providers that adjust their operating models and platforms in a timely way to be both global and local will stand to benefit from the resulting scale and flexibility,” according to a 2022 McKinsey & Company report. “They will also be well positioned to help customers navigate the growing complexity of the payments and commerce landscape, both cross-border and domestic.”

Compliance today and agility for what might come tomorrow can help payment service providers fight evolving fraud attacks and provide smooth customer experiences.
