Compliance means conforming to the rules and regulations laid down by the payment schemes, industry regulators and legislators. Online sellers need to adhere to these rules and remain compliant to avoid penalties, assessments or exclusion from payment processing. In the context of online payments, the rules and regulations a merchant has to deal with fall into three main compliance categories: scheme compliance, payment industry compliance and legislator compliance.
Every payment scheme, whether an Online Banking ePayments scheme or a card scheme, comprises a set of rules that prescribes how payment processors and online sellers must act when accepting and processing transactions under that scheme or brand.
These rules are intended to protect the payment scheme from brand damage and financial losses caused by, for example, excessive fraud or chargebacks (consumer- or merchant-related), illegal transaction activity and insecure storage of payment data. Card schemes such as MasterCard and Visa in particular have set a comprehensive set of rules for payment providers and sellers to comply with. To enforce compliance, schemes have the right to impose penalties or to terminate the processing connection.
Because card payments are fraud-prone, especially when processing non-authenticated card-not-present transactions (i.e. transactions not authenticated with 3-D Secure), the schemes have set specific card-not-present fraud thresholds for sellers. The associated programs monitor both the absolute number of fraudulent transactions and the ratio of fraudulent to genuine transactions. Sellers who exceed these thresholds are required to implement strict controls to mitigate fraud. If their performance does not improve, they may face fines or termination of their processing connection.
For more information on the fraud programs and the thresholds, please refer to MasterCard's Security Rules & Procedures (Merchant Edition), Global Merchant Audit Program and Visa's Merchant Fraud Performance Program.
Fraudulent card transactions are the number one reason for chargebacks, but not the only reason for cardholders to reclaim their money. Disputed transactions, for example due to non-delivery of goods or receipt of goods that are not as described, are also handled as chargebacks.
Card schemes have defined a number of chargeback reason codes that cover the circumstances above and many others. To protect the card brand and consumers from bad buying experiences, card schemes have also introduced Chargeback Monitoring Programs. These programs are intended to flag online sellers whose number of chargebacks, or whose ratio of chargebacks to genuine transactions, deviates from the average or exceeds acceptable rates. Identified sellers are granted a period of remediation; if they fail to improve, they may face penalties or be excluded from card-processing facilities.
MasterCard has laid down its chargeback monitoring criteria (and assessment scheme) in its Excessive Chargeback Program (ECP) which can be found in the MasterCard Security Rules & Procedures. Visa has defined two programs to monitor merchant chargeback performance on European and Interregional card volumes.
Besides monitoring fraud and chargebacks, the schemes also set rules intended to prevent brand damage resulting from the processing of illegal or brand-damaging transactions. Both schemes have designated specific merchant categories as illegal, and others as high-risk because the nature of the goods or services makes illegality possible.
For example, gambling merchants may hold the right business licences for specific countries, but must still prevent transactions originating from consumers in countries where (online) gambling is prohibited. Such transactions can be deemed "illegal" in the eyes of the schemes and result in severe fines or termination. Other potentially illegal or high-risk categories relate to the sale of weapons, tobacco, prescription drugs and soft or hard drugs.
Payment Industry Compliance
Besides the compliance rules of the individual schemes, there is also a set of rules drafted jointly by a group of payment industry players.
Payment Card Industry Data Security Standard
The world's most common and widely known payment industry compliance framework concerns the safeguarding of sensitive card payment information and is known as the Payment Card Industry Data Security Standard (PCI DSS). The requirements of this framework are drafted by the PCI Security Standards Council (PCI SSC).
The Council was founded by five global payment brands, American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc., who agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. These programs aim to prevent unsafe storage of sensitive card data and to mitigate the risk of card data being compromised. Sellers who accept card payments online are recommended or required to comply with the Standard. How compliance must be validated depends on the merchant's transaction volume (its merchant level as defined by each brand): lower-volume merchants typically complete an annual self-assessment questionnaire plus quarterly external vulnerability scans performed by an Approved Scanning Vendor, while the highest-volume merchants must undergo an annual on-site assessment by a Qualified Security Assessor. The Standard's objective is to identify vulnerabilities in the merchant's security policies and IT systems before an attacker does. Non-compliant merchants may incur non-compliance fees and face severe fines and penalties in the event of a data compromise (breach).
MasterCard's Site Data Protection Program (SDP) and Visa's Account Information Security (AIS) program are constructed based upon the PCI DSS framework.