Best Practices to Ensure Payment Processing Compliance

Processing payments involves a lot of very detailed, very complex rules. And everyone — from your acquiring bank and payment processor to card brands and government officials — expects full compliance with those rules.

So how do you know what you should and shouldn’t be doing?

We’ve outlined our suggested best practices — four things you should be aware of when it comes to payment processing compliance.

NOTE: This resource is intended as a helpful, educational guide. We’re sharing our personal insights based on years of payment industry experience.

However, Midigator® team members are not legal experts. We suggest you use this guide as a conversation starter with your business attorney or payment processor.


Ask questions.

Our very first — and most important — tip is to ask questions when you are experiencing doubt or confusion of any kind.

The card brands (Mastercard®, Visa®, etc.) publish very thorough guides that outline rules and regulations for everything payments-related. For example, Mastercard maintains a guide with rules about processing transactions and another for managing chargebacks. Guides are usually updated twice a year — around April and October.

These publications should be your first point of contact. However, if you struggle to understand the regulations or have questions about compliance, reach out to credible industry professionals for help.

The account manager at your payment processor should be a well-trained, trusted resource to consult on anything compliance-related. We suggest you start there.


Work with reputable service providers.

There are hundreds of service providers in the payments industry that can help you manage different parts of your business. This includes everything from payment processors enabling you to sell your products or services to order management systems that help you organize order history details.

Even though there might be dozens of different options for each area of expertise, not all service providers have the same values. Choose your vendors wisely.

There’s an old saying that applies to nearly all businesses in all industries: “the customer is always right.” You can certainly find service providers that will tell you exactly what you want to hear. But ultimately, what you want might not be what you need.

For example, some payment processors choose to waive the underwriting process so merchants can get up and running quickly. But the processor might not make it clear that funds will be held until a deeper risk assessment can be completed.

Usually, quick wins — like more revenue or instant gratification — aren’t the best long-term strategies for compliance. And most service providers do not care what happens downstream of them.

Beware of tactics that could benefit your business in the short term but likely cause challenges in the long run.


Don’t try to hide potential issues.

Industry entities — such as the card brands and your payment processor — use various metrics to evaluate your business’s level of risk. They want to know if your business could negatively impact theirs.

It’s understandable to feel intimidated by these risk metrics and the constant monitoring that goes with them. After all, bad performance reviews could cause serious damage — increased fees, penalties, and even business closure.

Therefore, it might be tempting to make things seem better than they actually are.

However, any attempt to hide issues, misrepresent risk, or artificially improve performance metrics is in direct violation of numerous regulations and will ultimately do more harm than good. In addition to financial penalties, the practice can also play a role in legal action taken against your business.

Do not engage in strategies that are intended to deceive your payment processor, the card brands, or any regulatory authority. If anyone suggests such practices, it would be best to stop associating with those vendors or individuals.

Rather than conceal or hide risk, focus on addressing the issue head on. If you are not sure if a strategy is within card brand regulations, talk to your merchant account provider. If you’d like additional help, reach out to Midigator. Our fraud and chargeback management strategies are focused on safely, effectively managing risk.


Make sure your website is compliant.

Your website — and the actions it facilitates — is one of the most valuable assets for your business. However, if it is not compliant, your website can also be one of your greatest liabilities.

Here are some things to keep in mind.

Provide clear, detailed, accurate descriptions for products and services.

Make sure you clearly and honestly explain what the consumer will receive when they buy from your business.

  • Write descriptive copy. When cardholders make in-person purchases, they can usually touch, feel, and handle the merchandise before they buy it. But for an online purchase, you need to create that experience for them. Be detailed and descriptive yet helpful and honest.
  • If relevant, include images of the product or service provided. Take photos from different angles, and zoom in on noteworthy characteristics. Consider including images of real people using or wearing your merchandise.
  • Mention features like material, color, size, weight, duration, file type, etc.

Misleading customers about what they will receive is obviously not compliant with industry standards.

Define and share your policies for returns or refunds.

If you want to charge your customers a restocking fee for returned merchandise, that’s fine. If you don’t want to accept returns at all, that’s fine too. You can even choose to offer store credit instead of refunds.

But, you must clearly disclose your policies to your customers — and that disclosure usually has to happen before the transaction is processed.

Compliance rules can vary by card brand, processor, and state law. But it is best practice to have the following on your checkout page for every transaction:

  • Disclosure: Write out your full return and/or refund policy. Be clear yet complete. Make sure you emphasize limitations like in-store credit only or no refunds.
  • Acceptance: Require the customer to click to accept the terms of your policy before finalizing the purchase.

Failure to disclose your refund policy means you are required to accept returns and/or issue refunds when requested.

Be aware of requirements for recurring transactions.

The card brands have specific expectations if your business processes recurring transactions or subscriptions.

For example, your terms and conditions for recurring transactions must be clearly explained to cardholders. And those policies must be separate and distinct from the general terms and conditions of a sale.

Again, compliance rules can vary by transaction. However, to ensure the maximum protection possible, you should include the following on your checkout page:

  • Disclosure: Write out the terms and conditions for recurring transactions. This should include the amount of each charge, the timing of each charge, and instructions on how to cancel.
  • Acceptance: Require customers to click to accept the terms before finalizing the purchase.

Also, there are additional requirements that are applicable if your recurring transactions include free trials or introductory offers. Click here for a complete guide.

Make sure you understand the rules and are able to comply with expectations. Reach out to your payment processor if you have any questions.

Allow customers to opt into special offers.

Many businesses look for opportunities to upsell or persuade customers to make additional purchases. For example, a business might suggest adding lightbulbs to the shopping cart if a customer is buying a lamp. Or a subscription company might offer a discount if the customer pays annually instead of monthly.

If you use upsell or cross-sell tactics, there are some regulations to be mindful of. The biggest compliance concern is that these additional purchases must be a choice for customers — not a requirement. You can’t automate acceptance with pre-checked boxes. Customers must opt into — not out of — offers.
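To make the checkout requirements above concrete, here is an added JavaScript example (not Midigator's code) showing how a server might validate a submitted order against them: explicit refund-policy acceptance, separate acceptance of complete recurring terms, and upsell items that must be opted into rather than defaulted. The field names (refundPolicyAccepted, termsShown, optedIn, etc.) are assumptions for illustration, not any real checkout API.

```javascript
// Server-side checkout validation (added example, not Midigator's code).
// Field names below are assumed for illustration only.

function validateCheckout(order) {
  const errors = [];

  // Refund/return policy: acceptance must be an explicit boolean true.
  // Anything else (undefined, "on", 1) could come from a pre-checked
  // default or a tampered form post, so it is not treated as consent.
  if (order.refundPolicyAccepted !== true) {
    errors.push("refund policy not explicitly accepted");
  }

  // Recurring transactions need their own, separate acceptance of terms
  // that state the amount, the timing, and how to cancel.
  const sub = order.subscription;
  if (sub) {
    const t = sub.termsShown || {};
    if (!(t.amount > 0) || !t.interval || !t.cancelInstructions) {
      errors.push("recurring terms incomplete (amount, interval, cancel)");
    }
    if (sub.termsAccepted !== true) {
      errors.push("recurring terms not separately accepted");
    }
  }

  // Upsell / cross-sell items must be opted INTO. Rather than charging
  // for an item the customer never chose, drop it from the order.
  const all = order.items || [];
  const items = all.filter((i) => !i.upsell || i.optedIn === true);

  return { ok: errors.length === 0, errors, items,
           droppedUpsells: all.length - items.length };
}

// Constructed sample orders (not real data).
const goodOrder = {
  refundPolicyAccepted: true,
  subscription: {
    termsShown: { amount: 9.99, interval: "monthly",
                  cancelInstructions: "Cancel any time in account settings" },
    termsAccepted: true },
  items: [{ sku: "lamp", upsell: false },
          { sku: "bulbs", upsell: true, optedIn: true }],
};
const badOrder = {
  refundPolicyAccepted: "on",              // raw checkbox value, not consent
  subscription: { termsShown: { amount: 9.99 }, termsAccepted: false },
  items: [{ sku: "lamp", upsell: false }, { sku: "bulbs", upsell: true }],
};
```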

Have your processor review your website.

A website review is usually part of a processor’s underwriting workflow. If your website undergoes any noteworthy changes after the initial review, reach out to your processor for another check.

A professional analysis of your site conducted by your payment processor should reveal any unintentional mistakes and compliance issues. Ongoing monitoring will help resolve problems before they become liabilities.

Staying Compliant and Confident

Compliance is one of the most important aspects of running a business. When you violate compliance regulations, you put your business at risk for penalties, fines, and even business closure.

If you ever have doubts about what you should or shouldn’t be doing, take the time to clarify your uncertainties. Check official rule publications or ask a professional.

Midigator’s team of experts has accumulated valuable insights over the past decade. We are happy to lend our expertise to ensure you make smart decisions for your business. And if you have questions we can’t answer with complete confidence, we can put you in touch with the right people.


©2023, Equifax Inc., All rights reserved. Equifax and the Equifax marks used herein are trademarks of Equifax Inc. Midigator is a trademark of Equifax Inc. Other product and company names mentioned herein are the property of their respective owners.