written by Alessio Sciarra
Merchant processing constitutes the acceptance, processing, and settlement of payment transactions for merchants.[1] It involves gathering sales information from the merchant, obtaining authorization for the transaction, collecting funds from the issuing bank, reimbursing the merchant, and charge-back processing.[2]
These days, the overwhelming majority of merchant transactions come from credit card purchases at merchant locations. Such transactions involve four parties: a consumer (cardholder), the consumer’s bank (the issuer), the merchant, and the merchant’s bank (the acquirer). On top of these four essential parties, the card network has rules and obligations of its own.[3]
The process has several steps:
Federal regulations
The most significant legislation regulating the credit card industry is the Credit Card Accountability Responsibility and Disclosure Act of 2009 (“Credit CARD Act”), a federal statute.
The Credit CARD Act was signed into law in May 2009, and it amended the Truth in Lending Act of 1968 (“TILA”) that used to constitute the main federal law regulating the credit card marketplace.
The principal aim of the Credit CARD Act is to protect consumers against unfair practices by the credit card industry. Specifically, the Act’s consumer protections mostly concern unfair fees, interest rates and disclosures.
As to interest rates, the Credit CARD Act ended practices such as unreasonable penalty charges, raising interest rates at will, and so-called double-cycle billing, a method of computing interest charges on balances from the two most recent billing cycles rather than the current one alone.[5] Regarding disclosures, the Credit CARD Act, in order to increase transparency, requires creditors to give written advance notice of significant changes to credit card terms.[6] The CARD Act also requires that certain disclosures, including warnings about late fees, appear on monthly billing statements.[7]
Other federal laws applicable to credit cards include the Equal Credit Opportunity Act (ECOA), the Fair Credit Reporting Act (FCRA), and the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”).
The Credit CARD Act also amended the Fair Credit Reporting Act, another federal statute designed to enhance consumer protection.[11] The FCRA regulates the gathering and reporting of a consumer’s personal information for credit, insurance, and other purposes. Every entity involved in processing credit cards must comply with the FCRA’s standards respecting consumers’ right to privacy.[12]
Other authorities
Beyond federal statutes, the Payment Card Industry Data Security Standard (PCI DSS) sets out requirements for protecting account data. PCI DSS is not a law: it binds merchants and service providers contractually, through the agreements they hold with the card brands and their acquirers. The standard is maintained by the PCI Security Standards Council (PCI SSC), formed in 2006 by five card brands: American Express, Discover, JCB International, Mastercard and Visa. The founding brands share equally in the Council’s ownership, governance, and execution of its work.
By creating a common set of security standards for the protection of cardholder data, PCI DSS aims to enhance cardholder data security and to promote consistent adoption of data security measures.[13] PCI DSS applies to all entities involved in payment card processing, regardless of size or number of transactions, including merchants, processors, acquirers, issuers, and service providers that store, process or transmit cardholder data.[14] Although the standard applies to all such entities, the card brands assign merchants to one of four levels based on annual transaction volume, and the level determines how a merchant must validate compliance, for example by completing a self-assessment questionnaire or by undergoing an on-site assessment by a Qualified Security Assessor.[15]
PCI DSS v3.2.1 sets out 12 requirements, grouped under six goals, for building and maintaining a secure network and safeguarding cardholder data. They include, for example: installing and maintaining a firewall configuration to protect cardholder data; not using vendor-supplied defaults for system passwords and other security parameters; protecting stored cardholder data and restricting access to it on a need-to-know basis; tracking and monitoring all access to network resources and cardholder data; and regularly testing security systems and processes.[16]
Non-compliance can result in fines and in restrictions on, or loss of, the ability to accept cards. The fines are not imposed by PCI DSS itself: the payment card brands impose them on the acquirer, which typically passes them on to the non-compliant merchant under the merchant agreement.[17] The standard is revised periodically, not on a fixed annual schedule, to reflect new technologies and threats; version 3.2.1, the version cited here, was retired on 31 March 2024 and superseded by version 4.0.
[1] FDIC – Division of Supervision and Consumer Protection March 2007.
[2] FDIC – Division of Supervision and Consumer Protection March 2007.
[3] Ryan McCarthy, V. the Durbin Amendment: Summary, Impact, and Reform, 37 Rev. Banking & Fin. L. 68, 69 (2017).
[4] Ryan McCarthy, V. the Durbin Amendment: Summary, Impact, and Reform, 37 Rev. Banking & Fin. L. 68, 69 (2017).
[5] Credit CARD Act of 2009: Implementation Guidelines by Stanton Koppel, Nicole Ibbotson and Helen Lee.
[6] Credit CARD Act of 2009: Implementation Guidelines by Stanton Koppel, Nicole Ibbotson and Helen Lee.
[7] Consumer Financial Protection Bureau – Card Act Report October 1, 2013, A review of the impact of the CARD Act on the consumer credit card market.
[8] 12 C.F.R. § 1002.1.
[9] Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 929-Z, 124 Stat. 1376, 1871 (2010).
[10] Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 929-Z, 124 Stat. 1376, 1871 (2010).
[11] Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (FCRA), Pub. L. No. 91-508, 84 Stat. 1128 (1970).
[12] 15 U.S.C. § 1681(a).
[13] Payment Card Industry (PCI) Data Security Standard, v3.2.1.
[14] Payment Card Industry (PCI) Data Security Standard, v3.2.1.
[15] Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants, Royal Holloway Series 2010.
[16] Payment Card Industry (PCI) Data Security Standard, v3.2.1.
[17] Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants, Royal Holloway Series 2010.