Nearly every business is subject to payment laws and regulations. No matter your specialty or area of expertise, there is no way around this.
Associations like the Payment Card Industry Security Standards Council determine many of these rules and regulations. Although these requirements were adopted to ensure fair business practices and consumer protections, navigating them can lead to sifting through pages and pages of dense language and confusing jargon. The potential consequences of non-compliance only make adherence more stressful.
Key Takeaways:
- Any business hoping to accept and process card payments must comply with the PCI DSS, or Payment Card Industry Data Security Standard.
- Many businesses outsource their compliance-related issues to third-party providers.
- There are levels to PCI DSS compliance reporting, which are determined in part by the volume of transactions you process.
At Kurv, we understand that compliance is no walk in the park. It’s a complex process that requires time, attention, and care. So, we put together a readable, informative guide covering the laws and regulations that affect the majority of U.S. merchants.
The Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) [1] (PCI Security Standards Council, “PCI DSS v4.0”, accessed August 13th, 2025) is the most comprehensive regulatory framework businesses must comply with when processing card payments.
It was developed to safeguard credit card and cardholder data (CHD) and applies to any organization collecting, processing, storing, or transmitting this information.
The bottom line is this: you are subject to PCI compliance if you handle credit card payments. The framework itself is extensive—stipulating twelve requirements across six goals and myriad sub-requirements, testing procedures, guidance, and recurring reporting processes.
Although PCI DSS is an industry regulation rather than a legal requirement, the entity that oversees it—the PCI Security Standards Council (SSC)—comprises the major credit card companies like Mastercard and Visa. Compliance is mandatory to continue handling credit card payments through these brands.
The PCI DSS’s 12 Requirements
The six goals and twelve requirements of the PCI DSS’s overarching regulatory framework are:
Goal 1: Build a secure cardholder data environment
- Requirement 1 – Enforce network security controls.
- Requirement 2 – Securely configure all system components.
Goal 2: Protect account data
- Requirement 3 – Protect stored account data.
- Requirement 4 – Protect CHD with strong cryptography for any transmission over open, public networks.
Goal 3: Implement a vulnerability management program
- Requirement 5 – Implement cybersecurity defenses against malware.
- Requirement 6 – Develop and maintain secure systems and software.
Goal 4: Implement strong access control measures
- Requirement 7 – Restrict access to system components and CHD according to individuals’ roles and responsibilities.
- Requirement 8 – Implement identity and access management for all users and require authenticated access.
- Requirement 9 – Restrict physical access to cardholder data.
Goal 5: Perform regular network testing and monitoring
- Requirement 10 – Log and monitor all access to system components and CHD.
- Requirement 11 – Perform regular network security tests.
Goal 6: Implement an information security policy
- Requirement 12 – Develop, implement, and document comprehensive organizational policies and programs that govern and support the oversight and management of information security.
PCI DSS Versions 3.2.1 vs 4.0
Organizations handling credit card payments should note that version 4.0 of the PCI DSS was officially released in March 2022, superseding the previous version (v3.2.1). However, the SSC provides an eighteen-month transition period to adjust to the changes.
In addition to the v4.0 transition, future-dated requirements will not take effect until their specified date. Organizations will need to watch out for those deadlines to remain compliant.
PCI DSS Compliance Levels and Obligations
The volume of processed transactions generally determines the extent of your obligatory PCI DSS compliance reporting, which is split into four levels. Organizations in each level must follow the corresponding annual reporting requirements.
Card brands may define these levels differently, which can complicate PCI compliance. Per Visa [2] (Visa, “Account Information Security and PCI | Protect Cardholder Data”, accessed August 13th, 2025), the levels are differentiated as follows:
| Level 4 | Level 3 | Level 2 | Level 1 |
|---|---|---|---|
| Merchants processing under 20,000 Visa eCommerce transactions annually, and all others processing up to 1 million Visa transactions per year. | Merchants that process between 20,000 and 1 million Visa eCommerce transactions per year. | Merchants that process between one and six million Visa transactions per year across all channels (not just eCommerce). | Merchants that process more than six million transactions annually are considered global merchants, and a Visa region has identified them as Level 1. |
| Annual reporting obligation: | Annual reporting obligation: | Annual reporting obligation: | Annual reporting obligation: |
| Complete a Self-Assessment Questionnaire (SAQ). | Complete an SAQ and file an Attestation of Compliance (AOC) via a third-party Qualified Security Assessor (QSA) approved by the PCI SSC. | Complete an SAQ and file an AOC. | File a Report on Compliance (ROC)—which is completed by a QSA during an on-site assessment—and an AOC. |
The forms you or a QSA must complete and file are all available in the PCI SSC’s document library [3] (PCI Security Standards Council, “Document Library”, accessed August 13th, 2025). Organizations subject to the PCI DSS must also undergo quarterly vulnerability scanning assessments by an Approved Scanning Vendor (ASV).
Third-Party PCI DSS Compliance
If this is the first time you’ve encountered the PCI DSS, you shouldn’t necessarily worry about your organization’s non-compliance.
The overwhelming majority of businesses that accept credit cards don’t have the capacity or resources to manage the framework’s implementation and ongoing reporting requirements. Instead, most businesses can outsource the bulk of their PCI compliance obligations to third-party service providers (TPSPs).
However, it’s important to note that partnering with a PCI DSS-compliant TPSP does not absolve organizations of liability or adherence requirements. This holds true regardless of which activities are outsourced (e.g., POS systems, eCommerce payment gateways). Merchants must maintain a secure cardholder data environment (CDE) according to the twelve aforementioned requirements.
As a result, you’ll want to determine your remaining share of compliance obligations after partnering with a TPSP—and thoroughly assess all third-party vendors’ and service providers’ PCI DSS and PA-DSS compliance records.
The Payment Application Data Security Standard
Alongside the compliance behemoth that is the PCI DSS, the SSC also oversees the Payment Application Data Security Standard (PA-DSS) [4] (PCI Security Standards Council, “Payment Card Industry (PCI) Payment Application Data Security Standard”, accessed August 13th, 2025), which applies specifically to vendors of payment application software. This framework contains fourteen requirements and an implementation guide.
Given the much narrower range of organizations subject to the PA-DSS, most businesses need not concern themselves with the framework’s specific stipulations. However, for the third-party PCI DSS compliance reasons stated above, you should always confirm whether your partner vendors and service providers subject to the PA-DSS have and maintain their compliance.
Other Payment Processing Laws
Aside from the PCI SSC’s primary two frameworks, merchants are also directly and tangentially subject to a few more laws and regulations. However, these generally do not have nearly as substantial an effect on operations as the PCI DSS and PA-DSS.
Merchants must also be aware of:
26 U.S. Code § 6050W from the IRS
Section 6050W [5] (Cornell Law School, Legal Information Institute, “26 U.S. Code § 6050W – Returns relating to payments made in settlements of payment card and third party network transactions”, accessed August 13th, 2025) requires merchants to report their annual gross transactions to their merchant service providers. This applies to credit, debit, and co-branded cards. Following this, these transactions will be reported to the IRS.
The Durbin Amendment
Section 1075 of 2010’s Dodd-Frank law, also known as the Durbin Amendment [6] (Authenticated U.S. Government Information, GPO, “Dodd-Frank Wall Street Reform and Consumer Protection Act”, accessed August 13th, 2025), halved debit card interchange fees (plus 5% of the purchase price). Despite efforts to alleviate merchant and consumer burden with lower interchange costs, the Durbin Amendment has increased transaction and other account fees [7] (UPenn Law, “The Impact of the Durbin Amendment on Banks, Merchants, and Consumers”, accessed August 13th, 2025).
Nacha Operating Rules
The National Automated Clearinghouse Association (NACHA) Operating Rules apply to eCommerce businesses that accept direct payments. Like the PCI DSS and PA-DSS, these rules generally pertain to cybersecurity controls implemented to protect customers’ information.
Examples of these operating rules include:
- Third-party sender roles and responsibilities.
- Standardized micro-entry practices and formatting.
- ACH Security Framework data protection requirements and supplemental requirements.
Staying up-to-date on these laws, regulations, and PCI standards will help you avoid penalties for non-compliance.
What’s Next?
Reducing your compliance burden depends on partnering with the right payment processors and other third-party partners. With the right assistance, anything is possible.
At Kurv, we adhere to strict requirements and have developed our platforms to help ensure your compliance with the maximum platform functionality. Let us help you, and together, we’ll thrive.