The Rules and Regulations of Online Payments

Accepting online payments from your customers isn’t just about having a sleek and easy checkout process. Handling sensitive payment data means that businesses are subject to rules and regulations from various entities. In my role as Manager of Operations, I often help our clients navigate the assorted requirements that affect their online payments acceptance programs.

The following is a high-level overview of some key regulations that businesses should have on their radar when it comes to accepting electronic payments, including Nacha’s Operating Rules, the card networks’ best practices for card-not-present transactions, the Payment Card Industry Data Security Standard (PCI DSS), and an overview of FinCEN’s new CDD rule.

Nacha Operating Rules

Transactions made via the Automated Clearing House (ACH) are a popular way for customers to make insurance, utility, and mortgage payments. Businesses that accept ACH payments are subject to Nacha's Operating Rules, which provide clear guidelines that govern all transactions over the network. Here is some high-level information regarding ACH return thresholds, which are based on both volume and dollar amounts:

• There is a 15.0% threshold for all returns across the board
• The threshold for returns for administrative reasons (no account, unable to locate, etc.) is set at 3.0%
• There is a threshold of 0.5% for returns for unauthorized transactions

What happens if your business exceeds these thresholds? Nacha will initiate an inquiry into whether the Operating Rules have been violated, which may then determine any associated fines or penalties.

Alacriti works closely with its customers to monitor their returns and help them  lower these rates when they start approaching the thresholds. We recommend that all merchants who accept ACH payments perform a thorough review of Nacha’s Operating Rules and stay up to date on changes as they are published.

Card Networks

The major card networks – American Express, Discover, Mastercard, and Visa—have established guidelines for best practices when accepting card-not-present (CNP) payments. Here’s a brief overview of some key guidelines for accepting CNP payments from your customers.

• Collect the card number, cardholder name (as it appears on the card), the expiration date of the card, and cardholder’s mailing address where they receive the card’s statement
• Use tools such as Address Verification Service (AVS) and Card Verification Value (CVV) to further verify electronic transactions
• Use internal or third-party tools to help identify suspicious or fraudulent transactions
• Provide a record of the transaction via email that outlines order details, return policies, and customer support contact information

Failure to implement these best practices can lead to high levels of returns and chargebacks, resulting in fines and even expulsion from the card networks. We collaborate with our customers to ensure that they understand these best practices to help avoid excessive returns and chargebacks.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that store, process, or transmit cardholder data. It was developed to help keep customers and their sensitive payment data safe. While PCI DSS is overseen and managed by the Payment Card Industry Security Standards Council (PCI SSC), the council does NOT enforce PCI DSS. Instead, the card networks are responsible for making sure that the underlying merchants adhere to PCI DSS. Failure to do so could result in fines and possible cancellation of merchant accounts via the associated merchant’s acquiring bank.

PCI DSS compliance requirements will vary from business to business. For more information on PCI DSS, please click here.

Know Your Customer (KYC)

KYC is an inclusive term used for the processes that businesses undertake to ensure that their customers are who they say they are. KYC is not just one initiative or discipline—it often encompasses different rules and regulations from industry bodies, government agencies, and internal controls. Businesses of all sizes are required to have controls in place that verify the identities of their underlying customers. In addition, U.S. financial institutions are subject to further mandatory KYC regulations.

One of the KYC requirements that affect U.S. financial institutions was rolled out by The Financial Crimes Enforcement Network (FinCEN) in 2018. FinCEN’s Customer Due Diligence Requirements for Financial Institutions (CDD) rule was introduced to improve financial transparency. This is in addition to existing Bank Secrecy Act (BSA) rules regarding Anti-Money Laundering, plus OFAC compliance and the USA PATRIOT Act.

The CDD rule is an amendment to the Bank Secrecy Act (BSA) that helps prevent criminals from misusing companies to disguise illegal activity and money laundering. U.S. banks are affected by the CDD rule because it heightens the requirements for customers’ due diligence. It added a requirement for covered financial institutions to, “Identify and verify the identity of the natural persons (known as beneficial owners) of legal entity customers who own, control, and profit from companies when those companies open accounts.”

The Bottom Line: Accepting online payments from your customers requires adherence to a variety of rules and regulations. Partnering with a seasoned electronic bill presentment and payment (EBPP) provider can help guide you through this process and keep your online payments program running smoothly.

Speaking of mandatory changes, SWIFT’s mandatory adoption of the ISO 20022 standard for cross-border payments in November 2022 will impact financial institutions. Read more about ISO 20022 in ISO 20022: Why After Almost 2 Decades it’s More Important than Ever.

*This is an update on an original post published July 2018

Alacriti’s Orbipay EBPP is a customizable electronic billing and payments solution for businesses and financial institutions of all sizes. For more information, please contact us at info@alacriti.com.