Posted by Tiffany Taylor and Anne Draves on 29 Apr 2021
Accepting online payments from your customers isn’t just about having a sleek and easy checkout process. Handling sensitive payment data means that businesses are subject to rules and regulations from various entities. In my role as Manager of Operations, I often help our clients navigate the assorted requirements that affect their online payments acceptance programs.
The following is a high-level overview of some key regulations that businesses should have on their radar when it comes to accepting electronic payments, including Nacha’s Operating Rules, the card networks’ best practices for card-not-present transactions, the Payment Card Industry Data Security Standard (PCI DSS), and an overview of FinCEN’s new CDD rule.
Nacha Operating Rules
Transactions made via the Automated Clearing House (ACH) network are a popular way for customers to make insurance, utility, and mortgage payments. Businesses that originate ACH debits are subject to Nacha's Operating Rules, which govern every transaction over the network. Among other things, the Rules set return rate thresholds for an Originator's debit entries. The rates are measured by count, as a share of the debit entries originated over the preceding 60 days, not by dollar amount: an Unauthorized Entry Return Rate Threshold of 0.5%, an Administrative Return Rate Level of 3% (returns caused by account problems such as closed, invalid, or not-found accounts), and an Overall Return Rate Level of 15% (all returns, whatever the reason).
What happens if your business exceeds these thresholds? Nacha may open an inquiry, routed through your originating bank (the ODFI), into whether the Operating Rules have been violated. The outcome of that inquiry determines any fines or penalties, and you will be expected to bring the rate back under the threshold.
Alacriti works closely with its customers to monitor their returns and help them lower these rates when they start approaching the thresholds. We recommend that all merchants who accept ACH payments perform a thorough review of Nacha’s Operating Rules and stay up to date on changes as they are published.
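The return rate monitoring described above, as an added example that is not code from the original post or from Alacriti: the Python below computes the three Nacha return rates over a 60-day window from a list of debit entries and flags any rate that exceeds its threshold. The threshold values and the mapping of return reason codes to the unauthorized and administrative categories reflect my reading of the Nacha Rules and should be verified against the current rule book; the entries themselves are constructed sample data, not real transactions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Nacha return rate thresholds for ACH debit entries, measured over the
# preceding 60 days as a fraction of entries originated. These values and
# the code mapping below are my reading of the Nacha Rules (assumption);
# verify them against the current rule book before relying on them.
WINDOW_DAYS = 60
THRESHOLDS = {
    "unauthorized": 0.005,    # Unauthorized Entry Return Rate Threshold, 0.5%
    "administrative": 0.03,   # Administrative Return Rate Level, 3%
    "overall": 0.15,          # Overall Return Rate Level, 15%
}
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R11", "R29", "R51"}
ADMINISTRATIVE_CODES = {"R02", "R03", "R04"}


@dataclass(frozen=True)
class DebitEntry:
    settlement_date: date
    return_code: Optional[str] = None  # None means the entry was not returned


def return_rates(entries, as_of):
    """Compute the three Nacha rates for the 60-day window ending at as_of."""
    start = as_of - timedelta(days=WINDOW_DAYS)
    window = [e for e in entries if start < e.settlement_date <= as_of]
    originated = len(window)
    counts = Counter(e.return_code for e in window if e.return_code)
    unauthorized = sum(n for code, n in counts.items() if code in UNAUTHORIZED_CODES)
    administrative = sum(n for code, n in counts.items() if code in ADMINISTRATIVE_CODES)
    overall = sum(counts.values())

    def rate(returned):
        return returned / originated if originated else 0.0

    return {
        "originated": originated,
        "unauthorized": rate(unauthorized),
        "administrative": rate(administrative),
        "overall": rate(overall),
    }


def threshold_breaches(rates):
    """Names of the rates that exceed their Nacha threshold, in a fixed order."""
    return [name for name, limit in THRESHOLDS.items() if rates[name] > limit]


def sample_entries(as_of):
    """Constructed sample data, not real transaction records: 1,000 debit
    entries inside the window plus 100 older unauthorized returns that the
    60-day window must exclude."""
    entries = []
    recent = as_of - timedelta(days=10)
    for i in range(1000):
        if i < 8:
            code = "R10"   # customer advises not authorized -> unauthorized
        elif i < 28:
            code = "R03"   # no account / unable to locate -> administrative
        elif i < 33:
            code = "R01"   # insufficient funds -> counts toward overall only
        else:
            code = None
        entries.append(DebitEntry(recent, code))
    stale = as_of - timedelta(days=70)
    entries.extend(DebitEntry(stale, "R10") for _ in range(100))
    return entries


def check_sample(as_of=date(2021, 4, 29)):
    """Run the rate calculation on the constructed sample and report breaches."""
    rates = return_rates(sample_entries(as_of), as_of)
    return rates, threshold_breaches(rates)


if __name__ == "__main__":
    rates, breaches = check_sample()
    for name in ("unauthorized", "administrative", "overall"):
        print(f"{name:15s} {rates[name]:.2%} (limit {THRESHOLDS[name]:.1%})")
    print("breaches:", breaches or "none")
```

On the sample, 8 unauthorized returns out of 1,000 entries is 0.8%, above the 0.5% threshold, while the administrative rate (2.0%) and overall rate (3.3%) stay under their levels; the 100 stale R10 returns fall outside the window and are ignored, which is why the window filter matters. In production you would feed this from your return file processing and alert well before the threshold, since Nacha measures the rate against entries already originated and a spike cannot be diluted after the fact.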
Card-Not-Present Best Practices
The major card networks (American Express, Discover, Mastercard, and Visa) have each published guidelines for accepting card-not-present (CNP) payments, where the merchant never sees the physical card and fraud risk is correspondingly higher. Common elements across the networks include Address Verification Service (AVS) checks, verification of the card security code (CVV2, CVC2, or CID), 3-D Secure cardholder authentication for e-commerce, and velocity and fraud screening before an authorization is submitted.
Failure to implement these best practices can lead to high levels of returns and chargebacks, resulting in fines and even expulsion from the card networks. We collaborate with our customers to ensure that they understand these best practices to help avoid excessive returns and chargebacks.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that store, process, or transmit cardholder data. It was developed to help keep customers and their sensitive payment data safe. While PCI DSS is overseen and managed by the Payment Card Industry Security Standards Council (PCI SSC), the council does NOT enforce PCI DSS. Instead, the card networks are responsible for making sure that the underlying merchants adhere to PCI DSS. Failure to do so could result in fines and possible cancellation of merchant accounts via the associated merchant’s acquiring bank.
PCI DSS validation requirements vary by merchant level, which the card networks assign by annual transaction volume, and by how cardholder data is handled. A merchant that hands card entry off to a hosted payment page can typically validate with a short Self-Assessment Questionnaire, while one that stores or processes card data on its own systems faces a much larger scope, up to an annual on-site assessment by a Qualified Security Assessor. The standard itself and its supporting documents are published by the PCI SSC.
Know Your Customer (KYC)
KYC is an umbrella term for the processes that businesses use to confirm that their customers are who they say they are. KYC is not one initiative or discipline; it encompasses rules and regulations from industry bodies and government agencies as well as a business's own internal controls. Depending on industry and jurisdiction, businesses of all sizes are expected to have controls in place that verify the identities of their customers, and U.S. financial institutions are subject to further mandatory KYC regulations.
One of the KYC requirements that affect U.S. financial institutions is the Financial Crimes Enforcement Network's (FinCEN) Customer Due Diligence Requirements for Financial Institutions (the CDD rule), issued in 2016 with a compliance date of May 11, 2018, to improve financial transparency. It sits alongside the existing Bank Secrecy Act (BSA) anti-money laundering (AML) requirements, OFAC sanctions compliance, and the USA PATRIOT Act.
The CDD rule amends FinCEN's BSA regulations to make it harder for bad actors to hide illegal activity and money laundering behind companies. It heightens the due diligence U.S. banks must perform on their customers, adding a requirement for covered financial institutions to, “Identify and verify the identity of the natural persons (known as beneficial owners) of legal entity customers who own, control, and profit from companies when those companies open accounts.”
The Bottom Line: Accepting online payments from your customers requires adherence to a variety of rules and regulations. Partnering with a seasoned electronic bill presentment and payment (EBPP) provider can help guide you through this process and keep your online payments program running smoothly.
Speaking of rules, learn more about Nacha’s latest rule extensions in our blog.
*This is an update on an original post published July 2018
Alacriti’s Orbipay EBPP is a customizable electronic billing and payments solution for businesses and financial institutions of all sizes. For more information, please contact us at email@example.com.