WePay

Platform Payments 101

Your service connects buyers and sellers, and you want to learn more about payments. WePay's Platform Payments 101 is written to help you discover the realities of facilitating payments on your platform.

Chapter 3 Card Network Compliance

The Card Associations (e.g. Visa, MasterCard, American Express, and Discover) publish and regularly update their operating regulations and card-acceptance policies and procedures. American Express, for example, updates its two-hundred-page Merchant Regulations at least twice a year. All merchants are required to follow these rules in order to accept card payments.

Not only must payment facilitators adhere to the operating regulations, they must force their users to adhere as well. This section outlines a few of the most salient issues that payment facilitators face.

Payment Aggregation

Some platforms, particularly online marketplaces, charge customers on behalf of individual merchants. Amazon, for example, only charges a customer once upon checkout, even though funds are often routed to a diverse group of small sellers. In this scenario, the platform (not the merchant providing the good or service) is the merchant of record. These platforms are considered aggregators.

Aggregation introduces additional risk because the payment facilitator is responsible for accepting and disbursing payments to third parties, even though it has little control over the quality or delivery of the goods or services these third parties provide.

Aggregators are required to register with the Card Associations, who generally discourage aggregation given the inherent risk of the model. Failure to register is tantamount to “factoring” (the expressly prohibited practice of processing payments for a purpose other than that for which the business was approved). Platforms caught factoring face serious penalties, including the termination of their merchant account, and/or hefty fines.

Registering as an aggregator requires sponsorship from an acquirer. Acquirers are the banks or financial institutions that accept card payments on behalf of merchants. Not surprisingly, most acquirers are unwilling to underwrite aggregators, given the additional regulatory and financial risk associated with them. Acquirers willing to underwrite these businesses establish approval processes significantly more rigorous than those for less risky business models.

Once approved, aggregators face additional regulations and requirements from the Card Associations. These rules dictate:

  • The types of merchants for whom they may process payments.
  • The agreement they must execute with each merchant.
  • The information they must collect and the checks they must perform for each merchant.
  • The merchant information and processing data they must report to the Card Associations.
  • The policies and procedures they must develop and submit to the Card Associations for approval.
  • The information they must disclose to cardholders and merchants.
  • The customer service they (or their sub-merchants) must provide.
  • The operating regulations they must enforce.

These additional rules protect the Card Associations from irresponsible aggregators damaging the card network brands.

Payment Card Industry Data Security Standards

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information adequately protect cardholder data. The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (PCI SSC), a non-governmental regulatory body established by the Card Associations.

While all merchants must be PCI DSS compliant, payment facilitators undergo additional scrutiny. Any platform that stores, processes, or transmits cardholder data for any third party must register with the Card Associations as a Level 1 PCI DSS-Compliant Service Provider, which requires an annual independent security audit and regular network vulnerability scans by an Approved Scanning Vendor (ASV), amongst other equally stringent requirements.

Payment facilitators must also ensure the compliance of individual merchants operating on their platforms. These merchants are not exempt from PCI compliance, even if their payments are administered by a payment facilitator, although using a payment facilitator may reduce their exposure to cardholder data and thus the effort required to validate compliance.

Failure to comply with the PCI DSS may result in fines, higher transaction fees, and/or termination of the relationship between the Card Associations and the delinquent payment facilitator or merchant. Furthermore, platforms that suspect or confirm the unauthorized access, use, theft, or misappropriation of cardholder information incur additional obligations, including the responsibility to notify the relevant authorities and to conduct a thorough forensic investigation, potentially by a reputable third-party forensic investigator. The vast majority of individual states have also passed laws that require companies to report data breaches to the affected parties.

Convenience Fees

The Card Associations have developed strict rules for how and when merchants can charge transaction fees, which are often an important source of revenue for platforms that facilitate payments between merchants and their customers.

The Card Associations prohibit merchants from prioritizing one payment method over another or applying “surcharges” that dissuade cardholders from using a payment card. They do, however, permit merchants and payment facilitators to charge convenience fees for the privilege of paying for a product or service using an alternative payment channel.

Unfortunately, the policies that determine what constitutes a compliant “convenience fee” vary by Card Association (and also by applicable state laws). According to Visa, certain criteria must be met in order for a merchant to charge a convenience fee. For example, the fee must be disclosed prior to payment, presented as a flat fee (i.e. not a percentage of the sale), and applied to all means of payment accepted in that channel.

Brand Rules

The Card Associations establish rules, which payment facilitators must enforce, that restrict merchants from engaging in activities that harm or degrade the card network brands.

Determining whether a merchant has followed the official guidelines for displaying an Association logo is fairly straightforward, but ensuring that merchants do not engage in illegal activity; fraudulent, deceptive, or unfair business practices; or the sale of goods or services prohibited by the Associations (e.g. adult digital content, loans, or gambling services) can be quite difficult.

Payment facilitators must also ensure that individual merchants establish policies (returns, refunds, customer service, disclosures, etc.) in accordance with the operating regulations and that they convey these policies to cardholders.