You’ll hear a lot of terms thrown around when it comes to payments compliance, but it might take a while to keep them all straight. Here are some common security standards and organizations you should know about if you’re processing payments:

• PCI-DSS (Payment Card Industry Data Security Standard)

• KYC (Know Your Customer)

• 3D Secure authentication

• GDPR (General Data Protection Regulation)

• CCPA (California Consumer Privacy Act)

• SOC

All of these standards are necessary for any business that wants to process payments, which is why it can feel like an intimidating business move. Often, compliance is managed by the ISO or PayFac that a company is working with, so that these can be met without all the heavy lifting.

When merchants are onboarded they need to go through a battery of compliance checks in order to reduce the risk of fraud.

The Payment Facilitator model offers additional control over both merchants and settlement, since the Payment Facilitator, as opposed to the acquiring bank, contracts directly with the sub-merchant. However, since the Payment Facilitator has a direct relationship with the sub-merchant, the Payment Facilitator takes on all risks (on behalf of the acquiring bank) and is liable for merchant chargebacks, data breaches, fraud, misappropriated funds distribution, etc.

If you’re not ready to become a payment facilitator, but want more control over the payments experience than you have with an ISO, you can take advantage of a payment facilitation partner that manages all the compliance requirements for you.

When you use a payment facilitation partner, your platform becomes the merchant, and your merchants are referred to as sub-merchants. Those sub-merchants still need to go through compliance checks, but the work on their end is simplified, along with what you, as the platform, are required to do.

Merchants with excessive chargeback rates are considered high risk for both acquirers and their processors. From a compliance standpoint, high chargeback rates are a clear indicator that the merchant may not be aligned with PCI-DSS standards or worse yet, may be engaged in some form of insider fraudulent activity.