Payment Processing Compliance: the Existing Standard Regulations and How to Meet Them Best

5 Main Payment Processing Compliance Regulations

While there are many laws and frameworks that may apply to payment processing applications depending on region and business model, the following five tend to have the broadest impact and relevance across payment providers.

1. Payment Card Data Security Standards (PCI DSS)

Payment Card Data Securities Standards date back to 2004. They came into being as an initiative by  5 major credit card issuers: Mastercard, Visa, JCB, Discover, and American Express. 

These standards are binding upon any business entities that collect, store, transmit, or process cardholder data, which stands for a broad range of business entities, including financial institutions, various merchants, brick-and-mortar retailers, online stores, payment processors, and payment facilitators. 

The data that is to be protected in accordance with the PCI DSS compliance requirements is associated with credit, debit, and cash cards and includes credit card numbers, security codes, and card expiration dates. 

In addition to precluding cardholder data from being used for fraudulent purposes, PCI DSS compliance is intended to protect payment processing companies against getting exposed to high-risk. It helps prevent data breaches, identity theft, and fraud during the processing and transmitting of card data. 

PCI DSS compliance indirectly supports anti-money laundering (AML) efforts. It enhances security by preventing fraud, identity theft, and unauthorized transactions, which are often exploited for money laundering.

The PCI DSS compliance standards are pillared upon 6 main principles:

1. Build and maintain a secure network and systems: any credit card transactions are to be handled in a secure network that uses robust but user-friendly firewalls. Any vendor-provided authentication data, like passwords and personal identification numbers are not to be used ongoingly.
2. Protect cardholder data: all sensitive payment card information, including the Primary Account Number (PAN), cardholder name, expiration date, and security codes (CVV/CVC), must be secured during both storage and transmission. Any storage of full PANs must be encrypted or tokenized, and security codes must never be stored after authorization.
3. Maintain a vulnerability management program: one must implement a vulnerability management program that protects the systems that hold cardholder data against hacking attempts (like, for example, those associated with the use of malware and spyware), as well as eradicate any vulnerabilities that malicious actors can potentially exploit to alter or steal cardholder data. The systems that hold cardholder data must also be free of bugs. These systems are to be updated and patched on a regular basis. 
4. Implement strong access control measures: access to the computer systems that hold cardholder data is to be restricted, while all the users of such systems are to be assigned a unique ID name or number that must be kept confidential at all times. It is prohibited to use vendor-supplied security parameters, including default passwords, under any circumstances. All system defaults must be changed before deployment to prevent unauthorized access. In addition to electronic safeguards, a compliant business must also protect cardholder data physically, particularly at Points-of-Sale and data storage locations. Businesses should implement access controls, secure storage solutions, and proper disposal methods, such as rendering data unreadable before disposal. While shredding may be used for printed records, PCI DSS compliance does not explicitly require it.
5. Regularly monitor and test networks: businesses that work with cardholder data are to monitor and test their networks to make sure that the means that ensure the security of the cardholder data they hold function optimally. For example, all the antimalware and antispyware programs that a business has installed must always be updated to their latest versions. 
6. Maintain an information security policy: it is necessary to introduce a detailed information security policy that explains the responsibilities of all the process actors involved.  

Based on the annual volume of transactions, the PCI DSS standards have 4 validation levels. 

If a business fails to comply with PCI DSS, the acquiring bank or card network may impose penalties, which can include fines, increased transaction fees, or even termination of payment processing privileges. For severe non-compliance, such penalties can reach millions of dollars. Besides, they can include recurrent monthly fines to be paid by the business entity in breach of the PCI DSS compliance requirements until this business entity becomes fully PCI DSS-compliant.         

Quite often, compliance with PCI DSS becomes part of companies’ contractual obligations. In one of our recent articles, we shared a PCI DSS compliance checklist. You are welcome to make sure your company meets the necessary requirements accurately. 

2. Know Your Customer (KYC) and Anti-Money Laundering (AML) Regulations 

AML and KYC compliance is crucial for businesses to prevent financial crimes, avoid legal penalties, and maintain trust with customers and financial institutions. Failing to adhere to AML and KYC can mean strict penalties or even business shutdowns imposed by such regulators as FINCEN (US), FCA (UK), and the EU AML Authority.

KYC

Implementing KYC standards in Finance is one of the key and most demanding processes banks and Fintechs must complete to achieve the required regulatory compliance.   

Often used in conjunction with one another, the terms KYC and AML do not mean exactly the same. In fact, KYC is an important and integral part of AML, and any AML activities start with the KYC procedure.

The KYC regulations outline and mandate the steps and procedures that are to be taken by banks and companies to verify customer identities, assess the legitimacy of their financial activities, and evaluate potential money laundering risks. These procedures help institutions determine the level of due diligence required and ensure compliance with AML regulations.

The KYC regulations consist of several components:   

1. Implementing a Customer Identification Program (CIP)

As part of KYC, the customer identification program is pivotal in assessing the risks posed by a customer. It focuses on reliably verifying the customer’s identity by cross-checking customer information against various trustworthy sources. In the US,  the CIP is part of the Patriot Act that is intended to counter not only money laundering, but also corruption and terrorism funding. 

The minimum requirement the CIP puts forward is to check the following details of the customer:

• Name 
• Date of Birth
• Address
• ID Number

The types of checks performed can include both document checks and checks against public and other databases. 

The CIP or procedure for businesses uses a list of parameters other than that used for individuals. Those may include identifying beneficial owners, verifying corporate structures, and assessing the legitimacy of business activities.

2. Performing Customer Due Diligence

In accordance with the risk a customer may pose regarding money laundering or fraud, there are three levels or types of due diligence performed as part of the CIP: 

• Simplified Due Diligence (SDD)
• Customer Due Diligence (CDD)
• Enhanced Due Diligence (EDD)

The due diligence process includes several steps, with varying levels of scrutiny depending on the risk category:

• Customer identification and verification (CIP).
• Beneficial owner identification and verification (for legal entities).
• Assessing the nature of the customer relationship and risk level (CDD and EDD).
• Ongoing monitoring of transactions to detect suspicious activity (part of AML compliance).

Let’s now look at the types of due diligence that make up the CIP in more detail:

• Simplified Due Diligence (SDD): the most simple type of due diligence that is applicable in those cases, when the risks a customer poses are considered to be low. Correspondingly, while having all the basic features of the standard customer due diligence, SDD has a lower verification threshold. Because of  this, while performing SDD, business organizations are entitled to adjust such parameters as the quantity of the information used for verification purposes, the types of such information, the frequency of transaction monitoring, and others.
• Customer Due Diligence (CDD): the baseline or standard due diligence procedure that financial institutions and other relevant business organizations are obliged to complete. This involves collecting personal or business information, verifying the data, and screening customers against sanctions lists, watchlists, and financial crime databases.
• Extended Due Diligence (EDD): the type of due diligence that is applied in the case of high-risk customers. To achieve a more thorough and comprehensive customer verification for risky customers, EDD can include various additional checks, like, for example, checks against sanction lists and watchlists, real-time asset tracking, and adverse media screening.  

3. Ongoing Monitoring 

Ongoing monitoring aims to detect signs of customers’ suspicious financial activity. Financial institutions track transaction patterns, cross-border payments, account balances, and external factors (such as adverse media) to flag potential money laundering or fraud.

Examples of the signs of unusual or suspicious activity that financial institutions can be on the lookout for during ongoing monitoring include tangible spikes in customer activities, untypical cross-border transactions, and newly appeared adverse media mentions. 

The set of the control parameter values for ongoing monitoring is determined in accordance with the customer’s risk profile. 

AML 

Anti-Money Laundering (AML) is a set of laws, regulations, and procedures, intended to prevent criminals from disguising illegally obtained funds as legitimate. In the financial services industry, all market players are obliged to stringently uphold all the existing AML regulations. 

The backbone of AML compliance is the AML program that  relevant businesses must introduce. This program must include:

• Designating an AML compliance officer responsible for overseeing regulatory procedures, ensuring adherence to AML laws, filing suspicious activity reports, and updating compliance policies as needed.
• Developing the internal compliance policies and actionable protocols that state how the various suspicious activities are to be responded to.
• Implementing an AML risk assessment framework that evaluates clients, business relationships, services, products, geographies, and other risk factors to detect potential money laundering threats.
• Training the company’s employees and personnel.
• Conducting an independent AML compliance review, audit, or regulatory examination to assess the effectiveness of AML policies and procedures.

Andrii Semitkin

Delivery Director

“It’s best to put compliance – the part and parcel of what’s required in the Fintech niche – high on your list of priorities yet well prior to the kick-off of your software development effort. There are too many important details to be taken into account and you should discuss them with your IT provider early enough in the project development cycle.”

3. PSD2

The Revised Payment Services Directive (PSD2) is a regulatory framework that is aimed to ensure the security of payments within the EU. For this purpose, the framework focuses on such aspects as consumer rights, access of third parties to consumers’ accounts, and the security of eCommerce.   

For example, with regards to consumer rights, PSD2 mandates that payment service providers establish effective complaint-handling procedures for consumers and requires EU Member States to designate authorities responsible for addressing complaints regarding potential PSD2 violations.

Security-wise, PSD2 requires consumers to perform strong customer authentication (SCA) for electronic payments, which involves at least two of the following: knowledge (e.g., password or PIN), possession (e.g., mobile device or token), and inherence (e.g., fingerprint or facial recognition). SCA is required during payment transactions, not just at login. Third-party providers (TPPs), such as payment processors and account information service providers, can access customer account data only with the account holder’s consent, using secure APIs provided by banks. These TPPs must be licensed and use PSD2-compliant certificates for authentication. 

When it comes to travel, ticketing, and food delivery transactions, PSD2 prohibits merchants from imposing surcharges on consumer debit and credit card payments. However, the ban applies specifically to card payments regulated under PSD2 and does not cover all payment methods.

4. SOC2

The System and Organization Controls (SOC2) framework was introduced by the American Institute of Certified Public Accountants (AICPA) with a view to regulating the way technology and cloud providers handle customer data. 

To minimize risks and reduce the odds of data exposure, the framework provides a set of criteria, as well as some auditing practices that help ensure that both the internal controls of a company and the way they utilize their various compliant systems are up to par.

SOC2 focuses on the following 5 criteria:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

In evaluating the internal controls of a company, the SOC 2 framework uses two types of reports:

• SOC 2 Type 1: a snapshot of the target controls and the extent to which they correspond with the outlined criteria at a given point in time. The report considers the design of the controls the company has in place. 
• SOC2 Type 2: a snapshot of the target controls over a specified span of time. The minimum time period a SOC 2 Type 2 report can cover is typically 3 months, though many organizations opt for a period between 6 to 12 months.

5. OFAC, FinCEN, and FATF

In comparison to compliance payment industry regulations mentioned above, that focus on data security, payment regulations, and financial crime prevention at the business and consumer levels, OFAC, FinCEN, and FATF primarily focus on broader financial crime enforcement, sanctions compliance, and global AML policy development.

OFAC

The Office of Foreign Assets Control (OFAC) is a department within the US Department of the Treasury responsible for imposing economic and trade sanctions based on US foreign policy and national security goals. These sanctions can be levied against entities or regimes engaged in illegal activities. 

Non-compliance with OFAC can mean civil monetary penalties that can result in large civil fines, regulatory enforcement actions, such as cease-and-desist orders and loss of charter or licenses, or even criminal penalties leading to fines and potential imprisonment for individuals responsible.

Financial institutions and companies are expected to implement robust systems that continuously screen their customer base and transactions against OFAC violations. In practice, this entails several key components:

• Regular Updates
• Risk-Based Analysis
• Clear Escalation Procedures
• Clear Recordkeeping
• Employee Training

OFAC regulations often operate under a “strict liability” framework. This means that an organization can be held liable even if a violation was unintentional.

FinCEN

When it comes to collecting and analyzing information on potential money laundering, terrorist financing, and other financial crimes, the Financial Crimes Enforcement Network (FinCEN) comes into play. Just like OFAC, it is a bureau within the U.S. Department of the Treasury. FinCEN implements and enforces compliance with the Bank Secrecy Act (BSA), which sets recordkeeping and reporting requirements for financial institutions.

Suspicious activity reports (SARs) and currency transaction reports (CTRs) are foundational elements in FinCEN’s regulatory framework with crucial functions:

• SARs must be filed for any transaction that suggests money laundering, terrorist financing, or other suspicious behavior.
• CTRs must be submitted for cash transactions over a certain threshold (generally $10,000).

Failure to follow FinCEN regulations can result in large civil fines (in case of not filing SARs or CTRs properly), cease-and-desist orders, loss of charter or licenses, and enhanced regulatory scrutiny (for businesses), or imprisonment (for individuals in charge of a non-compliant business).

FATF

In the case of setting international standards and monitoring global compliance, the Financial Action Task Force (FATF) plays an important role. This intergovernmental organization was created to combat money laundering, terrorist financing, and other financial threats in the international financial system. The FATF recommendations consist of 40 guidelines, including the following:

• Criminalizing money laundering and terrorist financing.
• Implementing a risk-based approach.
• Ensuring thorough customer due diligence and identifying beneficial ownership.
• Reporting suspicious transactions and record-keeping.
• Encouraging international cooperation.
• Regulating financial institutions and certain businesses.
• Ensuring transparency on legal ownership structures.
• Empowering supervisory authorities with proper measures.
• Protecting customer confidentiality.

When companies neglect FATF regulations, the organization does not directly impose fines or legal penalties. Instead, it can “gray-list” or “blacklist” jurisdictions that have significant deficiencies in their AML/CFT regimes. This, in turn, can create significant economic repercussions.