Payments Compliance: Key Regulations and Best Practices
Every business that moves money has a compliance problem. Card transactions, e-commerce checkouts, crypto payments — it doesn't matter which channel. The rules apply, the penalties are real, and ignoring them rarely ends quietly.
What makes payments compliance hard isn't knowing it exists. It's understanding which regulations apply to your specific business, how they interact with each other, and what you actually need to do. That's what this guide covers.
What Is Payments Compliance and Why It Matters
Ask five different payment operators what "payments compliance" means and you'll probably get five different answers. In practice, it covers the full set of rules governing how businesses collect, store, transmit, and process payment data. Those rules exist because when payment systems go wrong — through fraud, money laundering, or data exposure — the damage spreads fast and widely.
The businesses subject to these obligations include basically everyone handling money digitally. Online retailers. SaaS platforms. Marketplaces. Fintech companies. Crypto merchants. The rules don't have a size exemption. A ten-person startup faces the same core requirements as a large enterprise.
Numbers that put the stakes in perspective: payment fraud and e-commerce losses are projected at $343 billion between 2023 and 2027. Verizon's 2023 Payment Security Report found 64% of companies still fall short of full PCI DSS compliance. And a single data breach can kick off lawsuits, forced audits, and card network sanctions that take years to resolve.
Staying compliant keeps payment network access open. Losing it — through a violation or a breach — can close that door for good.

Who Regulates Payment Compliance Globally
No single authority runs payments compliance worldwide. A patchwork of bodies sets standards and enforces rules across jurisdictions, and most businesses end up answering to more than one.
| Regulator | Jurisdiction | Scope |
|---|---|---|
| PCI SSC (Payment Card Industry Security Standards Council) | Global | Sets PCI DSS — the baseline data security standard for card payments |
| FATF (Financial Action Task Force) | Global (40+ member countries) | Sets AML and counter-terrorism financing standards |
| EBA / ECB | European Union | Enforces PSD2, licenses payment service providers |
| FinCEN (Financial Crimes Enforcement Network) | United States | AML enforcement, Bank Secrecy Act, crypto guidance |
| FTC (Federal Trade Commission) | United States | Consumer data protection, unfair payment practices |
| ICO / Data Protection Authorities | EU and UK | GDPR enforcement |
| Central banks | Each country | License and supervise payment service providers locally |
An EU-based merchant accepting US cards from international customers, for instance, deals with PCI DSS, GDPR, and potentially FinCEN guidance all at once. Managing that overlap is the day-to-day reality of payment compliance for any business that operates across borders.
Key Payment Compliance Regulations Explained
Five regulations define the bulk of what most businesses must do. Each targets a different risk area and carries its own penalty structure.
- PCI DSS — The Payment Card Industry Data Security Standard applies to any entity that stores, processes, or transmits cardholder data. It lays out 12 technical and operational requirements. Non-compliance fines run $5,000–$100,000 per month depending on violation severity.
- PSD2 — The EU's Payment Services Directive 2 governs payment service providers across the European Economic Area. The headline requirement is Strong Customer Authentication (SCA) for electronic transactions. Fines can reach €5 million or 3% of global annual revenue.
- AML/KYC — Anti-money laundering regulations require businesses to verify customer identities (Know Your Customer), monitor transactions for suspicious activity, and file Suspicious Activity Reports. These rules come from national laws built on FATF recommendations.
- GDPR / CCPA — The EU's General Data Protection Regulation and California's Consumer Privacy Act set the rules for data privacy in payments, governing how personal data and payment information are collected, stored, and processed. GDPR fines top out at €20 million or 4% of global annual turnover. Meta's €405 million fine in 2022 confirmed that regulators will enforce at scale.
- BSA / FinCEN rules — The US Bank Secrecy Act requires financial institutions and money services businesses to maintain AML programs, report cash transactions above $10,000, and file SARs. FinCEN has extended these obligations to crypto businesses operating in the US.
PCI DSS 4.0: The Foundation of Payment Data Security
Most online businesses hit PCI DSS before any other regulation. Version 4.0 was finalized in 2022 and fully enforced from April 2025, bringing meaningful changes that merchants and payment providers need to know.
Compliance level depends on annual card transaction volume:
- Level 1: Over 6 million transactions/year — annual on-site audit by a Qualified Security Assessor (QSA)
- Level 2: 1–6 million transactions/year — annual Self-Assessment Questionnaire (SAQ) plus quarterly network scans
- Level 3: 20,000–1 million e-commerce transactions/year — SAQ plus quarterly scans
- Level 4: Under 20,000 e-commerce transactions/year — SAQ recommended
What changed in 4.0 versus version 3.2.1:
- Customized approach: companies can now implement alternative controls that meet the intent of a requirement, rather than following prescriptive technical specs to the letter
- Mandatory MFA: multi-factor authentication is now required for all access to the cardholder data environment, not just remote sessions
- Phishing and social engineering training: targeted awareness training is a formal requirement, not a recommendation
- Stronger passwords: minimum 12 characters (up from 8), with automatic rotation every 90 days for high-privilege accounts
The cost of ignoring PCI DSS is severe. When Heartland Payment Systems suffered a breach in 2008, total losses exceeded $200 million. The stock dropped 50% within days and lost 77% of its value before any recovery. Small businesses don't usually survive that.
AML and KYC: Detecting Financial Crime at Source
AML compliance means building systems that catch financial crime before it flows through your platform. KYC — the identity verification layer — is what makes that monitoring possible in the first place.
What AML compliance actually requires:
- Transaction monitoring: automated systems flagging unusual patterns — large transfers, rapid fund movements, structuring (breaking up transactions to stay under reporting thresholds)
- SAR filing: when suspicious activity surfaces, a Suspicious Activity Report must go to the relevant authority within specified timeframes
- Sanctions screening: every customer and counterparty checked against OFAC, UN, and EU sanctions lists in real time
- Customer due diligence (CDD): ongoing risk profile review, not just a one-time onboarding check
- Enhanced due diligence (EDD): deeper scrutiny for high-risk customers — politically exposed persons (PEPs) and anyone from a high-risk jurisdiction
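The structuring pattern listed above is one of the simpler transaction-monitoring rules to automate. The following is an added illustration, not code from this guide or from Plisio: it slides a time window over each customer's sub-threshold transactions and flags runs whose total crosses the reporting threshold. The $10,000 figure is the BSA threshold discussed later on this page; the 24-hour window, the three-transaction minimum and the sample ledger are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# $10,000 is the BSA cash-reporting threshold named on this page; the 24-hour window
# and three-transaction minimum are assumed tuning values a real program would calibrate.
REPORT_THRESHOLD = 10_000.00
WINDOW = timedelta(hours=24)
MIN_COUNT = 3

# Constructed sample ledger: (ISO timestamp, customer id, amount in USD).
SAMPLE_TXNS = [
    ("2024-05-01T09:05:00", "C-100", 9_500.00),
    ("2024-05-01T11:40:00", "C-100", 9_800.00),
    ("2024-05-01T16:10:00", "C-100", 9_700.00),   # three just-under deposits in one day
    ("2024-05-01T10:00:00", "C-200", 12_000.00),  # above threshold: reported, not structuring
    ("2024-05-01T10:30:00", "C-300", 9_900.00),
    ("2024-05-03T10:30:00", "C-300", 9_900.00),   # two days apart: outside the window
    ("2024-05-02T08:00:00", "C-400", 4_000.00),
    ("2024-05-02T08:10:00", "C-400", 3_500.00),
    ("2024-05-02T08:20:00", "C-400", 3_000.00),   # small amounts, but $10,500 in 20 minutes
]


def find_structuring(txns, threshold=REPORT_THRESHOLD, window=WINDOW, min_count=MIN_COUNT):
    """Return {customer: [(first_ts, last_ts, total, count), ...]} for runs of
    sub-threshold transactions that together exceed the reporting threshold."""
    by_customer = defaultdict(list)
    for ts, customer, amount in txns:
        if amount < threshold:  # only sub-threshold activity can be structuring
            by_customer[customer].append((datetime.fromisoformat(ts), amount))

    alerts = {}
    for customer, rows in by_customer.items():
        rows.sort()  # chronological order per customer
        i = 0
        while i < len(rows):
            j = i  # widen [i, j] as far as the window allows
            while j + 1 < len(rows) and rows[j + 1][0] - rows[i][0] <= window:
                j += 1
            chunk = rows[i:j + 1]
            total = sum(amount for _, amount in chunk)
            if len(chunk) >= min_count and total >= threshold:
                alerts.setdefault(customer, []).append(
                    (chunk[0][0].isoformat(), chunk[-1][0].isoformat(), round(total, 2), len(chunk)))
                i = j + 1  # do not raise a second alert on the same transactions
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for customer, hits in find_structuring(SAMPLE_TXNS).items():
        print(customer, hits)  # C-100 and C-400 are flagged; C-200 and C-300 are not
```

In production the alert would feed a review queue rather than an SAR directly; the analyst decides whether the pattern is reportable.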
KYC at onboarding typically means document verification (government ID, proof of address) plus a liveness check. eKYC solutions now handle this in seconds using AI; for any business onboarding at scale, this has become the standard.
The FATF Travel Rule adds a crypto-specific layer: virtual asset service providers must collect and transmit sender and recipient information on transfers above $1,000. The exact threshold varies slightly by jurisdiction, but the obligation applies whether the transfer is Bitcoin, stablecoins, or any other digital asset.
PSD2, SCA, and Open Banking Requirements
PSD2 reshaped authentication for payment service providers across the EU. Its core mandate, Strong Customer Authentication, is now the standard for any payment service operating in the European Economic Area.
SCA requires authentication using at least two of three independent factors:
- Something you know: password, PIN, security question
- Something you have: mobile phone, hardware token, smart card
- Something you are: fingerprint, face recognition, voice pattern
3D Secure 2.0 is the main technical standard for implementing SCA on card-not-present transactions. It passes risk signals between merchant, card network, and issuing bank — letting low-risk transactions through without friction.
SCA exemptions exist to reduce unnecessary friction:
| Exemption | Condition |
|---|---|
| Low-value transactions | Under €30 (up to 5 consecutive transactions or €100 cumulative) |
| Trusted beneficiaries | Customer has pre-authorized the payee |
| Recurring fixed-amount payments | Same amount to same payee each period |
| Corporate payment tools | Dedicated business payment protocols |
| Transaction risk analysis | Real-time fraud score below defined threshold |
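The low-value exemption in the table above is stateful: it stops applying once either the consecutive-transaction cap or the cumulative-amount cap since the last SCA is reached. The following is an added example, not code from this guide or from any PSP, that encodes the limits as stated on the page (under €30, 5 consecutive transactions, €100 cumulative) as per-card counters; the test sequences are constructed, and the counters are modelled as the issuer would keep them.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as stated on the page. Whether the €30 boundary is inclusive should be
# confirmed against the RTS text; it is treated as strict ("under €30") here.
LOW_VALUE_LIMIT = Decimal("30")
MAX_CONSECUTIVE = 5
MAX_CUMULATIVE = Decimal("100")


@dataclass
class CardState:
    """Per-card counters since the last successful SCA (kept by the issuer)."""
    exempted_in_a_row: int = 0
    cumulative: Decimal = Decimal("0")

    def reset(self):
        self.exempted_in_a_row = 0
        self.cumulative = Decimal("0")


def decide(state: CardState, amount) -> str:
    """Return 'exempt' if the low-value exemption applies, else 'challenge' (SCA required).
    A challenge resets both counters, because the customer has just authenticated."""
    amount = Decimal(str(amount))
    if amount >= LOW_VALUE_LIMIT:            # not a low-value transaction at all
        state.reset()
        return "challenge"
    if (state.exempted_in_a_row + 1 > MAX_CONSECUTIVE
            or state.cumulative + amount > MAX_CUMULATIVE):
        state.reset()                         # one of the two caps would be breached
        return "challenge"
    state.exempted_in_a_row += 1
    state.cumulative += amount
    return "exempt"


def run_sequence(amounts):
    """Apply decide() to a sequence of amounts on one card and return the decisions."""
    state = CardState()
    return [decide(state, a) for a in amounts]


if __name__ == "__main__":
    # Constructed sequences: the 6th €20 payment trips the count cap, the 4th €29 the €100 cap.
    print(run_sequence([20] * 6 + [25]))
    print(run_sequence([29, 29, 29, 29, 35, 10]))
```

A merchant can only request the exemption; the issuer applies these counters and may still challenge, so checkout flows must handle a challenge response on any transaction.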
PSD2 also mandates open banking. Banks must give licensed third-party providers access to customer account data via APIs, with customer consent. Compliance with those access rules is a condition of licensing — it's not optional.
Payment Compliance in the Crypto and Digital Asset Space
Most payments compliance guides stop at card payments and wire transfers. That's a real gap. Crypto merchants, payment gateways, and digital asset businesses carry the full weight of AML/KYC regulation, plus a growing layer of crypto-specific rules on top.
Virtual Asset Service Providers (VASPs) — crypto exchanges, wallets, payment gateways — are treated as financial institutions for AML purposes under FATF guidance. In practice that means:
- Full KYC at onboarding, ongoing transaction monitoring, and SAR filing obligations
- FATF Travel Rule: transfers above $1,000 require sender name, originator account number, and recipient details to travel with the transaction
- Registration with FinCEN as a Money Services Business for US-based crypto businesses
- Licensing under EU MiCA (Markets in Crypto-Assets Regulation), in force since 2024, covering reserve requirements, consumer protection rules, and disclosure obligations for stablecoin issuers and crypto service providers
The practical challenge is that compliance must function across hundreds of assets and blockchains, each with different settlement finality and traceability. Building that from scratch is expensive and slow.
Plisio handles compliance at the gateway level, supporting 200+ cryptocurrencies while maintaining AML-compatible transaction monitoring and KYC-friendly merchant onboarding. For e-commerce businesses that want to accept crypto without building compliance infrastructure themselves, choosing a gateway that absorbs that regulatory complexity is the practical path.

How to Build a Payment Compliance Workflow
Compliance isn't a tool you switch on. It's a process that runs continuously, and it breaks down when treated as a one-time project.
- Scope your environment — Map every system that touches payment data: checkout pages, processors, databases, third-party integrations. PCI DSS only covers what's in scope, and most breaches happen in corners that were never scoped.
- Conduct a compliance gap analysis — Measure current controls against PCI DSS, AML/KYC requirements, and GDPR (or CCPA). Write down what's missing, not just what's in place.
- Implement technical controls — Tokenization swaps card numbers for non-sensitive tokens; encryption covers data in transit and at rest. These two controls alone take most systems out of PCI DSS scope.
- Set up transaction monitoring — Automated systems need to flag suspicious transactions in real time. Define alert rules, review queues, and escalation paths before going live, not after.
- Train staff — Social engineering and phishing cause more breaches than technical failures. PCI DSS 4.0 now requires targeted security awareness training; treat it as an actual control.
- Document everything — Policies, procedures, audit trails, incident response plans. Regulators want documentation as proof that you have intent and capability, not just functioning systems.
- Schedule regular audits — Annual PCI DSS assessments, quarterly network scans, and ongoing AML program reviews. Compliance drifts without active maintenance.
- Choose compliant payment partners — Your processor, gateway, and banking partners carry shared responsibility. A partner that handles PCI DSS at the infrastructure level cuts your scope dramatically.
Payments Compliance Best Practices for E-commerce
Once your payment compliance program is running, these practices keep it from quietly falling apart:
- Use a PCI DSS Level 1 certified gateway — offloads cardholder data handling to the provider, typically reducing your PCI DSS scope to a SAQ A
- Enable 3D Secure 2.0 — cuts fraud liability on card-not-present transactions and meets EU SCA requirements
- Tokenize everything — replace card numbers with tokens at the point of entry; raw cardholder data should never sit in your systems
- Deploy device fingerprinting and IP geolocation — builds fraud prevention signals from behavioral data without adding checkout friction
- Apply data minimization — under GDPR, collect only what you need, keep it only as long as required, delete it on schedule
- Verify merchants before enabling payments — on a marketplace or platform, onboarding compliance extends to sub-merchants too
- Maintain an incident response plan — GDPR requires breach notification to regulators within 72 hours; most US states require 30 days. An untested plan is just a document.