Compliance
The rules you have to follow. Break them and you get fined, terminated, or both.
Pick Your Mode
- Operator - What to fix this week. PCI-DSS and subscription rules.
- Analyst - Thresholds and monitoring. Network program tracking.
- Reference - Rules and requirements. Network rules, consumer protection.
Popular
- PCI-DSS Start Here - Cardholder data security requirements
- Dispute Monitoring - VAMP, ECM, BRAM thresholds
- Subscription Rules - Recurring billing compliance
- Reg E - Debit card dispute requirements
- Network Rules - Visa and Mastercard mandates
If You Only Have 2 Hours This Week
- Check your chargeback ratio. If it's above 0.65%, you're approaching Visa's early warning threshold.
- If you have subscriptions: verify your cancellation flow takes fewer than 3 clicks and renewal emails go out 7+ days before charge.
- If you touch card numbers directly: confirm your SAQ is current and your PCI scan passed.
That's it. Deep compliance audits can wait until something flags.
What Gets People in Trouble
In order of how often I see it:
1. Chargeback Thresholds - Cross 0.9% on Visa or 1.5% on Mastercard (ECM) and you're in a monitoring program with fines.
2. Subscription Billing Violations - Unclear cancellation, wrong renewal notices, failure to disclose terms.
3. PCI Scope Creep - Accidentally handling card data you didn't need to.
4. Reg E Timing Violations - Missing the 10-day provisional credit deadline (issuers).
By Domain
- Network Rules - VAMP, ECM, BRAM, MATCH • Acquirers, merchants
- Consumer Protection - Reg E, Reg Z, FCBA • Issuers
- PCI DSS - Cardholder data security • Everyone touching cards
- AML/KYC - Customer verification, SAR filing • Banks, fintechs
- Subscriptions - Recurring billing rules • Subscription merchants
By Role
Merchants
- Network thresholds - VAMP, ECM fines
- Subscription rules - FTC, state laws
- PCI DSS - Right SAQ annually
- Surcharging - Caps and state laws
Acquirers
- Merchant monitoring - Portfolio ratios
- High-risk registration - BRAM, VIRP
- MATCH/VMSS - Check and report
What Regulators Actually Look At
There's a difference between "technically required" and "what triggers enforcement."
Hard requirements (will get you fined/terminated):
- Exceeding chargeback thresholds for consecutive months
- PCI breach after not completing SAQ
- Reg E timing violations with documented customer complaints
- Subscription billing without proper disclosure (FTC is active here)
Soft requirements (matters in audits or after incidents):
- Perfect documentation of every decision
- Formal policies for every edge case
- Complete training records
Focus your limited time on the hard requirements. The soft stuff matters when you're big enough for formal audits.
Tax Is Not Covered Here
Sales tax and VAT compliance is jurisdictional chaos. This site doesn't provide tax guidance.
What you need to know:
- Nexus matters: You owe tax where you have tax presence (physical or economic)
- Economic thresholds: Many states trigger nexus at $100K+ sales
- When to automate: If you sell in multiple states or internationally, consider Avalara, TaxJar, or processor-native tools (Stripe Tax)
- Talk to your accountant: Before making tax decisions, get professional advice
This is a payments site, not a tax site. We're flagging this because invoice and checkout workflows touch tax calculations.
Next Steps
New to compliance?
- PCI-DSS - Start here if you touch cards
- Network Rules - Monitoring programs
- Subscription Rules - If recurring billing
Approaching thresholds?
- Dispute Monitoring - Know your numbers
- Reduce Chargebacks Fast - Emergency
- Chargeback Prevention - Long-term
See Also
- Chargeback Metrics - Tracking dispute rates
- Fraud Metrics - Measuring fraud performance
- Risk Scoring - Transaction scoring
- Processor Management - Acquirer relationships
- Subscriptions & Recurring - Recurring billing rules
- Holds and Reserves - Program consequences
- Zero Point Nine Panic - Emergency response
- Reduce Chargebacks Fast - Crisis playbook