Requirements to Accept Credit Cards Online

Every time they accept credit cards online, e-commerce merchant account holders must achieve and remain in compliance with all of the requirements listed below, in addition to the all usual rules for accepting payments.

Processing Protocol to Accept Credit Cards Online

Every card payment processed by a retailer over the web and submitted to the merchant account provider has to comply with the affected processing bank's standards that include, but are not limited to, all relevant standards mandating the formatting transmittal and encryption of data, known in the industry speak as a "designated protocol." Retailers are mandated to accept only those internet transactions that are safely encrypted in compliance with all of the respective acquirer's designated protocol. All acquirers have accepted that their designated protocols will be the Secure Socket Layer (SSL). However, the acquirer' designated protocol, together with any specific mandates regulating the information encryption procedures, may be changed at any time, upon a 30-day advance written notice. Merchants are not permitted to process payments via e-mail over the internet.

Browser Requirements for Designated Protocol

Retailers that accept credit cards online are not permitted to process any card payments over the internet unless they are sent over a browser that supports the acquirers' SSL designated protocol. If the merchant wishes to process a card payment from a customer whose browser does not support the accepted designated protocol, however, it can do so by means other than the internet, such as physical mail, fax or phone.

Information Security Requirements

Merchants must save all unencrypted data related to card payments, including, but not limited to, web card payment information, in a secure setting. Unencrypted payment data cannot be saved on the retailer's internet hosting server. Retailers that accept credit cards online are mandated to notify their processing bank immediately if there is a confirmed or suspected data breach in the merchant's systems and card data may have been compromised. Failure to be in compliance with this rule may result in the payment processing account holder being held liable for any financial losses resulting from the breach in the merchant's systems.

Non-Compliance Chargebacks

Any sale transaction over the internet that is not in compliance with the above-stated requirements is subject to immediate chargeback by the affected payment processing provider. Retailers may be charged back for any amounts that are owed in regard to any chargebacks for internet card transactions. The processor may, at its own discretion, cancel the merchant's processing agreement if such a merchant fails to achieve and maintain compliance with the stated terms. Retailers should always ask their acquirer for a complete disclosure of all chargeback-resulting liabilities and responsibilities and ensure they understand it.