Nov 20, 20184 min read

Payment Gateway Compliance: The inside scoop on regulations from PCI-DSS to GDPR.


Merchants have to keep track of a laundry list of compliance regulations. It’s no easy task. Much of the apprehension comes from an unfamiliarity with how merchants are expected to protect themselves, their systems, and their customers’ data.

Payment gateways help merchants overcome their compliance challenges. To help you understand payment gateway compliance, we’ve broken down the three most important regulations merchants need to know about.

Here’s your guide to the inner workings of those pesky acronyms — PCI-DSS, GDPR and PSD2.

PCI-DSS Compliance: The Information Security Standard

The first industry regulation for merchants to be aware of is the Payment Card Industry Data Security Standard (PCI-DSS). This is a data security standard that applies to any business that accepts credit cards. Like most payment industry standards, being PCI compliant isn’t a one-time project — it’s an ongoing process.

Whenever cardholder data is transmitted across any of your systems, you need to host that information with a PCI compliant hosting provider. This is where the right payment gateway partner matters. You’ll want to choose a partner that can handle compliance headaches for you.

Part of PCI-DSS compliance is having proper documentation showing that your systems are protecting cardholder data and your payments. You’ll need this information to submit reports to acquiring banks and card brands about your security process. Ensure your payment gateway provider can help you with documentation. It will keep your industry partners resting easy and help keep your customers’ data safeguarded — all without interrupting your daily business flow.

GDPR: European Data Protection Rules

Though the General Data Protection Regulation (GDPR) is a European regulation, if affects U.S. merchants that accept payments from residents of the EU.

The GDPR is about data transparency. The regulation requires businesses that deal with sensitive information — like credit card credentials — to be clear with their customers about how they manage that data. Businesses that use a payment gateway in their payment processing will need to make sure they are GDPR compliant to protect consumer data rights. For merchants, that means taking a close look at what type of data is transmitted across your payment gateway and where it comes from.

A PwC survey showed that U.S. businesses are getting serious about this data regulation. 92 percent of U.S. companies consider GDPR a top data protection priority. In a global world, it’s not just U.S. regulations that merchants need to keep up with.

PSD2: The Third-Party Retail Banking Regulation

The final of our acronyms: PSD2. The Payment Service Directive is designed to allow customers making payments online to do so securely through third-party vendors. Under these compliance guidelines, banks must provide third-party payment providers access to customers’ accounts through open APIs.

In the world of ecommerce, PSD2 opens the door for merchants to process payments through more diverse methods. Third-party providers can build upon the established security infrastructure of their banking partners, allowing more innovative payment methods to flourish. If you’re using a payment gateway to protect your customers’ payment data, you’ve already got a jump on PSD2 compliance.

Payment Gateways Are Your Compliance Partners

You might be thinking: How do I keep up with all these regulations? Rest assured, that’s where a payment gateway partner comes into the mix. Online payment gateways are integrated with a merchant’s e-commerce platform, which means they can deliver the necessary security to keep your business compliant with complex regulations. All you have to do is ensure you’re working with a provider who can check off all of the necessary compliance boxes.

Bottom line? You handle the customers, and leave payment gateway compliance to your chosen partner. That’s the beauty of today’s payment gateway ecosystem. It’s built with the security of both merchants and customers in mind.