Legal do’s and don’ts for accepting payments online
When starting an online business, one of the questions you will very quickly come to ask is “how can people pay me as quickly and as easily as possible?” When selling products or services online, providing customers with the option to purchase your goods or services using a credit card is one of the quickest and easiest ways to get paid.
You will likely have come across a variety of payment processors available to help you, but before selecting a payment processor for your business, it’s a good idea to understand the legalities involved with accepting credit card payments online.
Two main options exist to help you accept credit card payments:
• setting up a merchant bank account; or
• using a third party payment processor.
Whichever of these options you pick, you may need to comply with Australian privacy laws, the PCI DSS (more on that later) and the merchant bank’s or payment processor’s terms of service.
Merchant bank accounts
Merchant bank accounts are similar to regular bank accounts, except they exist for the primary purpose of holding funds collected from credit and debit card sales. From there, the funds are transferred out to a regular business bank account.
Using a merchant bank account means that you are likely to have greater control over when funds from credit card payments are remitted to your standard bank account (very helpful when managing cashflow). If you are processing a higher volume of transactions, you can potentially negotiate lower transaction fees with your merchant bank account.
Third party payment processors
Stripe, Braintree, PayPal and Pin Payments are examples of third party payment processors and provide:
• the payment gateway for you to accept credit cards online (e.g. the online functionality for customers to enter their credit card details on your ‘checkout’ page); and
• credit card processing services (they essentially contact Visa/Mastercard to check that Visa/Mastercard authorises the relevant transaction and, once that authorisation is received, ensure that the funds are receipted into the correct bank account).
Third party payment processors are potentially a cheaper option if your business doesn’t handle a large volume of transactions as you can negotiate lower fees with your merchant bank account.
The PCI DSS is a set of standards developed by major credit card companies to protect against credit card scams and fraud. Most merchant banks and third party payment processors require you to comply with the PCI DSS.
Let’s take Stripe as an example. Stripe’s Terms of Service expressly state that a business must comply with the PCI DSS. Stripe is backed by NAB and the Terms of Service actually state that you must also allow NAB agents, employees or contractors reasonable access to your property during business hours to check your compliance with the Financial Services terms and data security standards, including the PCI DSS. NAB provides Stripe’s merchant bank account.
While third party payment providers will provide reasonable security measures, you have ultimate responsibility for complying with the PCI DSS. This makes it all the more important that you implement industry standard security measures, e.g. firewalls, encryption software and antivirus software to protect sensitive credit card information. If nothing else, make sure any operating software is up to date!
What can we take from this?
Processing credit card payments is crucial for the health of online businesses. With over 16 million credit cards in Australia, there are strict obligations for business owners and payment platform operators to manage the risks of processing payments online. It is important to ensure your business is set up to manage this risk, and that you understand your compliance obligations under the terms of the merchant bank or third party payments processor and Australian privacy laws. If you handle credit card details, you may also have PCI DSS compliance requirements.
Damien Timms is a practice leader in LegalVision’s IT law and general commercial teams. He also has practical experience working in a startup and a strong understanding of the legal and commercial needs of new technology businesses.
Chloe Sevil is a lawyer in LegalVision’s general commercial team. She works closely with large corporates and SMEs on business structuring and capital raising.