Compliance
The rules you have to follow. Break them and you get fined, terminated, or both.
Pick Your Mode
Start with Compliance Basics for SMBs - the 3-thing checklist that covers what actually matters at your size.
- Check your chargeback ratio. If it's above 0.65%, you're approaching Visa's early warning threshold.
- If you have subscriptions: verify your cancellation flow takes fewer than 3 clicks and renewal emails go out 7+ days before charge.
- If you touch card numbers directly: confirm your SAQ is current and your PCI scan passed.
That's it. Deep compliance audits can wait until something flags.
Under $100K/month: Complete your PCI SAQ annually and keep your chargeback ratio under 0.65%. If you use hosted checkout, that covers 90% of your compliance burden.
$100K–$1M/month: Subscription billing rules matter now if you do recurring. Review your cancellation flow and renewal notices. Network threshold monitoring becomes a weekly task.
Over $1M/month: Formal compliance review annually. Know your PCI level, your acquirer's expectations, and whether PSD2/SCA affects your EU sales.
Over $10M/month: Dedicated compliance function or outside counsel. Multiple network programs to track, potential for direct network relationships, and regulatory exposure across jurisdictions.
By Role (specific requirements for Merchants, Acquirers, and Issuers)
In order of how often I see it:
- Network thresholds - VAMP, ECM fines
- Subscription rules - FTC, state laws
- PSD2 & SCA - EU authentication requirements
- PCI DSS - Right SAQ annually
- Surcharging - Caps and state laws
- Merchant monitoring - Portfolio ratios
- High-risk registration - BRAM, VIRP
- MATCH/VMSS - Check and report
What Regulators Actually Look At (hard vs. soft requirements)
There's a difference between "technically required" and "what triggers enforcement."
Hard requirements (will get you fined/terminated):
- Exceeding chargeback thresholds for consecutive months
- A card-data breach while your PCI SAQ is not current
- Reg E timing violations with documented customer complaints
- Subscription billing without proper disclosure (FTC is active here)
Soft requirements (matter in audits or after incidents):
- Perfect documentation of every decision
- Formal policies for every edge case
- Complete training records
Focus your limited time on the hard requirements. The soft stuff matters when you're big enough for formal audits.
Sales tax and VAT compliance is jurisdictional chaos. This site doesn't provide tax guidance.
What you need to know:
- Nexus matters: You owe tax where you have tax presence (physical or economic)
- Economic thresholds: Many states trigger nexus at $100K+ sales
- When to automate: Multi-state or international = consider Avalara, TaxJar, or processor-native tools (Stripe Tax)
- Talk to your accountant: Before making tax decisions, get professional advice
This is a payments site, not a tax site. We're flagging this because invoice and checkout workflows touch tax calculations.
Next Steps
- PCI-DSS - Start here if you touch cards
- Network Rules - Monitoring programs
- Subscription Rules - If recurring billing
- Dispute Monitoring - Know your numbers
- Reduce Chargebacks Fast - Emergency
- Chargeback Prevention - Long-term
See Also
- Chargeback Metrics - Tracking dispute rates
- Fraud Metrics - Measuring fraud performance
- Risk Scoring - Transaction scoring
- Processor Management - Acquirer relationships
- Subscriptions & Recurring - Recurring billing rules
- Holds and Reserves - Program consequences
- Zero Point Nine Panic - Emergency response
- Reduce Chargebacks Fast - Crisis playbook