
Compliance Basics for SMBs

TL;DR
  • Must do now: Complete your PCI SAQ annually, keep chargeback ratio under 0.65% (early warning), use a recognizable billing descriptor
  • Must do if subscriptions: Clear cancellation flow, renewal notices 7+ days before charge, easy opt-out
  • Can wait: Formal compliance audits, AML/KYC programs, PSD2/SCA (unless you sell to EU)
  • Most SMBs only need 3 things: PCI questionnaire, chargeback monitoring, clear refund policy
  • 0.65% is not the crisis point. It's the early warning. Processors typically flag you around 0.9%, and Mastercard ECM starts at 1.5%. Act at 0.65% so you never reach enforcement.

If you're a small business accepting card payments, compliance can feel overwhelming. This page tells you what actually matters at your size and what you can safely ignore for now.

The 3-Thing Checklist

If you do nothing else, do these three things:

1. Complete Your PCI Questionnaire

What it is: An annual self-assessment questionnaire (SAQ) that confirms you're handling card data safely.

What to do:

  • If you use hosted checkout (Stripe Checkout, Square, Shopify Payments) so that card data never touches your servers or your own forms: You qualify for SAQ A, the simplest version. It takes 15-20 minutes.
  • If you embed a payment form on your site that you control: You likely need SAQ A-EP. It is considerably longer than SAQ A but still manageable without an outside assessor.
  • If you handle card numbers directly (your systems store, process, or transmit them): You need SAQ D, the full questionnaire. Consider switching to hosted checkout instead; it removes most of the requirements rather than just documenting them.

What happens if you don't: Your processor charges a PCI non-compliance fee ($10-150/month depending on processor), and if card data is breached you face card-brand fines and forensic-investigation costs with no compliance status to point to.

See PCI DSS for the full guide.

2. Monitor Your Chargeback Ratio

What it is: The percentage of your transactions that result in chargebacks. Processors start watching at 0.65% and typically take action around 0.9%.

What to do:

  • Check your ratio monthly: total chargebacks in the month / total transactions in the month
  • Set an internal alarm at 0.65%
  • If you're above 0.65%, start reducing chargebacks immediately

The networks compute their own ratios slightly differently (Visa's VAMP counts fraud reports as well as chargebacks, and Mastercard divides this month's chargebacks by the previous month's transaction count), so your simple monthly ratio is an early-warning number, not the exact figure a network program will use.

0.65% = Early Warning, Not Enforcement

0.65% is the threshold where your processor starts watching you. It's your cue to act, not the point where fines begin. Actual enforcement kicks in higher:

  • Visa VAMP (effective April 2025): Merchant Excessive threshold is currently 2.2% (tightening to 1.5% in April 2026) with 1,500+ disputes. The VAMP ratio counts both fraud reports (TC40) and non-fraud disputes (TC15) against the month's settled transactions, so it's harder to stay below than the old program. Processors typically flag you around 0.9% as their own internal threshold.
  • Mastercard ECM: Fines begin at 1.5% (150 basis points) with 100+ chargebacks in the month

Don't wait until enforcement. Fixing a chargeback problem at 0.65% is far cheaper and easier than fighting your way out of a monitoring program at 1%+. See Dispute Monitoring Programs for the full threshold breakdown.

What happens if you don't: You enter a network monitoring program with escalating fees (Visa charges $8 per CNP dispute; Mastercard ECM fines escalate from $1,000 to $100,000+/month) and risk MATCH listing, which stays on record for five years and makes most acquirers refuse to board you (effectively a 5-year ban from accepting cards).

See Chargeback Ratio Crisis for emergency response.
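The monitoring step above is easy to get wrong because the three numbers that matter (your simple monthly ratio, Mastercard's lagged-denominator ratio, and Visa's VAMP ratio that also counts fraud reports) can differ for the same month. The script below is an added example, not code from this page or from any processor: it takes a constructed export of transactions and disputes, computes all three ratios per month, and labels each month with the highest tier it crosses using the thresholds quoted on this page. The record layout (`date`, `kind` of "chargeback" for TC15 or "fraud_report" for TC40) is an assumption; map your processor's export to it.

```python
"""Monthly chargeback-ratio monitor with tiered alerts (added example, not
the page's own code). Input is assumed to be two lists of dicts: settled
transactions ({"id", "date"}) and disputes ({"date", "kind"}), where kind is
"chargeback" (TC15) or "fraud_report" (TC40)."""
from collections import defaultdict
from datetime import date

# Ratio thresholds quoted on the page, highest first. Network programs also
# require minimum dispute counts (VAMP 1,500+, ECM 100+), so treat these
# labels as early-warning tiers rather than a prediction of enforcement.
TIERS = [
    (0.022, "VISA_VAMP_EXCESSIVE"),  # 2.2% until April 2026, then 1.5%
    (0.015, "MASTERCARD_ECM"),
    (0.009, "PROCESSOR_FLAG"),
    (0.0065, "EARLY_WARNING"),
]


def tier_for(ratio):
    """Return the highest tier label whose threshold the ratio meets."""
    for threshold, label in TIERS:
        if ratio >= threshold:
            return label
    return "OK"


def month_key(d):
    return (d.year, d.month)


def prev_month(key):
    y, m = key
    return (y - 1, 12) if m == 1 else (y, m - 1)


def monthly_ratios(transactions, disputes):
    """Return {(year, month): stats} with three ratios per month.

    simple: chargebacks / this month's transactions (the page's formula)
    ecm:    chargebacks / previous month's transactions (Mastercard basis),
            None when there is no previous month of data
    vamp:   (chargebacks + fraud reports) / this month's transactions
    tier:   label for the worst (highest) of the three, so the alarm is
            conservative whichever network looks at you first
    """
    tx_count, cb_count, fraud_count = defaultdict(int), defaultdict(int), defaultdict(int)
    for t in transactions:
        tx_count[month_key(t["date"])] += 1
    for d in disputes:
        k = month_key(d["date"])
        if d["kind"] == "chargeback":
            cb_count[k] += 1
        elif d["kind"] == "fraud_report":
            fraud_count[k] += 1

    out = {}
    for k in sorted(tx_count):
        tx, cb, fr = tx_count[k], cb_count[k], fraud_count[k]
        prev_tx = tx_count.get(prev_month(k), 0)
        simple = cb / tx if tx else 0.0
        ecm = cb / prev_tx if prev_tx else None
        vamp = (cb + fr) / tx if tx else 0.0
        out[k] = {
            "transactions": tx, "chargebacks": cb, "fraud_reports": fr,
            "simple": simple, "ecm": ecm, "vamp": vamp,
            "tier": tier_for(max(simple, vamp, ecm or 0.0)),
        }
    return out


def sample_data():
    """Constructed sample data for the example; not real merchant figures."""
    tx = []
    for y, m, n in [(2025, 1, 1000), (2025, 2, 800), (2025, 3, 500)]:
        tx += [{"id": f"tx-{y}{m:02d}-{i}", "date": date(y, m, 1)} for i in range(n)]
    disputes = (
        [{"date": date(2025, 1, 15), "kind": "chargeback"}] * 5      # 0.5%: fine
        + [{"date": date(2025, 2, 10), "kind": "chargeback"}] * 6    # 0.75% simple
        + [{"date": date(2025, 2, 12), "kind": "fraud_report"}] * 2  # pushes VAMP to 1.0%
        + [{"date": date(2025, 3, 5), "kind": "chargeback"}] * 8     # 1.6%: ECM territory
    )
    return tx, disputes


if __name__ == "__main__":
    for (y, m), s in monthly_ratios(*sample_data()).items():
        ecm = "n/a" if s["ecm"] is None else f"{s['ecm']:.2%}"
        print(f"{y}-{m:02d}: simple {s['simple']:.2%}  ecm {ecm}  "
              f"vamp {s['vamp']:.2%}  -> {s['tier']}")
```

Run it monthly against your real exports; the February row is the instructive one, since the page's simple formula says 0.75% (early warning) while the VAMP-style count already reads 1.0%, which is where processors typically flag you.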

3. Post a Clear Refund Policy

What it is: A visible policy on your website explaining how customers can get refunds, make returns, or cancel services.

What to do:

  • Link your refund policy in your website footer, checkout page, and order confirmation emails
  • Make cancellation possible in 3 clicks or fewer
  • Include timeframes ("Refund within 30 days of purchase")

What happens if you don't: Customers who can't find your refund process call their bank instead. That's a chargeback.

See Refund Policy Design for templates.


What Matters at Your Size

Your Monthly Volume | What to Focus On | What Can Wait
Under $10K          | PCI SAQ, clear refund policy, recognizable billing descriptor | Everything else
$10K-$50K           | Above + monthly chargeback monitoring, subscription compliance if applicable | Formal audits, international compliance
$50K-$100K          | Above + chargeback alerts, dispute monitoring | AML/KYC, multi-network optimization
$100K-$500K         | Above + quarterly compliance review, network threshold tracking | Direct network relationships
Over $500K          | Formal compliance program, consider outside counsel | Nothing; everything matters now

Common Mistakes

Mistake                       | What Happens                                        | Fix
Ignoring PCI SAQ              | Non-compliance fee + breach liability               | Complete SAQ A annually (15 min)
No billing descriptor         | Customers don't recognize charges, file chargebacks | Set descriptor to your business name
Hard-to-cancel subscriptions  | Chargebacks from frustrated customers               | 3-click cancellation, pre-renewal emails
No chargeback monitoring      | Breach threshold without warning                    | Monthly ratio check, alert at 0.65%
Ignoring processor emails     | Escalation to monitoring program                    | Reply within 24 hours, always

Subscription Businesses: Extra Requirements

If you charge customers on a recurring basis, you have additional obligations:

□ Disclose recurring terms before first charge (amount, frequency, duration)
□ Send renewal/billing reminders 7+ days before each charge
□ Make cancellation available online (no phone-only cancellation)
□ Cancellation flow completes in 3 clicks or fewer
□ Send confirmation when customer cancels
□ Stop charging within 3 business days of cancellation

Violation of these rules is the fastest way for a subscription business to accumulate chargebacks and attract regulatory attention.

See Subscription Rules for the full requirements.


When to Get Professional Help

You need a compliance consultant or payment attorney when:

  • Your chargeback ratio is above 0.9% and climbing
  • You're entering a network monitoring program
  • You process over $500K/month
  • You're expanding internationally (PSD2/SCA requirements)
  • You receive a processor termination notice
  • You handle sensitive data beyond basic card processing

For everything else, this site and your processor's support team should cover it.


Next Steps

Just starting out?

  1. Complete your PCI SAQ (15-20 minutes)
  2. Check your billing descriptor
  3. Post a refund policy

Already processing?

  1. Calculate your chargeback ratio
  2. Review your subscription compliance if applicable
  3. Set up chargeback alerts

See Also