Regulation and Compliance in Payment Processing

    PCI DSS, PSD2/PSD3, interchange regulation, and AML/KYC — the regulatory landscape shaping the payments industry.

    PCI DSS: The Global Security Baseline

    The Payment Card Industry Data Security Standard applies to every entity that stores, processes, or transmits cardholder data, regardless of size or location. Developed by the PCI Security Standards Council (founded by Visa, Mastercard, American Express, Discover, and JCB), version 4.0 became mandatory on 31 March 2025. The standard encompasses 12 core requirements across six domains, covering network security, data protection, vulnerability management, access control, monitoring, and information security policy. Non-compliance can trigger fines ranging from USD 5,000 to USD 100,000 per month, increased processing fees, and ultimately the loss of card acceptance privileges.

    European Payments Regulation: PSD2, PSD3, and the PSR

    PSD2, adopted in 2015 and implemented in 2018, was the European Union's landmark payments regulation. It introduced Strong Customer Authentication (SCA) for electronic payments, requiring two-factor verification for most online transactions. It mandated open banking by requiring banks to provide authorised third parties with API access to customer payment account data. It also created the regulatory framework for two new categories of payment service providers: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).

    In November 2025, the European Parliament and Council reached provisional agreement on PSD3 and the Payment Services Regulation (PSR), which together will replace PSD2 and the E-Money Directive. Publication is expected in the first half of 2026, with full applicability targeted around the second or third quarter of 2028 after an 18-to-21-month transition period. The most significant changes include merging the licensing frameworks for payment institutions and electronic money institutions, extending verification-of-payee requirements to all credit transfers, strengthening SCA and establishing collaborative fraud monitoring systems, standardising open banking API access with mandatory customer consent dashboards, expanding scope to cover instant payments, BNPL, and certain cryptocurrency-related payment transactions, and implementing the PSR as a directly applicable regulation rather than a directive requiring national transposition.

    Interchange Fee Regulation

    The European Union caps interchange fees at 0.2% for consumer debit cards and 0.3% for consumer credit cards. Corporate cards remain uncapped. In the United States, the Durbin Amendment (part of the 2010 Dodd-Frank Act) caps debit card interchange for banks with more than USD 10 billion in assets at USD 0.21 plus 0.05% of the transaction value. In 2024, U.S. merchants paid approximately USD 187.2 billion in swipe fees on more than USD 11.9 trillion in card payments.

    AML, KYC, and Emerging Frameworks

    Anti-money-laundering and know-your-customer regulations apply to every participant in the payment chain. In the EU, the sixth Anti-Money Laundering Directive (6AMLD) took effect in June 2021. The EU's new Anti-Money Laundering Authority (AMLA) launched in mid-2025 and will directly supervise high-risk financial entities beginning in 2028. The United States applies the Bank Secrecy Act and FinCEN regulations. Payment Facilitators and PSPs face particularly complex obligations because they must perform due diligence not only on themselves but across their entire sub-merchant portfolio.

    Looking ahead, the intersection of agentic commerce and compliance is creating new regulatory questions. "Know Your Agent" (KYA) verification is emerging as a concept alongside traditional KYC, as AI agents acting autonomously on behalf of consumers create novel fraud vectors and liability questions that existing frameworks were not designed to address.
