You have a variety of payment processors to help you accept credit card payments for your online business. While these processors help with receiving payments, you should be aware of the legalities of accepting credit card payments online. Terms of Service, the PCI DSS and the Privacy Act 1988 (Cth) (Privacy Act) apply to your business when taking payments online.
Two Different Methods of Accepting Payments Online
If you’re starting out with your first online business, you have two options to accept your customers’ credit card payments:
- setting up a merchant bank account; or
- using a third party payment processor.
Merchant Bank Account
A merchant bank account acts as an intermediary between the customer and your business bank account. Once your payment processor approves your customers' payments, the funds are deposited into your merchant bank account. After a period of time, usually 2-7 days, the funds are automatically transferred to your business bank account.
Your business might choose to set up a merchant bank account when it processes a high volume of transactions, since it can then negotiate lower fees for that account. Your business will also have greater control over the time it takes for payments to clear its own merchant bank account than when using a third party payment processor like PayPal. This can make planning and budgeting easier to manage if you’re operating a bigger business.
Third Party Payment Processor
By contrast, if you use a third party payments provider such as Stripe, Braintree, Pin Payments or PayPal, your customers’ payments are transferred into the third party merchant bank account that is linked to your business bank account.
With a third party payment processor, you can save money as they may offer lower transaction fees than those charged by a merchant bank provider. Regardless of whether you use a merchant bank account or a third party payment processor, you may need to comply with the following:
Terms of Service
When using a merchant bank service or a third party payment processor, you will need to agree to their terms of service/terms and conditions. You should read and ensure you fully understand what you are bound by, and ask the provider if you have any questions.
The PCI DSS
PCI DSS stands for the Payment Card Industry Data Security Standard. Visa and Mastercard developed it in the early 2000s to combat credit card fraud.
Most merchant banks and third party payment processors require that you comply with the PCI DSS. For example, Stripe’s Terms of Service state that the business must be PCI DSS compliant. Stripe states that while it makes available facilities and functions to make PCI DSS compliance easier, ultimate responsibility for compliance rests with the business. Stripe’s Financial Services Terms also state that you must allow National Australia Bank (NAB) agents, employees or contractors reasonable access to your premises during business hours to check your compliance.
While third party payment providers will provide reasonable security measures, you have ultimate responsibility for any data breach. You must implement industry-standard security measures such as antivirus software, firewalls and encryption software to protect sensitive information.
Australian Privacy Laws
If your business collects personal information, then you may have obligations under the Australian Privacy Principles (APPs) in the Privacy Act. ‘Personal information’ is any information about a person that allows that person to be identified, such as a person’s name or address.
Your business will always need to comply with the APPs if it has revenue over $3m in a financial year. Alternatively, your business will also have to comply with the APPs if, for instance, it is:
- a health service provider,
- related to another company which is subject to the Privacy Act, or
- a credit reporting business.
If your business does not need to comply with the Privacy Act, you may still opt in and choose to comply. Opting in signals to your customers that you take privacy seriously, creating a relationship of trust and transparency. You should also draft a privacy policy which sets out how you collect, store and use personal information, so your customers can easily find out how their information will be used. Drafting an internal privacy manual for staff is also a good idea to ensure they understand how your customers’ personal information should be handled.
Key Takeaways
Handling credit card details imposes obligations and increases risk. You must ensure your business is set up to manage this risk, including being aware of your compliance obligations under Australian law. You will need to comply with the terms of service of your merchant bank or third party payment processor. You may also have to comply with the PCI DSS and the Privacy Act. If you need assistance setting up a payment platform or accepting payments online, get in touch with LegalVision’s business lawyers by completing the form on this page or call 1300 544 755.