Payments and Compliance: Accepting Credit Card Payments Online

by LegalVision

You have a variety of payment processors to choose from when accepting credit card payments for your online business. While these processors handle the mechanics of receiving payments, you should also be aware of the legal and compliance obligations that come with accepting card payments online. The provider's Terms of Service, the PCI DSS and the Privacy Act 1988 (Cth) (Privacy Act) all apply to your business when you take payments online.

Two Different Methods of Accepting Payments Online

If you are starting your first online business, you have two options for accepting your customers' credit card payments:

  1. setting up a merchant bank account; or
  2. using a third party payment processor.

Merchant Bank Account

A merchant bank account acts as an intermediary between the customer and your business bank account. Once a customer's payment is authorised, the funds are deposited into your merchant account. After a settlement period, usually 2-7 days, the funds are transferred to your business bank account.

A business processing a high volume of transactions might choose to set up its own merchant account, since that volume gives it leverage to negotiate lower fees. It will also have more control over how long payments take to clear than it would with a third party payment processor such as PayPal, which makes planning and budgeting easier for a larger business.

Third Party Payment Processor

By contrast, if you use a third party payment provider such as Stripe, Braintree, Pin Payments or PayPal, your customers' payments are transferred into the provider's own merchant account, and the provider then pays the funds out to your linked business bank account.

For a smaller business, a third party payment processor can be cheaper, as its transaction fees may be lower than those a merchant bank would charge at that volume. Regardless of whether you use a merchant bank account or a third party payment processor, you may need to comply with three things: the provider's terms of service, the PCI DSS and Australian privacy law.

Terms of Service

When using a merchant bank service or a third party payment processor, you will need to agree to their terms of service (or terms and conditions). Read them carefully, make sure you understand what you are bound by, and ask the provider about anything that is unclear, since these terms typically set out your security and compliance obligations as well as the fees.

PCI DSS

PCI DSS stands for the Payment Card Industry Data Security Standard. The major card brands (Visa, Mastercard, American Express, Discover and JCB) published the first version in 2004 to combat card fraud, consolidating their separate security programs, and the standard is now maintained by the PCI Security Standards Council.

Most merchant banks and third party payment processors require you to comply with the PCI DSS. For example, Stripe's Terms of Service state that the business must be PCI DSS compliant. Stripe states that while it makes facilities and functions available that make PCI DSS compliance easier, ultimate responsibility for compliance rests with the business. Stripe's Financial Services Terms also state that you must allow National Australia Bank (NAB) agents, employees or contractors reasonable access to your premises during business hours to check your compliance.

Third party payment providers will apply reasonable security measures on their side, but you remain responsible for any card data that your own systems receive, store or log. The most effective measure is to keep that data out of your systems altogether: let the provider's hosted payment form or client-side library collect the card details and hand your server a token, so the card number never touches your infrastructure and your PCI DSS scope reduces to the short self-assessment questionnaire for merchants who fully outsource card handling (SAQ A). Whatever does reach your systems must still be protected with industry-standard controls such as firewalls, patched and malware-protected hosts, and encryption in transit and at rest, and the card verification code (CVV) must never be stored after authorisation.
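One way to enforce the "tokens only" rule on your own backend, as an added example that is not part of the original article and not code from Stripe or any other provider: a guard that rejects any request carrying raw card data instead of a provider token, and a log redactor that masks any card number that slips into a log line. The field names, the constructed token "tok_example123" and the sample requests are assumptions for illustration; the card numbers used are the standard Luhn-valid test numbers.

```python
"""Keep raw card data out of a tokenised payment backend (added example).

Assumes the backend only ever expects a provider-issued token plus an amount,
so any Luhn-valid card-number-shaped string in a request or a log line is a
PCI scope leak. Token format and field names are assumed, not a real provider's.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names a tokenised backend should never receive (assumed names).
FORBIDDEN_FIELDS = {"card_number", "pan", "cvv", "cvc", "cvv2", "expiry"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every card-number-shaped substring in text that passes Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(m.group(0))
    return found


def redact(text: str) -> str:
    """Mask each Luhn-valid PAN down to its last four digits before logging."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return "****" + digits[-4:] if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(mask, text)


class CardDataInRequest(ValueError):
    """Raised when a request carries raw card data instead of a token."""


def validate_payment_request(body: dict) -> dict:
    """Accept only {payment_token, amount_cents}; refuse anything carrying card data.

    Checked before the body is logged or persisted, so a misbehaving client
    (or a form that bypassed the provider's hosted fields) cannot pull the
    server into PCI scope.
    """
    for key, value in body.items():
        if key.lower() in FORBIDDEN_FIELDS:
            raise CardDataInRequest(
                f"field '{key}' must be collected by the payment provider, not this server")
        if isinstance(value, str) and find_pans(value):
            raise CardDataInRequest(f"field '{key}' contains a card number")
    token = body.get("payment_token")
    amount = body.get("amount_cents")
    if not isinstance(token, str) or not token:
        raise ValueError("payment_token missing")
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount_cents must be a positive integer")
    return {"payment_token": token, "amount_cents": amount}


if __name__ == "__main__":
    # Constructed sample inputs.
    good = {"payment_token": "tok_example123", "amount_cents": 2500}
    bad = {"card_number": "4111 1111 1111 1111", "cvc": "123", "amount_cents": 2500}
    print(validate_payment_request(good))
    try:
        validate_payment_request(bad)
    except CardDataInRequest as exc:
        print("rejected:", exc)
    print(redact("checkout failed for customer 42 card 4242 4242 4242 4242 exp 12/27"))
```

The Luhn check keeps the redactor from mangling order numbers and other long digit strings that merely look like card numbers; the request guard rejects by field name as well as by content so that a card number split across fields or sent without spaces is still caught.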

Australian Privacy Laws

If your business collects personal information, then you may have obligations under the Australian Privacy Principles (APPs) in the Privacy Act. 'Personal information' is information or an opinion about an identified individual, or an individual who is reasonably identifiable, such as a person's name or address.

Your business will always need to comply with the APPs if its annual turnover exceeds $3 million. A business below that threshold must also comply if, for instance, it is:

  • a health service provider,
  • related to another company which is subject to the Privacy Act, or
  • a credit reporting business.

If your business does not need to comply with the Privacy Act, you may still opt in. Opting in signals to your customers that you take privacy seriously and builds trust and transparency. You should also draft a privacy policy setting out how you collect, store and use personal information, so customers can easily find out how their information will be handled. An internal privacy manual for staff is also a good idea, so they understand how customers' personal information should be handled.

Key Takeaways

Handling credit card details imposes obligations and increases risk. You must ensure your business is set up to manage this risk, including being aware of your compliance obligations under Australian law. You will need to comply with the terms of service of your merchant bank or third party payment processor. You may also have to comply with the PCI DSS and the Privacy Act. If you need assistance setting up a payment platform or accepting payments online, get in touch with LegalVision's business lawyers by completing the form on this page or call 1300 544 755.
