Reading time: 5 minutes

If you operate an online business, you will likely have come across the variety of payment processors available to help you accept credit card payments. The Payment Card Industry Data Security Standards (PCI DSS), Privacy Act 1988 (Cth) and other Australian law will apply when taking payment online. Before selecting a payment processor, it’s important to understand the legalities of accepting credit card payments online.

There are two main options to accept your customer’s credit card payments and land your hard-earned cash in your bank account:

  1. setting up a merchant bank account; or
  2. using a third party payment processor.

This article will explain the differences, as well as the pros and cons of these methods, to help you understand how different laws will apply to your business. 

You may also need to comply with the PCI DSS, the provider’s terms of service and Australian privacy laws. We unpack all three issues in this article.

Merchant Bank Account

A merchant bank account acts as an intermediary between the customer and your business bank account. Once your payment processor approves your customers’ payments, the funds are deposited into your merchant bank account. After a period of usually 2-7 days, the funds are automatically transferred to your business bank account.

As businesses are processing a high volume of transactions, they can potentially negotiate lower fees for their merchant bank account. Also, businesses have less control over the time it takes for payments to clear the third party payment processor’s merchant bank account compared with using their own business merchant bank account. If you’re operating a bigger business, this delay can make planning and budgeting harder to manage.

Third-Party Payment Processor

On the other hand, if you use a third party payments provider such as Stripe, Braintree, Pin Payments or PayPal, your customers’ payments are deposited into the third party’s merchant bank account. A third party payment processor’s merchant bank account can save you money because the transaction fees they charge can be lower than those a merchant bank provider charges.

What is the PCI DSS?

The PCI DSS is a set of standards developed to protect against credit card scams and fraud. Most merchant banks and third party payment processors require you to comply with the PCI DSS. 

For instance, Stripe’s Terms of Service expressly states that the business must comply with the PCI DSS. You must also allow NAB agents, employees or contractors reasonable access to your property during business hours to check your compliance with the Financial Services terms and data security standards, including the PCI DSS. NAB provides Stripe’s merchant bank account.

While third party payment providers will provide reasonable security measures, you have ultimate responsibility for complying with the PCI DSS. This makes it all the more imperative that you implement industry-standard security measures such as antivirus software, firewalls and encryption software to protect sensitive information.

Terms of Service

When using a merchant bank service or a third party payment processor, you will need to agree to their terms of service/terms and conditions. You should read and ensure you fully understand what you are bound by, and ask the provider if you have any questions.

Do Privacy Laws Apply To My Business?  

Businesses that handle personal information and have a revenue of over $3 million in any given financial year must comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act). 

If your business does not have revenue of over $3m, you may still be required to comply with the APPs if your business is, for instance:  

  • a health service provider, 
  • related to another company which is subject to the Privacy Act, or
  • a credit reporting business. 

If the business does not have revenue of over $3 million or fits within one of the named categories, the business does not need to comply with the Privacy Act. 

Although the Privacy Act may not apply to your business, if you collect personal information and use it for marketing purposes, customers must consent to receive any marketing material, including emails. Consent can be either express or implied. A well-drafted privacy policy should include a clause relating to consent and marketing material. A privacy policy also signals to your customers that you take privacy seriously. Your policy should set our how you collect, store and use personal information so customers can easily find out how your business can use their information.

It’s also sensible to create an internal privacy manual to complement your privacy policy that sets out easy to follow guidelines for the team and ensure they understand how to handle your customers’ personal information.

Key Takeaways

Processing credit card payments are a crucial function for online businesses. With over 16 million credit cards in Australia, there are strict obligations for business owners and payment platform operators to manage the risks of processing payments online. It is important to ensure your business is set up to manage this risk, and that you understand your compliance obligations under the terms of the merchant bank or third party payments processor and Australian privacy laws. If you handle credit card details, you may also have PCI DSS compliance requirements.

If you need assistance setting up a payment platform or accepting payments online, get in touch with our online business lawyers on 1300 544 755.

How can I accept my customer’s credit card payments?

For your online business, you can accept your customer’s credit card payment either through a merchant bank account, or through a third-party processor.

What is the PCI DSS?

The PCI DSS is a set of standards developed to protect against credit card scams and fraud. Most merchant banks and third party payment processors require you to comply with the PCI DSS.

Do Privacy Laws Apply To My Business?

Businesses that handle personal information and have a revenue of over $3 million in any given financial year must comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act). However, there are exceptions to this that you should always check.

Webinars

What to Consider When Buying a Tech or Online Business

Wednesday 13 April | 11:00 - 11:45am

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar today.
Register Now

Corporate Governance 101: Responsibilities for New Directors

Wednesday 27 April | 11:00 - 11:45am

Online
If you are a new company director, join our free webinar to understand your legal compliance obligations. Register today.
Register Now

Rogue Directors and Business Divorces: How to Remove a Director

Thursday 28 April | 11:00 - 11:45am

Online
Removing a board director is not simple. Join our free webinar to learn how to handle rogue directors. Register today.
Register Now

Employment Essentials for Tech Businesses

Thursday 5 May | 11:00 - 11:45am

Online
Protect your tech business and your employees by understanding your employment legal obligations. Register for our free webinar today.
Register Now

How to Protect and Enforce Your Trade Mark

Wednesday 11 May | 11:00 - 11:45am

Online
Protect your business’ brand from copycats and competitors. Register for this free webinar to learn how.
Register Now

How Franchisors Can Avoid Misleading and Deceptive Conduct

Wednesday 18 May | 11:00 - 11:45am

Online
Ensure your franchise is not accused of misleading and deceptive conduct. Register for our free webinar today.
Register Now

New Kid on the Blockchain: Understanding the Proposed Laws for Crypto, NFT and Blockchain Projects

Wednesday 25 May | 10:00 - 10:45am

Online
If you operate in the crypto space, ensure you understand the Federal Government’s proposed licensing and regulation changes. Register today for our free webinar.
Register Now

How to Expand Your Business Into a Franchise

Thursday 26 May | 11:00 - 11:45am

Online
Drive rapid growth in your business by turning it into a franchise. To learn how, join our free webinar. Register today.
Register Now

Startup Financing: Venture Debt 101

Thursday 23 June | 11:00 - 11:45am

Online
Learn how venture debt can help take your startup to the next level. Register for our free webinar today.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year - Australasian Law Awards
  • 2019 Most Innovative Firm - Australasian Lawyer