By SalenPay Team, Jun 30, 2025

ISO Industry Update: Regulations & Compliance

Stay ahead of 2025 regulatory changes including data privacy laws, PCI DSS 5.0 updates, and anti-money laundering requirements affecting the payment industry.

The regulatory landscape for payment processors and ISOs continues to evolve rapidly. Staying compliant isn't just about avoiding penalties — it's about building trust with merchants and maintaining the infrastructure that enables smooth, secure transactions.

PCI DSS 5.0: What Changed

The Payment Card Industry Data Security Standard (PCI DSS) version 5.0 introduced significant updates that payment professionals need to understand:

  • Continuous compliance replaces annual assessments. Merchants must now demonstrate ongoing security posture, not just point-in-time compliance.
  • Customized approach allows organizations to meet security objectives through alternative controls, provided they can demonstrate equivalent effectiveness.
  • Expanded multi-factor authentication requirements now cover all access to cardholder data environments, not just administrative access.
  • Targeted risk analysis becomes mandatory, requiring organizations to document their specific threat models and mitigation strategies.

For ISOs and payment facilitators, this means your merchants need more support than ever to maintain compliance. Providing compliance tooling, automated scanning, and clear guidance isn't optional — it's a competitive advantage.

State Privacy Laws: The Patchwork Expands

As of 2025, 19 U.S. states have enacted comprehensive data privacy legislation. While each law varies in specifics, common themes include:

  • Consumer right to access and delete personal data collected during payment processing
  • Opt-out requirements for data sale and targeted advertising
  • Data minimization obligations limiting the collection and retention of personal information
  • Data protection impact assessments for processing activities that present elevated risk

Payment processors must ensure their data collection, storage, and sharing practices comply with the most restrictive applicable state law. A federal privacy law remains under discussion but has not yet passed.

Anti-Money Laundering (AML) Updates

The Corporate Transparency Act (CTA), which took effect January 2024, requires most businesses to report beneficial ownership information to FinCEN. For payment processors and ISOs, this means:

  1. Enhanced KYB (Know Your Business) procedures during merchant onboarding
  2. Ongoing monitoring of merchant ownership changes
  3. Updated SAR (Suspicious Activity Report) filing requirements
  4. Stronger transaction monitoring to detect structuring, layering, and other money laundering patterns

The Beneficial Ownership Registry

FinCEN's beneficial ownership registry is now operational, giving financial institutions — including payment processors — access to verified ownership information. This streamlines KYB checks but also creates new obligations:

  • Verify merchant-provided ownership data against the registry
  • Flag discrepancies and escalate for review
  • Maintain audit trails of all verification steps
  • Update verification when ownership changes are reported

Surcharging and Durbin Amendment Updates

Credit card surcharging regulations continue to evolve at the state level. As of 2025:

  • Several states have updated surcharging disclosure requirements
  • The card brands have tightened surcharging program registration requirements
  • New rules require clear, real-time disclosure of surcharge amounts before transaction completion

ISOs must ensure their merchants are registered with card brand surcharging programs and comply with applicable state laws. Non-compliance can result in fines, processor termination, and merchant chargebacks.

Preparing for What's Next

The regulatory environment will continue to evolve. To stay ahead:

  1. Invest in compliance automation. Manual compliance processes don't scale. Automated monitoring, reporting, and documentation tools reduce risk and cost.
  2. Build compliance into onboarding. Make regulatory requirements part of your merchant onboarding flow, not an afterthought.
  3. Maintain open communication with regulators. Engage with industry groups and regulatory bodies to understand upcoming changes before they become mandates.
  4. Partner with compliance-forward processors. Your payment processor should be your compliance partner, not just your technology provider.
