Main Content

Compliance and Regulatory

Compliance and Regulatory

Dealing with extremely sensitive personal and financial information, the electronic payments industry is understandably, highly regulated. At TSYS®, we take security very seriously and comply with all applicable regulations. Learn more about PCI compliance, W9 validation and EMV.

PCI Compliance

To be PCI compliant, your business must meet the PCI Data Security Standards (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of major credit card companies including — Visa®, Mastercard®, Discover® and American Express®.

These requirements apply to all merchants who process, store, or transmit credit, debit, or prepaid card information, and are designed to help you a secure transaction environment.

TSYS can help you become and remain PCI DSS compliant, even as requirements change. Our program consists of these comprehensive components:

  • Our Self-Assessment Questionnaire(SAQ) is an intuitive and easy-to-use tool with qualification steps that helps you easily determine your Validation Type. It is supplemented with expert help text and real-life examples.
  • External scanning detects network vulnerability for merchants with external-facing IP addresses, and finds holes in web-based applications. TSYS then issues easy-to-understand reports that detail the results, prioritize vulnerabilities, and provide assistance for remediation. 
  • For an individualized approach to compliance, TSYS offers a set of custom security policies as well as policy templates that are automatically generated based on how your business processes payment cards. 
  • Security awareness training, that satisfies PCI DSS requirements, assures that you are prepared to handle sensitive credit card information and eliminating the need to purchase a costly training program from a third-party provider. 

Although PCI compliance protects both merchants and cardholders, there is no law requiring it. However, PCI compliance is a contractual obligation between merchants and the major card brands that comprise the PCI SSC, and noncompliant merchants who experience a data breach are subject to fines, expensive audits, other associated costs.  Most significantly, non-compliance increases your exposure to direct and potentially fatal risks to your business reputation.

PCI compliance is not an expensive proposition, nor does it require a great deal of your time or effort. It’s an excellent investment in security and peace of mind. When you’re ready to become PCI compliant, TSYS is ready to help.

W-9 Validation

Under Section 6050W of the Housing and Economic Recovery Act of 2008, all payment settlement entities — including merchant services providers and financial institutions — must report their merchant customers’ annual gross payment card transactions to the IRS on Form 1099-K.

Transactions include those processed by credit, debit or co-branded cards and third-party network transactions, such as flexible spending accounts.  Information from the form will be used by the IRS to verify financial data it receives from other sources, and a copy of the form will also be given to you.

To comply with W-9 regulations, TSYS asks that you provide a Form W-9 that is completely filled out, including legal business name, address and taxpayer identification number (typically the EIN). All this information must match your filed tax forms in order to be valid.

Merchants who do not comply with W-9 validation could be subject to backup withholding equal to 28% of your gross payment card transactions. Avoid any consequences by taking a proactive approach to compliance. For questions regarding W-9 validation and its impact on your business, ask your tax professional for guidance.


Credit card processing in the United States is catching up with the rest of the world, adopting EMV technology to replace the magnetic stripe technology used for the last four decades.  EMV (the acronym stands for Europay/MasterCard/Visa) is widely regarded as being more secure.

Another goal of the EMV is for credit cards and payment terminals to work together throughout the world. In mid-2012, more than 1.5 billion EMV payment cards were in use worldwide, and 76 percent of all credit card terminals globally were based on EMV. The U.S. is one of the last nations to adopt EMV technology.

EMV cards are also called chip-and-PIN and smartcards. They are equipped with an embedded microprocessor chip that stores the data and instructions needed to process a purchase — information that was previously stored on the mag stripe on the back of payment cards.

There are two types of EMV cards. Contact cards are inserted into a terminal, and contactless cards are waved or tapped in front of the card reader and communicate with it through radio frequency (RFID) or near field communication (NFC).

Smartcards are considered to be significantly more secure than mag stripe cards because the chip’s contents are protected by two different encryption technologies. Data on mag stripe cards remains static, which means if the card is stolen or the data hacked, a new counterfeit card can be created and the cardholder’s identity can be used to open other accounts. The encryption technologies used in EMV makes such fraud far less likely. In fact, it has been reported that credit card fraud has dropped significantly in countries where encrypted EMV cards are used.

EMV transactions are also usually quicker than mag stripe card transactions because the terminal and card communicate directly with each other to verify the authenticity of the transaction.

The implementation of EMV technology in the U.S. is well underway.  Both Visa and Mastercard set compliance deadlines for merchant services providers and their clients that began in April 2013 and ended with a liability shift in October 2015 (October 2017 for gas stations).

The liability shift means that whichever party causes a contact chip transaction not to occur is financially liable for any resulting card-present counterfeit fraud losses. In simple terms, if you don’t have equipment that can support chip technology and this lack of equipment causes the fraud, you will be held financially liable.

The adoption of EMV technology requires that you upgrade your hardware and software to accommodate the new chip-and-PIN cards. You must also continue to maintain PCI compliance through annual SAQ completion and quarterly external vulnerability scanning.

TSYS offers the most up-to-date EMV equipment available on the market. Make sure your business is compliant, and protected from the liability shift. 

Money In, Money Out

Your merchant statement actually looks more complicated than it really is. Each section of the statement is organized to inform you of two things:

  1. Deposits from customer purchases you processed
  2. Fees you are paying for merchant services

 Deposits are itemized individually, showing you the purchase date, purchase amount and type of card used. If you had a good sales month, this section may take up a few pages. You can compare this list to your own saved receipts or invoices. If you’re using an online reporting system and keeping track throughout the month, you’ve already got this step covered.

Processing Fees

Fees come in several different types but they are organized in groups to help you understand them easily. For example, the discount rate is a percentage of each transaction amount that is deducted from that transaction. Discount rates change according to the type of transaction, and you may see different rates for different transactions. You agreed to your discount rates when you signed up with your merchant services provider and you can see the rates on your statement in the legend area. Contact your merchant services provider if you don’t know or understand your discount rates.

A transaction fee is a flat fee, charged in cents, that is deducted from every card transaction. You also agreed to this fee when you signed up with your merchant services provider. Unlike discount rates, transaction fees are the same for every transaction.

Monthly fees are charged for various merchant services and vary depending on the type of processing your business performs, your pricing plan and other aspects of your merchant agreement. If you have any questions about these fees, contact your merchant services provider and ask for a full explanation.

Miscellaneous fees are charged on a non-regular basis for different reasons. There may be a new government regulatory fee that is charged annually or quarterly. Or there may be an industry fee for such things as PCI compliance. If you ever have questions about miscellaneous fees, your merchant services provider can answer them for you.

The Bottom Line

Once you can distinguish the deposits and fees listed on your merchant statement, you’ll have a better understanding of your net profit each month. You may notice patterns in your transactions that indicate the need to make some changes to your merchant account agreement. It’s important for you to understand your statement and the numbers on it so you can make informed decisions about the financial future of your business.

As a merchant services provider, TSYS works to helps explain to our customers the most cost-effective rates and fees. If you’re not getting that kind of service from your current processor, consider making a switch to TSYS for more choices, support and all the information you need to help you save money and grow your business.

Contact Us
About Our
Merchant Services

For Merchant Sales:

Customer Support Form.