top of page

About merchant services.

What Is a Merchant Account?

A merchant account is a type of business bank account that allows a business to accept and process electronic payment card transactions. Merchant accounts require a business to partner with a merchant acquiring bank who facilitates all communications in an electronic payment transaction.

Merchant account relationships are essential for online businesses. These account relationships involve added costs which some brick and mortar establishments may choose not to pay by accepting only cash for deposits in a standard business deposit account.


  • A merchant account is a bank account specifically established for business purposes where companies can make and accept payments.

  • Merchant accounts allow, for instance, a business to accept credit cards or other forms of electronic payment.

  • Merchant account services often come with added fees, but also an array of services.

How Merchant Accounts Work

Merchant accounts are a key aspect of business operations for most merchants. Merchants have a variety of options when choosing a merchant account service provider with transaction costs being a key component in the decision. Merchant accounts are provided by merchant acquiring banks which partner with merchants to facilitate electronic payments.

If a brick and mortar business chooses not to accept electronic payments and only allows for cash, then they would not necessarily need to establish a merchant account and could rely on just a basic deposit account at any bank. Online businesses, however, are required to establish merchant account partnerships as part of their business operations since electronic payments are the only option for customers in making purchases.

Merchant Acquiring Bank Services

A merchant must establish a merchant account with a merchant acquiring bank if they plan to offer electronic payment options for their goods or services. Merchant acquiring banks play a key role in the electronic payment process and are essential for efficient processing and settlement of payment transactions.

Merchant acquiring banks and businesses establish merchant accounts through a detailed merchant account agreement that outlines all of the terms involved with the relationship. Key terms include the per-transaction costs the bank will charge, the bank’s card processing network, established fee structures with the network of card processors, and any monthly or annual fees the bank charges for various services.

Transaction Processing

In an electronic payment transaction, a business sends card communications through an electronic terminal to the merchant acquiring bank. The merchant acquiring bank then contacts the branded card processor who contacts the card issuer. The card issuer authenticates the transaction through various approvals that include fund availability checks and security checks. Once authenticated the approval is sent to the merchant acquiring bank through the network processor. If approved, the merchant acquiring bank authorizes the transaction and begins settlement of the funds in the merchant’s account.

All of the card communications occur within a matter of minutes and incur various fees for the merchant which are deducted from the merchant account. The merchant acquiring bank charges the merchant a per-transaction fee. The network processor also charges the merchant a per-transaction fee. 

Merchant acquiring banks also charge merchants monthly fees as well as any special situation fees. The monthly fee on a merchant account is paid to the merchant acquiring bank for covering certain electronic payment card risks that might arise from a transaction as well as for the service of settling transaction funds.






What Is An ISO?

An Independent Sales Organisation, or as it is most commonly known, an ISO, is a denomination given to a third-party organisation that is not an Association member (such as Visa or MasterCard), but that has a relationship with member banks. Basically, they have a relationships with one or several processing banks, even though they’re not a bank themselves. This organisation could be a company or an individual, and their partnership with these banks allows them to provide different services for consumers.

The main purpose of the ISO is to provide merchant services, card payment solutions to businesses on behalf of the bank or larger financial organisation, where they might have a limited sales and customer service team. Due to this limited resourse, the bank or larger financial organisation will prefer to deal with larger customers as they struggle to service the smaller SME. Many merchants will often struggle with dealing with customer service and they are also slower to react to moves in the industry,  for example the latest technology or pdq machines, which is why they rely on an ISO to fill the gaps.


The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. It was launched on September 7, 2006, to manage PCI security standards and improve account security throughout the transaction process. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. Interestingly, the payment brands and acquirers are responsible for enforcing compliance, rather than the PCI SSC.

In order to provide an extensive resource on PCI compliance, this article includes:

  • A detailed overview of PCI SSC Data Security Standards (along with multiple resources for further review).

  • The 12 requirements of PCI DSS Compliance listed out and explained.

  • Benefits of PCI Compliance.

  • Potential setbacks of being non-compliant.

  • A roundup of collected tips from 18 PCS DSS experts.


In an effort to enhance payment card data security, the PCI Security Standards Council (SSC) provides comprehensive standards and supporting materials, which include specification frameworks, tools, measurements, and support resources to help organizations ensure the security of cardholder information at all times. The PCI DSS is the cornerstone of the council, as it provides the necessary framework for developing a complete payment card data security process that encompasses prevention, detection, and appropriate reaction to security incidents.

Tools and Resources Available from PCI SSC:

  • Self-Assessment Questionnaires to assist organizations in validating their PCI DSS compliance.

  • PIN Transaction Security (PTS) requirements for device vendors and manufacturers and a list of approved PIN transaction devices.

  • Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to help software vendors and others develop secure payment applications.

  • Public resources:

    • Lists of Qualified Security Assessors (QSAs)

    • Payment Application Qualified Security Assessors (PA-QSAs)

    • Approved Scanning Vendors (ASVs)

    • Internal Security Assessor (ISA) education program



Firewalls essentially block access of foreign or unknown entities attempting to access private data. These prevention systems are often the first line of defense against hackers (malicious or otherwise). Firewalls are required for PCI DSS compliance because of their effectiveness in preventing unauthorized access.


Routers, modems, point of sale (POS) systems, and other third-party products often come with generic passwords and security measures easily accessed by the public. Too often, businesses fail to secure these vulnerabilities. Ensuring compliance in this area includes keeping a list of all devices and software which require a password (or other security to access). In addition to a device/password inventory, basic precautions and configurations should also be enacted (e.g., changing the password).


The third requirement of PCI DSS compliance is a two-fold protection of cardholder data. Card data must be encrypted with certain algorithms. These encryptions are put into place with encryption keys — which are also required to be encrypted for compliance. Regular maintenance and scanning of primary account numbers (PAN) are needed to ensure no unencrypted data exists.


Cardholder data is sent across multiple ordinary channels (i.e., payment processors, home office from local stores, etc.). This data must be encrypted whenever it is sent to these known locations. Account numbers should also never be sent to locations that are unknown.


Installing anti-virus software is a good practice outside of PCI DSS compliance. However, anti-virus software is required for all devices that interact with and/or store PAN. This software should be regularly patched and updated. Your POS provider should also employ anti-virus measures where it cannot be directly installed.


Firewalls and anti-virus software will require updates often. It is also a good idea to update every piece of software in a business. Most software products will include security measures, such as patches to address recently discovered vulnerabilities, in their updates, which add another level of protection. These updates are especially required for all software on devices that interact with or store cardholder data.


Cardholder data is required to be strictly “need to know.” All staff, executives, and third parties who do not need access to this data should not have it. The roles that do need sensitive data should be well-documented and regularly updated — as required by PCI DSS.


Individuals who do have access to cardholder data should have individual credentials and identification for access. For instance, there should not be a single login to the encrypted data with multiple employees knowing the username and password. Unique IDs creates less vulnerability and a quicker response time in the event data is compromised.


Any cardholder data must be physically kept in a secure location. Both data that is physically written or typed and data that is digitally-kept (e.g., on a hard drive) should be locked in a secure room, drawer, or cabinet. Not only should access be limited, but anytime the sensitive data is accessed, it should be kept in a log to remain compliant.


All activity dealing with cardholder data and primary account numbers (PAN) require a log entry. Perhaps the most common non-compliance issue is a lack of proper record keeping and documentation when it comes to accessing sensitive data. Compliance requires documenting how data flows into your organization and the number of times access is needed. Software products to log access are also needed to ensure accuracy.


All ten of the previous compliance standards involve several software products, physical locations, and likely a few employees. There are many things that can malfunction, go out of date, or suffer from human error. These threats can be limited by fulfilling the PCI DSS requirement for regular scans and vulnerability testing.


Inventory of equipment, software, and employees that have access will need to be documented for compliance. The logs of accessing cardholder data will also require documentation. How information flows into your company, where it is stored, and how it is used after the point of sale will also all need to be documented.


Complying with PCI Security Standards seems like a daunting task, at the very least. The maze of standards and issues seems like a lot to handle for large organizations, let alone smaller companies. Yet, compliance is becoming more important and may not be as troublesome as you assume, especially if you have the right tools.

According to PCI SSC, there are major benefits of compliance, especially considering that failure to comply may result in serious and long-term consequences. For example:

  • PCI Compliance means that your systems are secure, and your customers can trust you with their sensitive payment card information; trust leads to customer confidence and repeat customers.

  • PCI Compliance improves your reputation with acquirers and payment brands – just the partners your business needs.

  • PCI Compliance is an ongoing process that aids in preventing security breaches and payment card data theft in the present and in the future; PCI compliance means you are contributing to a global payment card data security solution.

  • As you try to meet PCI Compliance, you’re better prepared to comply with additional regulations, such as HIPAA, SOX, and others.

  • PCI Compliance contributes to corporate security strategies (even if only a starting point).

  • PCI Compliance likely leads to improving IT infrastructure efficiency.


PCI SSC also points to potentially disastrous results of failing to meet PCI Compliance. After working to build your brand and secure customers, don’t take a chance with their sensitive information. By meeting PCI Compliance, you are protecting your customers so they can continue to be your customers. Possible results of PCI Non-Compliance include:

PCI Compliance, as with other regulatory requirements, can pose challenges to organizations that are not prepared to deal with protecting critical information. But, protecting data is a much more manageable task with the right software and services. Choose a data loss prevention software that accurately classifies data and uses it appropriately so you can rest more easily knowing that your cardholder data is secure.

  • Compromised data that negatively impacts consumers, merchants, and financial institutions.

  • Severely damaging your reputation and your ability to conduct business effectively, not just today, but into the future.

  • Account data breaches that can lead to catastrophic loss of sales, relationships, and community standing; plus, public companies often see depressed share price as result of account data breaches.

  • Lawsuits, insurance claims, canceled accounts, payment card issuer fines, and government fines.

How a merchant account works
Online Payments

In simple terms, a payment gateway is a network through which your customers transfer funds to you. Payment gateways are very similar to the face-to-face, point-of-sale terminals used at most brick-and-mortar stores. When using a payment gateway, customers and businesses need to work together to make a transaction. The payment gateway – is the technology used by merchants to authenticate and securely transfer payment data between the various parties involved in the transaction process. Once the payment is approved or declined by the parties involved, the payment gateway sends back the relevant message to the merchant. 

How does a payment gateway work?

Now that you’ve understood why a payment gateway is, we can see how it works throughout the payment journey. This also includes the steps taken during payment card processing – i.e., authorisation, capture, and settlement.

  1. When the customer selects the products/services they want to purchase, they proceed to the payment page of an eCommerce website. Most payment gateways offer different options for a checkout page. The payment gateway offers tailored options for your payment page that match your business needs.

  2. The customer enters their credit or debit card details on the payment page, including the cardholder’s name, home address, card number, card expiration date and card verification value (CVV) number. This information is securely passed onto the payment gateway depending on the merchant's preferred integration (hosted payment page, server-to-server integration, or client-side encryption).

  3. The payment gateway encrypts the card details and performs fraud checks before sending the card data to the acquirer.

  4. The acquirer securely sends the information to the card schemes which carry out another layer of fraud checks, and the schemes transmit the payment data to the issuer for payment authorisation.

  5. Authorisation – The issuer authorises the transaction once it performs the necessary fraud screening – namely, it validates the transaction information and ensures the cardholder has adequate funds for the purchase and/or that the bank account is valid. The issuer's approved or declined payment message is transferred from the card schemes to the acquirer.

  6. The acquirer sends the approval or decline message back to the payment gateway which then transmits the message to the merchant. Based on the message, the merchant may either display a payment confirmation page or ask the customer to provide another payment method.

  7. Card capture requests – once the authorisation is completed, the merchant can “capture” the amount for the purchase from the buyer to the merchant account. The customer will not be billed until the capture has occurred, but the funds are reserved, and their card limit is reduced.

  8. Settlement – if the payment is approved, the acquirer collects the payment amount from the issuing bank and puts the funds ‘on hold’ into the merchant account (more on the merchant account below). When the actual settlement will happen depends on the agreement the merchant has with their payment service provider.

Both merchants and customers benefit from a payment gateway, although most of its activity happens behind the scenes of the payment process. All the steps mentioned above can happen in near real-time or take a few seconds.

Security features of a payment gateway

Dealing with confidential payment card data, security and compliance is the number one priority for payment gateways. As we explored above, however, just as digitalisation has enabled eCommerce sales to thrive, so too have online businesses and their customers become more vulnerable to cybercriminals. In fact, online payment fraud globally is expected to hit $48 billion by 2023, which makes the payment security that payment gateways provide all the more important.

Investing in robust risk management solutions that can help detect and deter online fraudulent transactions is key and having the right payment gateway on your side is a great start. 

Intelligent fraud prevention for merchants

Reduce fraud and chargebacks while increasing conversion with our industry-leading fraud solution.

Reduce fraud exposure

Advanced machine learning models cut chargebacks and false positives.

Optimise acceptance rates

We offer a multi-layered solution for frictionless payments by genuine customers.

Supports safe business expansion

Flexible rules and scalable technology ensure the safe launch of new customer journeys or payment types.

Reduce operational costs

Automated decision-making saves time and reduces manual effort.

Chat with our friendly team and we can show you how we can support your business.

bottom of page