Card scheme compliance: what businesses need to know before onboarding

I have been running COREDO since 2016 and see every day that companies are helped not only by proper legal entity registration or timely licensing, but also by finely tuned card scheme compliance — meeting payment system requirements. This is an area where strategy, regulation and technology converge. And if you do this excellently here, business scaling, multi-currency processing and entering new markets become matters of planning rather than luck.

In this article I have gathered my position as the founder of COREDO and the team’s experience from projects in the EU, the United Kingdom, Singapore, Dubai, the Czech Republic, Slovakia, Cyprus and Estonia. I will try to analyze the key elements of card scheme compliance (Visa, Mastercard and American Express), show the roadmap for merchant accreditation with the card schemes, the technical and AML/sanctions requirements, as well as steps to reduce risks and increase ROI. This is not a bird’s-eye overview: it is a practicum based on the cases and methodologies we use at COREDO.

Card scheme compliance for businesses

Card scheme compliance is not a single certificate and not a ‘letter from the bank’. It is an end-to-end ecosystem: from contractual relationships with the acquirer and PSP to PCI DSS, 3‑D Secure, AML/KYC, PSD2 SCA, sanctions monitoring and incident response processes. Any weak point quickly becomes a source of scheme fines, merchant blocks, or an increase in the chargeback ratio above thresholds.

Our experience at COREDO has shown that a successful project always starts with a precise definition of the goal: where and how you will accept cards (CNP or POS), how complex the business model is (marketplace, crypto services, subscriptions, forex, financial services), what transaction profile and MCC are expected, how the cashflow is structured (settlement periods, escrow/rolling reserve), and which jurisdictions participate in the data flow (data localization and cross-border transfer of payment data). These answers determine scheme requirements, the PCI scope and the architecture of technical integration.
COREDO’s practice confirms: if at the start you agree with the acquirer on underwriting criteria, MCC, limits, KYB/UBO disclosure, DCC rules, cross-border processing and responsibility for chargebacks, merchant accreditation with the card scheme proceeds faster and without a ‘pause for rework’.

Scheme requirements and contractual relationships

Visa merchant rules, Mastercard rules and American Express specifications form the basic rulebook for each role: merchant, PSP, processor, acquiring bank. I recommend keeping the following in focus:

  • Visa and Mastercard requirements for merchants: permitted models, restrictions on crypto payments, rules for recurring payments and storage of card-on-file, chargeback ratio thresholds.
  • American Express enrollment requirements: a separate onboarding process to the AmEx payment system with checks for industry risk and the pricing model.
  • Acquiring bank underwriting criteria: financial stability, risk model, refund policy, fraud policy and customer support SLA.
  • Acquiring agreement and scheme terms: interchange++, settlement periods, rolling reserve/escrow, indemnities and allocation of liability (merchant fraud liability allocation).
  • Merchant category code (MCC) classification and risks: an incorrect MCC leads to increased fees, bans, or escalations.
  • BIN sponsoring risks and liability: if you operate as a PSP/fintech with your own BIN, BIN range management, compliance with network rules and control of the scoring profile are important.
The COREDO team has repeatedly moderated three-party negotiations (merchant – PSP – acquiring bank), where the final commercial offer changed after clarifying the MCC, SCA flow and sanctions control. Result: lower interchange++ due to correct classification, stable settlement periods and predictable margins.

Connecting a merchant to the payment system

To shorten the onboarding cycle for acquiring and accreditation with card schemes, we follow the merchant onboarding checklist step by step:

  • KYB and beneficiary verification before onboarding: beneficial ownership disclosure, UBO requirements, ownership structure, sources of funds.
  • AML and KYC requirements when onboarding acquiring: identification policy, anti‑money laundering transaction thresholds, suspicious activity report (SAR) procedure.
  • Sanctions compliance rules: EU lists, OFAC and global sanctions lists, client and counterparty screening, geoblocking.
  • PSP Due Diligence requirements and checklists: third party vendor risk assessments, contractual SLAs and provider audit procedures.
  • Compliance governance and internal payments policy: roles, RACI matrix, regular audit, training.
  • Collection and submission of reporting to card schemes: format, timelines, responsible persons.
In one of the projects for a marketplace from Singapore, the solution developed by COREDO included enhanced sanctions screening at the PSP and merchant level with a single registry of alerts and SLA response times. This allowed the acquirer to approve increased limits and accelerate the accreditation timeline.

PCI DSS, 3-D Secure, tokens, encryption

The technical scope is half the success of card scheme compliance. Here it is important to minimize the PCI scope without compromising UX and security.
  • PCI DSS requirements for merchants: defining role and PCI scope, choosing an SAQ profile (PCI SAQ A, SAQ A‑EP, SAQ D — differences and selection).
  • PCI DSS certification before onboarding: the role of a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), internal and external scans, remediation.
  • Encryption: encryption at rest and in transit, P2PE (point-to-point encryption) for businesses on POS.
  • Card tokenization and scheme compliance: vaulted vs vaultless tokenization, minimizing PCI scope through tokenization, choosing a token service provider and integration.
  • Hosted payment page as a way to reduce PCI scope: moving card collection to a certified HPP.
  • Requirements for storing and protecting card data: PAN truncation, key management, secrets and key rotation.
  • 3‑D Secure implementation and compliance: merchant plug-in (MPI), risk-based authentication, dynamic 3‑D Secure and frictionless flow, liability shift and its impact on merchant liability.
  • Acquirer API integration and ISO 8583: technical integration checklist (API, webhooks, callbacks), ISO 8583 message profile and testing, sandbox testing of integration with schemes’ sandbox environments.
In a recent case for a fintech from Estonia, the COREDO team implemented a transition from SAQ A‑EP to SAQ A by using a hosted payment page and vaultless tokenization with a certified TSP. This shortened the audit cycle, reduced the cost of QSA assessments and simplified the rollout of 3DS 2.2 with frictionless flow support for low‑risk transactions.
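The scope reduction described above only holds if raw card numbers never reach your own systems, and the place they most often leak into is logging. The following Python is an added example, not COREDO's code or any project's own tooling: it finds PAN candidates in a log line, filters false positives with the Luhn check, and truncates genuine PANs to first six/last four (a PCI DSS-permitted display format). The log lines are constructed; 4111111111111111 is the public Visa test number, and the trace id is deliberately not Luhn-valid.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not part of a longer digit run (e.g. an order or trace id).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by card numbers; filters out most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits; the middle is replaced, so the
    result is no longer cardholder data and may be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN candidate in a log line with its truncated form."""
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw  # not a card number: leave the text alone
    return PAN_CANDIDATE.sub(_replace, line)


def contains_pan(text: str) -> bool:
    """True if the text carries a raw PAN; use it as a guard on request bodies
    and log sinks that are supposed to carry only tokens from the HPP/TSP."""
    return scrub_log_line(text) != text


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO auth ok card=4111111111111111 amount=1999 cur=EUR",
    "2024-05-01T10:00:01Z INFO hpp token=tok_7f3a trace=1234567890123456",
    "2024-05-01T10:00:02Z WARN retry card=4111 1111 1111 1111 rc=05",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
```

Run it as a filter in front of the log shipper, and wire `contains_pan` into the integration tests of any endpoint that should only ever see tokens: a test that fails the moment a raw PAN appears in a request body or a log sink is the cheapest way to keep an SAQ A architecture from silently drifting back into SAQ A-EP or SAQ D territory.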

Regulation of PSD2, SCA, GDPR, AML and eIDAS

The regulatory environment sets the boundary conditions for card scheme compliance, especially in the EU and the UK.

  • PSD2 and SCA impact on card scheme compliance: strong customer authentication as the base layer for CNP, exemptions and the transaction risk analysis (TRA) methodology.
  • GDPR in payment data processing: legal bases, data minimization, DPAs with providers, cross-border data transfers.
  • eIDAS electronic identification for merchants: legal force of electronic signatures and identifications in onboarding.
  • FATF recommendations and the EU’s AMLD5/AMLD6 requirements for payment providers: risk‑based approach, customer due diligence, ongoing monitoring.
In one project for an online retailer in the Czech Republic we adapted TRA rules for SCA exemptions using fraud scoring and device fingerprinting. The result: up to 22% of transactions were processed frictionlessly, while the chargeback ratio remained below the schemes’ thresholds.
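To make the TRA mechanics concrete, here is an added Python example (not COREDO's code): it computes the acquirer's reference fraud rate, maps it to the exemption threshold bands of the PSD2 RTS on SCA (0.13%, 0.06% and 0.01% of remote card value, giving EUR 100, 250 and 500 respectively), combines that with a real-time risk score to decide whether to request the exemption, and handles the issuer's soft decline by retrying with a 3DS challenge. The fraud figures, the risk score and the `SOFT_DECLINE_CODES` set are assumptions; confirm the response codes against your acquirer's specification.

```python
from dataclasses import dataclass

# Reference fraud-rate bands from the PSD2 RTS on SCA (Art. 18 and the Annex):
# (maximum fraud rate as a fraction, exemption threshold value in EUR).
TRA_BANDS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]

# Assumption: scheme "soft decline" codes meaning "SCA required, retry with a
# challenge"; check the exact values in your acquirer's integration guide.
SOFT_DECLINE_CODES = {"1A", "65"}


def fraud_rate(fraudulent_value_eur: float, total_value_eur: float) -> float:
    """Reference fraud rate (RTS Art. 19): value of unauthorised or fraudulent
    remote card transactions divided by the value of all remote card
    transactions, computed on a rolling quarterly basis."""
    if total_value_eur <= 0:
        raise ValueError("no transaction volume to compute a rate from")
    return fraudulent_value_eur / total_value_eur


def tra_threshold_eur(rate: float):
    """Highest transaction value the TRA exemption may cover at this fraud rate,
    or None when the rate exceeds 0.13% and TRA cannot be used at all."""
    for max_rate, threshold in TRA_BANDS:
        if rate <= max_rate:
            return threshold
    return None


@dataclass
class RemoteCardTx:
    amount_eur: float
    risk_score: float  # real-time score from the merchant/acquirer model: 0 clean, 1 fraud


def choose_flow(tx: RemoteCardTx, acquirer_rate: float, risk_cutoff: float = 0.2) -> str:
    """'tra' requests the acquirer TRA exemption (frictionless; fraud liability
    stays on the acquiring side), 'challenge' sends the cardholder through 3DS."""
    threshold = tra_threshold_eur(acquirer_rate)
    if threshold is not None and tx.amount_eur <= threshold and tx.risk_score < risk_cutoff:
        return "tra"
    return "challenge"


def after_authorisation(flow: str, response_code: str) -> str:
    """Handle the issuer's answer: an exemption request can be soft-declined,
    and the only correct reaction is to retry the payment with a 3DS challenge."""
    if flow == "tra" and response_code in SOFT_DECLINE_CODES:
        return "retry_with_challenge"
    if response_code == "00":
        return "approved"
    return "declined"


if __name__ == "__main__":
    # Constructed figures: EUR 9,000 of fraud on EUR 20,000,000 of remote volume.
    rate = fraud_rate(9_000, 20_000_000)                  # 0.045% -> EUR 250 band
    print(rate, tra_threshold_eur(rate))
    print(choose_flow(RemoteCardTx(180.0, 0.05), rate))   # tra
    print(choose_flow(RemoteCardTx(300.0, 0.05), rate))   # challenge
    print(after_authorisation("tra", "1A"))               # retry_with_challenge
```

Two practical points follow from the code. The fraud rate is the acquirer's, not the merchant's, so a merchant with excellent fraud figures still inherits the band of its acquiring portfolio; and because a TRA exemption keeps fraud liability on the acquiring side, the `risk_cutoff` is a commercial decision about how much frictionless conversion is worth relative to the chargebacks it will cost.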

Anti-fraud, chargebacks, risk monitoring

A strong anti‑fraud model and chargeback management are key to profitability and to smooth relationships with the schemes.

  • Card‑not‑present (CNP) risk models: device fingerprinting, behavioral analytics, velocity rules.
  • Fraud scoring models and threshold tuning: A/B testing of thresholds, seasonality, MCC specifics.
  • Transaction monitoring algorithms and trigger scenarios: high‑risk geo, repeated attempts, test cards.
  • Chargeback management and scheme requirements: merchant chargeback ratio calculation and monitoring, retrieval request handling and SLA, chargeback representment process and best practices.
  • Chargeback ratio threshold requirements of the schemes: control at BIN/merchant level, early alerts, predictive analytics.
COREDO practice: for a merchant from Dubai we implemented a multi‑level model – from pre‑auth scoring to adaptive 3DS with RBA. The chargeback ratio dropped below the control threshold, which allowed us to revise the rolling reserve and improve cash flow.
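The velocity rules and the chargeback ratio mentioned above are simple enough to show end to end. The following Python is an added example, not COREDO's code: it runs two sliding-window rules (card testing from one device, repeated declines on one card) over a constructed transaction feed, and computes the monthly chargeback ratio under the two denominator conventions used by scheme monitoring programmes. The feed, the window sizes and the programme thresholds in `breaches_programme` are illustrative assumptions; take live thresholds from your acquirer.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed (not real data): ISO timestamp, device fingerprint,
# card token (never a raw PAN), amount in minor units, authorisation result.
FEED = [
    ("2024-05-01T10:00:00", "dev-A", "tok-1", 100, "declined"),
    ("2024-05-01T10:00:05", "dev-A", "tok-2", 100, "declined"),
    ("2024-05-01T10:00:09", "dev-A", "tok-3", 100, "declined"),
    ("2024-05-01T10:00:14", "dev-A", "tok-4", 100, "declined"),
    ("2024-05-01T10:00:20", "dev-A", "tok-5", 100, "approved"),
    ("2024-05-01T10:00:25", "dev-A", "tok-6", 100, "declined"),
    ("2024-05-01T11:30:00", "dev-B", "tok-9", 4999, "approved"),
    ("2024-05-01T11:31:00", "dev-C", "tok-9", 4999, "declined"),
    ("2024-05-01T11:32:00", "dev-D", "tok-9", 4999, "declined"),
    ("2024-05-01T11:33:00", "dev-E", "tok-9", 4999, "declined"),
]


def velocity_alerts(feed, window=timedelta(minutes=5),
                    max_cards_per_device=5, max_declines_per_card=3):
    """Sliding-window velocity rules; each rule fires once per key.
    card_testing: more than max_cards_per_device distinct tokens from one device
      inside the window (a stolen-card checker probing small amounts).
    decline_velocity: max_declines_per_card or more declines on one token inside
      the window (expiry/CVV guessing, or a blocked card being retried)."""
    tokens_by_device = defaultdict(deque)
    declines_by_token = defaultdict(deque)
    alerts, fired = [], set()
    for ts_s, device, token, _amount, result in sorted(feed):
        ts = datetime.fromisoformat(ts_s)

        q = tokens_by_device[device]
        q.append((ts, token))
        while ts - q[0][0] > window:
            q.popleft()
        if len({t for _, t in q}) > max_cards_per_device and ("card_testing", device) not in fired:
            fired.add(("card_testing", device))
            alerts.append(("card_testing", device, ts.isoformat()))

        if result == "declined":
            d = declines_by_token[token]
            d.append(ts)
            while ts - d[0] > window:
                d.popleft()
            if len(d) >= max_declines_per_card and ("decline_velocity", token) not in fired:
                fired.add(("decline_velocity", token))
                alerts.append(("decline_velocity", token, ts.isoformat()))
    return alerts


def chargeback_ratio(chargebacks, sales, month, lag_months=0):
    """chargebacks and sales map 'YYYY-MM' to counts. lag_months=0 divides the
    month's chargebacks by the same month's sales, lag_months=1 by the previous
    month's sales; both conventions appear in scheme monitoring programmes, so
    compute the one your acquirer reports against."""
    year, mon = (int(x) for x in month.split("-"))
    mon -= lag_months
    while mon < 1:
        mon += 12
        year -= 1
    base = sales.get(f"{year:04d}-{mon:02d}", 0)
    if base == 0:
        raise ValueError("no sales volume in the denominator month")
    return chargebacks.get(month, 0) / base


def breaches_programme(count, ratio, min_count=100, max_ratio=0.009):
    """Scheme programmes trip on a chargeback count AND a ratio in the same
    month. The defaults are illustrative assumptions, not a scheme's values."""
    return count >= min_count and ratio >= max_ratio


if __name__ == "__main__":
    for alert in velocity_alerts(FEED):
        print(alert)
    sales = {"2024-04": 12000, "2024-05": 10000}
    cbs = {"2024-05": 95}
    print(chargeback_ratio(cbs, sales, "2024-05"), chargeback_ratio(cbs, sales, "2024-05", lag_months=1))
```

The `fired` set matters operationally: a rule that re-alerts on every transaction after the threshold is crossed floods the queue during exactly the attack it is meant to catch. The lagged denominator also explains a common surprise, namely that a month of falling sales after a fraud wave can push the reported ratio up even when chargeback counts are flat.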

POS channel: EMV, POS certification and NFC

If you have a mixed channel (online and offline), do not ignore the requirements for POS infrastructure.
  • EMV and chip-and-pin requirements for POS: terminal certification, coordination with the acquirer on profiles.
  • Point-of-sale (POS) certification and compatibility level: compliance with scheme specifications, biometrics and fallback procedures.
  • NFC contactless limits and scheme policies: dynamic limits, country-specific policies.
In a project in Slovakia, we achieved compatibility of the terminal fleet with P2PE and EMV Level 2/Level 3, which reduced merchant liability for fraud and provided access to updated contactless limits.

Interchange++, DCC, settlements and reconciliations

Financial mechanics directly affect a merchant’s P&L and compliance ROI.

  • Interchange fees and impact on margin: interchange++ and blended models, influence of MCC, geography and card product level.
  • Settlement periods and settlement mechanics: payout frequency, cut-off times, holds and adjustments.
  • Dynamic currency conversion (DCC) and bank agreements: transparency for the cardholder, FX margin, regulatory constraints.
  • Reconciliation and statement mapping best practices: automated matching, period close SLA, control of fee lines.
In a case for a merchant in the United Kingdom the COREDO team set up reconciliation processes accurate down to scheme fee codes and implemented statement mapping for multiple PSPs. This reduced discrepancies and accelerated financial reporting for investors.

PSP and BIN partner ecosystem

Choosing technology and banking partners is a strategic decision that affects accreditation timelines and operational resilience.

  • Recommendations for selecting a processor and BIN sponsor: due diligence, technical SLA, level of certifications, roadmap of supported schemes.
  • Third party vendor risk assessments and SLAs: security audit, capacity redundancy, RTO/RPO.
  • Contractual SLAs for processing services: authorization time, availability, handling of reversals/refunds.
  • BIN range management and BIN allocation: geo-coverage, MCC profile, scheme rules.
  • Token service provider selection and integration: compatibility with mobile wallets and card scheme rules.
For a payment startup in Cyprus, we conducted vendor management with a focus on contractual indemnity clauses and liability insurance (merchant fraud liability allocation and insurance). This reduced legal risks and improved BIN sponsor terms.

Scaling: multi-currency / mobile wallets / recurring

Growth of transactional volume and entering new markets require a resilient architecture and compliance with cross‑border rules.

  • Multi-currency payment processing requirements: support for FX rates, local routing, restrictions on cross‑border processing.
  • Compatibility of mobile wallets and card scheme rules: tokenization, cryptograms, TSP integration.
  • Recurring payments and rules for storing card-on-file: separate transaction indicators, SCA exemptions, customer notifications.
  • Multi‑entity merchant structures compliance issues: risk allocation, overall chargeback ratio, end-to-end AML monitoring.
  • Data localization and cross-border transfer of payment data: local requirements of individual countries and SCC/similar mechanisms.
In one of the projects in Singapore, a solution developed at COREDO provided a single token vault for a group of companies with different merchant IDs and cross‑border routing. This helped preserve UX, minimize PCI scope and comply with local data storage rules.

Incidents, fines and resilience

Incidents happen even at mature organizations. It’s important not to deny the risk, but to be prepared.

  • Liability for card data leaks and fines: card scheme sanctions for non-compliance, case examples, reputational damage.
  • Plans for incidents and forensic investigation: incident response plan, forensic data capture requirements of the schemes, selection of an independent investigator.
  • Forensic data capture requirements of the schemes after an incident: logging, preservation of artifacts, chain of custody.
  • Data breach notification timelines and obligations: who and when to notify – schemes, acquirer, regulator, customers.
  • Operational resilience and the impact of DORA on payment processing: resilience requirements in the EU, testing crisis scenarios.
In the case of a provider from Estonia we ran IRP exercises involving the acquirer and PSP. After adjustments to logging and the notification runbook the bank confirmed the “maturity” of the processes, and the schemes relaxed requirements for the frequency of external scans.

Sanctions and AML framework

Scheme compliance is closely intertwined with AML/sanctions regulation, especially in cross-border situations.

  • Transaction monitoring and sanctions control rules: EU lists, OFAC, geo-blocking, PEP/adverse media, logs and escalations.
  • Suspicious activity report (SAR) procedure: triggers, timelines, interaction with the acquiring bank.
  • Beneficial ownership disclosure and UBO requirements: transparency of ownership and sources of funds.
  • Legal opinion for cross-border acquiring: when it is required and what issues it addresses.
The COREDO team supported a fintech company in the UK: we synchronized AML scenarios (TRA) with sanctions control and formalized SAR procedures. This simplified communication with the bank and sped up approval of increased transaction limits.

Accreditation timeline: audit/remediation

To meet deadlines you need a controlled schedule and clear execution oversight.

  • Timelines and stages of certification with payment schemes: preparation, testing, pilot, production accreditation, post-go-live monitoring.
  • Compliance audit and the role of the QSA: annual assessment, pentest, ASV scans, remediation of vulnerabilities.
  • Accreditation timeline and a checklist of steps: artifacts, demos, UAT results, scheme confirmations.
  • Remediation roadmap after non-compliance: suspension of functions, corrective measures, evidence base.
In one project for a PSP from the EU we built a roadmap with a buffer for ASV remediation and agreed it with the acquirer in advance. This allowed us to meet the go-live deadline despite vulnerabilities found at an early stage.

Economics of compliance: ROI and metrics

Card scheme compliance is an investment, and it needs to be measured.

  • Estimating ROI when implementing compliance: comparison of fines/leaks/chargebacks vs. the cost of 3DS, P2PE, tokenization and QSA.
  • Cost‑benefit analysis of implementing 3DS and P2PE: reduction of fraud and shift in liability vs. UX friction and investments in terminals.
  • Metrics to assess compliance ROI (NPS, ARPU, LTV): impact on retention, approval rates and the reduction of support opex.
  • Vendor management and contractual indemnity clauses: reduction of tail risks in monetary terms.
In a marketplace case in Estonia we calculated the economics of migrating to 3DS 2.2 with dynamic RBA: a conversion increase of 1.7 percentage points with a 38% reduction in chargebacks in risky segments produced a positive ROI in 4.5 months.

Technical details of integration

Final section on how to launch the integration without repeated approval cycles.

  • Technical integration checklist (API, webhooks, callbacks): idempotence, retries, signatures, monitoring, alerts.
  • ISO 8583 message profile and testing: correct response codes, reversals, chargeback reason codes.
  • Sandbox testing with scheme and acquirer environments: test cases for errors, offline handling, AAA scenarios.
  • Cross‑border processing limitations and rules: field localization, routing and fallback.
In a project for a forex broker in the EU, the COREDO team implemented an ISO 8583 adapter with code normalization and fallback to a secondary processor. As a result, the authorization SLA was met even under abnormal load during market peaks.
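The checklist items "idempotence, retries, signatures" describe one mechanism when seen from the callback side, and the following Python is an added example of it (not COREDO's code, and not any particular PSP's SDK): the PSP signs each callback with an HMAC over a timestamp and the raw body, the merchant verifies it in constant time before parsing anything, rejects callbacks outside a replay window, and processes each event id at most once so that PSP retries do not double-apply a status. The shared secret, the header layout and the sample event are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a per-endpoint shared secret issued by the PSP; keep it in a
# secrets manager, not in the repository.
WEBHOOK_SECRET = b"example-shared-secret-rotate-me"
TIMESTAMP_TOLERANCE_S = 300  # reject callbacks more than five minutes off


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the signature binds the
    time (replay window) as well as the exact bytes that were sent."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(body: bytes, ts_header: str, sig_header: str, now: int,
           secret: bytes = WEBHOOK_SECRET) -> str:
    """Returns 'ok' or the rejection reason. Runs on the raw bytes before any
    JSON parsing, and compares digests in constant time."""
    try:
        ts = int(ts_header)
    except (TypeError, ValueError):
        return "timestamp"
    if abs(now - ts) > TIMESTAMP_TOLERANCE_S:
        return "timestamp"
    try:
        if not hmac.compare_digest(sign(body, ts, secret), sig_header or ""):
            return "signature"
    except TypeError:          # non-ASCII or non-string header value
        return "signature"
    return "ok"


class WebhookHandler:
    """Processes PSP callbacks exactly once: duplicates (PSP retries, replays
    inside the tolerance window) are acknowledged but not re-applied."""

    def __init__(self):
        self.seen_event_ids = set()   # in production: a durable store with a TTL
        self.order_status = {}

    def handle(self, body: bytes, ts_header: str, sig_header: str, now: int) -> str:
        reason = verify(body, ts_header, sig_header, now)
        if reason != "ok":
            return f"rejected:{reason}"
        event = json.loads(body)
        event_id = event["event_id"]
        if event_id in self.seen_event_ids:
            return "duplicate"        # idempotent: same event, no second side effect
        self.order_status[event["order_id"]] = event["status"]
        self.seen_event_ids.add(event_id)
        return "processed"


# Constructed sample callback (not real PSP traffic).
SAMPLE_TS = 1_700_000_000
SAMPLE_BODY = json.dumps(
    {"event_id": "evt_0001", "order_id": "ord_9001", "status": "captured"},
    separators=(",", ":"),
).encode()
SAMPLE_SIG = sign(SAMPLE_BODY, SAMPLE_TS)

if __name__ == "__main__":
    h = WebhookHandler()
    print(h.handle(SAMPLE_BODY, str(SAMPLE_TS), SAMPLE_SIG, now=SAMPLE_TS + 5))         # processed
    print(h.handle(SAMPLE_BODY, str(SAMPLE_TS), SAMPLE_SIG, now=SAMPLE_TS + 5))         # duplicate
    print(h.handle(SAMPLE_BODY + b" ", str(SAMPLE_TS), SAMPLE_SIG, now=SAMPLE_TS + 5))  # rejected:signature
    print(h.handle(SAMPLE_BODY, str(SAMPLE_TS), SAMPLE_SIG, now=SAMPLE_TS + 900))       # rejected:timestamp
```

Two design choices deserve a sentence. Signing the raw bytes rather than a re-serialised JSON object avoids canonicalisation mismatches between the PSP's encoder and yours, which is the usual cause of "valid signature fails in production". And the same idea runs the other way for outbound calls: send a client-generated idempotency key with every authorisation or refund request so that your own retries after a timeout cannot create a second charge.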

How to speed up without sacrificing quality

I’ll compile final tips that systematically increase the chances of smooth accreditation and a favorable economic outcome:

  • From the outset, agree with the acquirer on MCC, risk model, SCA flow and sanctions controls. This is the basis of underwriting and a fair interchange++ price.
  • Minimize PCI scope: a hosted payment page + tokenization with a certified TSP often pay off faster than a “home-grown vault”.
  • On the online channel use 3DS 2.x with risk-based authentication and dynamic rules; for offline: P2PE and EMV compatibility.
  • Formalize AML/KYC/KYB and sanctions monitoring: thresholds, scenarios, SARs, audits and logs. This speeds up merchant accreditation with the card scheme.
  • Work through the contractual side: indemnities, fraud liability allocation, escrow/rolling reserve, settlement periods, DCC policy.
  • Build an incident response plan with forensic data capture requirements and procedures for notifying schemes/regulators within required timelines.
  • Resolve data localization and cross-border payment data transfer issues: these are common causes of delays in the EU and some Asian countries.
  • Use ROI metrics: NPS, ARPU, LTV, chargeback ratio, authorization conversion, compliance TCO. This makes it easier to justify investments to the board of directors.
  • Check compatibility with mobile wallets and card scheme rules in advance, including the choice of token service provider.
  • Plan operational resilience in the spirit of DORA: redundancy, regular tests, RTO/RPO, external dependencies and vendor management.
What businesses need to know about card scheme compliance is that it is not limited to a single PCI “checkbox” or to enabling 3DS. It is a system of managerial, legal and technical decisions where each part supports the others.

COREDO case studies – brief on the approach

  • EU e‑commerce: migration to SAQ A + 3DS 2.2 with frictionless for low‑risk, TRA under PSD2, a 30% reduction in chargebacks and acceleration of settlement by 1 day due to better MCC and interchange++.
  • Singapore marketplace: unified sanctions screening and AML‑scenarios confirmed by the acquirer; accelerated accreditation and increased limits.
  • Dubai merchant: RBA + device fingerprinting + adaptive 3DS; chargeback ratio consistently below scheme thresholds, rolling reserve reduced.
  • Cyprus fintech: vendor risk assessment, indemnity clauses and insurance coverage; secure BIN sponsoring and resilience to incidents.

We approached each of these projects as a partner: from regulatory expertise to final UAT and go‑live in production with reporting to the schemes.

Conclusions

Card scheme compliance is the foundation of payment acceptance on an international scale. It determines what economics you will have tomorrow, whether you will be able to connect to new markets without a pause, and how confidently you will pass scheme or regulator audits. My team at COREDO is used to treating this area as a single product: legal design, AML/KYB/KYC, sanctions control, PCI DSS and 3DS, tokenization architecture, contractual framework, reconciliation and incident response.

Put simply, the path looks like this:

  • A clear onboarding checklist, a well‑designed architecture for a minimal PCI scope, AML and sanctions discipline, a thought‑through anti‑fraud model, transparent settlements and SLAs with partners, plus incident readiness and continuous improvement.
  • When these elements are brought together into a single system, card scheme compliance stops being a cost item and becomes a competitive advantage.
COREDO’s practice confirms: with the right strategy and controlled execution you will connect to the payment system without unnecessary back-and-forth, pass merchant accreditation with the card scheme within the expected timelines, and build a scalable payment infrastructure that will support the growth of your business in the EU, Asia and beyond.

COREDO – EU Legal & Compliance Services Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.
