
If you run an eCommerce business, accepting customers’ payments online will be a fundamental part of how your business functions. It is therefore important that your payment methods offer both variety and security for your customers. For instance, some customers may prefer to use internet bank transfer systems, while others may prefer credit or debit cards. Whatever options you offer, you need to maintain security and comply with any relevant regulations. This is especially important if you accept credit card payments. For some guidance, this article goes through the various legal considerations when accepting credit card payments online.

Accepting Credit Card Payments Online

If you want to accept credit card payments online, you will likely do so through:

  • a payment gateway; or
  • an all-in-one payment solution such as PayPal.

A payment gateway is a third-party payment processing service that handles online payments on your behalf. You can either integrate the gateway into your own site or redirect customers to the gateway’s website to complete their transaction. However, these companies will charge you an extra fee to use their service. Some standard payment gateways in New Zealand are:

  • Stripe;
  • Windcave;
  • eWay; or
  • Paystation.

In order to use these payment gateways, you will need to set up a merchant account with your bank. Your bank will likely have particular gateways it supports, so do your research and find one that works for you. Alternatively, if you use an eCommerce platform like Shopify, it will have a payment gateway integrated into its systems.

PayPal is a global payment option that does not require a merchant account. However, its fees may be higher, and these can add up over time.

Credit Cards and Privacy

If you handle personal information in New Zealand, your business qualifies as an agency, and you must follow New Zealand privacy law. Personal information is any data that can identify a living individual, so credit/debit card details can fall under this definition. Therefore, when handling credit card information, you need to meet your privacy obligations. To do so, you must ensure:

  • customers know when you collect their credit card information;
  • you collect credit card details directly from the customer concerned;
  • you do not store credit card details for longer than you need;
  • any storage facilities are secure;
  • customers transmit their credit details over a secure connection;
  • you do not disclose credit card details to third parties;
  • credit card details are accurate and up to date;
  • customers know who has access to their credit card details and that they can correct them; and
  • you provide your contact details.

Try to avoid storing credit card or debit card details, as retaining them increases the risk to your business. Remember that your payment gateway will likely handle any retention of credit card details, so be sure you understand how you are meeting your privacy obligations when you use one.

PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard for maintaining security and preventing fraud when processing credit card payments online. If you handle any kind of payment card data, then you need to ensure that you comply with this standard. Payment card data refers to both credit and debit card details. The PCI DSS’ purpose is to:

  • increase consumer confidence in credit card payments;
  • lessen the risk of credit card fraud;
  • aid your business in developing security procedures around credit card processing and payment; and
  • reduce the risk of credit card security breaches. 

The standard sets out six goals for security controls and outlines steps for your business to meet those goals. You can see these goals and potential ways to meet them below.

Build and maintain a secure network

Ensure you have adequate security protocols in your system. Have a firewall, strong passwords, and do not rely on default login credentials.

Protect cardholder data

Secure any cardholder data you deal with, both in storage and transmission. Encrypt this data on your networks, and limit retention where possible to reduce potential fallout from a breach.

Maintain a vulnerability management program

Keep anti-virus programmes up to date, and keep your systems/devices secure. Identify and mitigate any vulnerabilities in your systems.

Introduce strong access control measures

Limit access to cardholder data to only those who need it. Ensure that those who have access have a unique user ID and restrict physical access to devices that hold sensitive cardholder data.

Regularly monitor and test networks

Keep access logs for all networks that transmit cardholder data, and regularly test your security systems.

Develop an information security policy

Have an in-house policy that outlines how you protect information security at your business, for your employees and partners.

It is a good idea to keep records of any security reports or system tests. These are useful for your own reference and for proving compliance with the PCI DSS if required. You can complete a self-assessment to determine what your business may need to do to be PCI compliant.
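The privacy section above says not to store card details for longer than you need, and the "Protect cardholder data" goal says to limit retention and keep the data out of places where it is not needed. The following Python is an added illustration of what that looks like in a merchant's own application code; it is not code from LegalVision or from any payment gateway. It assumes the gateway returns a reference token (the `tok_...` format is a placeholder) and that the application only ever keeps that token, the last four digits and the expiry, while any card-number-shaped sequence that would otherwise reach a log is masked first. The sample log lines are constructed.

```python
import re
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check digit test used by card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


# 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_log_line(line: str) -> str:
    """Mask any Luhn-valid card-number-shaped sequence before the line is written.

    Sequences that fail the Luhn check (order numbers, timestamps) are left alone.
    """
    def _sub(m: re.Match) -> str:
        candidate = m.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_sub, line)


@dataclass(frozen=True)
class StoredCard:
    """What the merchant keeps for a card on file: no full PAN, never the CVV."""
    gateway_token: str   # reference issued by the payment gateway (placeholder format)
    last4: str
    expiry: str          # "MM/YY"


def to_stored_record(pan: str, expiry: str, gateway_token: str) -> StoredCard:
    """Reduce a freshly entered card to the fields a later charge actually needs."""
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    digits = "".join(c for c in pan if c.isdigit())
    return StoredCard(gateway_token=gateway_token, last4=digits[-4:], expiry=expiry)


# Constructed sample log lines: one leaks a test card number, one does not.
SAMPLE_LOG = [
    "2024-05-01 10:02:11 INFO checkout order=1234567890123456 card=4111 1111 1111 1111 amount=49.90",
    "2024-05-01 10:02:12 INFO gateway token=tok_EXAMPLE_placeholder approved",
]


if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(redact_log_line(raw))
    record = to_stored_record("4111 1111 1111 1111", "12/27", "tok_EXAMPLE_placeholder")
    print(record)
```

Two design points are worth noting. The Luhn check keeps the redaction from mangling order numbers and timestamps, but a non-card number that happens to pass Luhn will still be masked, which is the safer direction to err in for a log. The `StoredCard` record has no field for the full number or the CVV at all, so nothing downstream can retain them by accident; the gateway token is what a later charge uses, which is the retention model the privacy section above is asking for.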

Key Takeaways

In conclusion, if you want to allow payment by credit or debit card as an option for your customers, ensure that you know any regulations that apply to this process. It is thus important to consider the PCI DSS and New Zealand privacy law. Remember, if you use a payment gateway, they will likely handle most of this process, but you still need to meet your obligations. If you would like more information or help with the legal aspects of accepting credit card payments online, contact LegalVision’s eCommerce lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What does PCI DSS stand for?

PCI DSS stands for the Payment Card Industry Data Security Standard. This is a global standard regulating credit card payments by mandating that businesses take appropriate steps to secure any payment card data they deal with.

What is personal information?

Personal information is any data that you can use to identify a living individual. For instance, this includes names, phone numbers, email addresses, or credit card details.

Should I keep my customers’ credit card details?

As credit card details are personal information, you can only keep them if it is necessary for a business purpose. You should avoid storing this sensitive data, as it increases your risk of a privacy breach, and you need to do more to protect it.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.
