Onboarding

Website compliance checks

Cardflo conducts thorough website compliance checks as part of the merchant onboarding process. We assess website content, functionality, and disclosures to ensure adherence to regulatory standards and acquirer requirements.

This proactive approach mitigates risks and prevents future compliance issues.

Category
Onboarding
Capabilities
10
Available on
All plans
Apply now

The overview

Website compliance checks represent a critical phase of the merchant onboarding process, functioning as a bridge between the initial application and the final merchant identification number authorisation.

Acquirers and payment service providers utilise these assessments to ensure a merchant storefront aligns with card scheme rules, such as those mandated by Visa and Mastercard, as well as local legal frameworks like the Consumer Rights Act.

The process involves a technical and content-based audit of the digital interface where the transaction occurs. By verifying the presence of essential disclosures, clear pricing, and legal terms, providers minimise the probability of future disputes or regulatory fines.

These checks are not merely bureaucratic hurdles; they serve as a risk mitigation tool to identify prohibited business models or deceptive marketing practices before the merchant begins processing live transactions through the gateway.

In a landscape governed by PSD2 and rigorous AML standards, maintaining a compliant website is a prerequisite for maintaining a stable relationship with an acquirer.

How it works

  1. URL and content analysis

    The system crawls the provided domain to identify the core business model and category. This step verifies that the products or services listed align with the Merchant Category Code requested during the KYB phase.

    It checks for prohibited items or restricted services that might violate the acquirer's risk appetite or card scheme policies.

  2. Document and disclosure verification

    Automated scripts and manual reviewers search for mandatory legal pages. This includes the terms and conditions, privacy policy, and refund or cancellation policies.

    The check ensures these documents are accessible within a few clicks and contain the specific language required by regional consumer protection laws and card brand standards.

  3. Check-out flow technical audit

    The audit examines the payment page to ensure it meets PCI DSS requirements and displays card scheme logos correctly.

    It verifies that the checkout process clearly communicates total costs, including taxes and shipping, and that the customer must actively agree to the terms before the authorisation request is sent to the issuer.

  4. Contact and identity validation

    Reviewers confirm that the website displays a physical operating address, a functional email, and a telephone number.

    This transparency is a requirement for most acquirers to ensure cardholders have a direct route for customer service, which can reduce the frequency of retrieval requests and subsequent chargebacks.

Why it matters

Reducing initial decline rates

Acquirers often reject merchant applications if the digital storefront lacks necessary disclosures or displays conflicting information. By performing comprehensive compliance checks during onboarding, a merchant can rectify deficiencies before the final underwriting review.

This proactive approach leads to a higher rate of successful merchant account approvals and avoids the delays associated with multiple resubmissions of the same application package.

Mitigating chargeback and fine risk

Incomplete or unclear refund policies are a primary driver of friendly fraud and legitimate disputes.

When a website clearly displays its cancellation terms and contact details, the cardholder is more likely to resolve issues directly with the merchant rather than initiating a chargeback through their issuer.

Furthermore, adhering to scheme rules prevents the assessment of non-compliance fines by the networks, protecting the merchant's bottom line.

Use cases

Subscription service providers

Businesses using recurring billing must adhere to strict disclosure rules regarding trial periods and cancellation methods. Compliance checks ensure the merchant clearly states the renewal frequency and price to avoid soft declines or disputes during future billing cycles.

Cross-border e-commerce

For merchants selling into multiple jurisdictions, compliance checks verify that the website includes necessary FX disclosures and adheres to the consumer protection laws of the target markets, ensuring the acquirer stays within regulatory boundaries.

High-risk category merchants

Entities in sectors like gaming or pharmaceuticals undergo intensive scrutiny. The compliance check ensures that all necessary licences are displayed and that no unauthorised claims or prohibited promotional tactics are present on the site.

By the numbers

85-95%
Application Approval Rate

Typical approval range for merchants who undergo pre-underwriting website audits compared to unassisted submissions, though final outcomes depend on individual acquirer risk policies.

15-25%
Dispute Reduction

Industry studies suggest that clear disclosure of refund and contact policies can lead to a measurable decrease in transactional disputes and retrieval requests.

24-48h
Audit Duration

The standard timeframe for a comprehensive automated and manual review of an e-commerce storefront during the initial onboarding workflow.

Ready to route with Website compliance checks?

Talk to our team about a live rollout on your acquiring stack.

Apply now

What you get with Website compliance checks

  • Verification of Merchant Category Code alignment with website content and marketed services.
  • Detection of prohibited goods or services as defined by card scheme global rules.
  • Validation of clear pricing displays including all applicable taxes and delivery surcharges.
  • Audit of the terms and conditions page for mandatory legal and contact disclosures.
  • Confirmation of refund and cancellation policy visibility during the checkout sequence.
  • Review of data protection and privacy policies to ensure compliance with local regulations.
  • Assessment of card scheme logo usage and placement on the payment interface.
  • Identification of physical address and contact details to facilitate customer service accessibility.
  • Check for secure transaction indicators and PCI DSS compliant payment page integration.
  • Evaluation of subscription disclosure clarity to minimise future recurring transaction disputes.
See Website compliance checks on your acquiring stack.

A short scoping call, then a written plan for your MIDs.

Apply now

Questions about Website compliance checks

What happens if a website fails the initial compliance check during the onboarding phase?

If a website fails the compliance check, the onboarding process is typically paused rather than outright rejected. The merchant receives a list of specific deficiencies, such as missing refund policies or incorrect branding, that must be corrected.

Once the merchant updates the site, a re-check is performed. Continuous failure to meet these standards will lead the acquirer to decline the Merchant Identification Number application, as they cannot verify the legitimacy or safety of the business model.

Remediation is usually a requirement for progression to the final underwriting stage.

Which specific legal documents are mandatory for a merchant website to be considered compliant by an acquirer?

Standard requirements across the industry include a comprehensive terms and conditions page, a clearly outlined refund and return policy, and a privacy policy explaining data handling. Additionally, merchants must provide an 'About Us' page containing a physical address and contact information.

For businesses operating in the UK or EU, explicit details regarding VAT and company registration numbers are often required. Failure to provide these can lead to a refusal by the acquirer based on failure to meet fundamental transparency and consumer protection standards.

Do website compliance checks assess the security of the payment gateway itself?

While compliance checks do look for indicators of security, such as HTTPS and the presence of PCI-compliant payment fields, their primary focus is on content and regulatory disclosures.

The technical security of the gateway is usually covered by the payment service provider's PCI DSS certification and the secure tokenisation methods employed during transaction capture.

The compliance check ensures that the merchant is not store-fronting for a different business and that the merchant's own site facilitates a transparent and legally sound transaction environment for the consumer.

How do card scheme rules for Visa and Mastercard influence these website audits?

Visa and Mastercard have specific operating regulations that all merchants must follow to accept their cards. These include how their trademarks are displayed at the point of sale and how transaction totals are presented to the cardholder.

A compliance check ensures the merchant website adheres to these brand standards. Non-compliance can result in the acquirer facing fines from the schemes, which are typically passed down to the merchant.

Ensuring alignment during onboarding helps the merchant avoid these costs and maintains their standing within the card network.

Are compliance checks a one-time event or an ongoing requirement for merchants?

While the most intensive check occurs during the initial onboarding and KYB process, compliance is an ongoing requirement. Many acquirers and PSPs perform periodic monitoring or 're-sweeps' of merchant websites to ensure that the business model hasn't changed or that prohibited items haven't been added.

If a merchant significantly alters their website or product line, they may trigger a new compliance review. Maintaining the standards established during the first audit is essential for avoiding sudden account suspensions or increased reserve requirements.

Why is the Merchant Category Code (MCC) so important during the website audit?

The MCC determines the interchange rates, risk profile, and scheme rules applicable to the merchant. The website audit confirms that the products sold actually match the MCC assigned to the Merchant Identification Number.

If a merchant is assigned a low-risk MCC but their website displays high-risk goods, this represents 'miscoding'.

This is a serious violation that can lead to immediate account termination, as it bypasses the acquirer's risk controls and potentially misleads the issuer about the nature of the transaction.

Get started

Ready for velocity?

Tell us about your business. We'll match you with the right acquiring partners and the right route, typically inside a week.

Apply now
Apply now