Payment Facilitator Compliance Checklist

Use this checklist to map the ten compliance areas a registered payment facilitator must own — from card-network registration and PCI DSS Level 1 to KYC/AML, money transmitter licensing, sub-merchant underwriting, reserves, chargebacks, reporting, documentation, and PayFac-as-a-Service alternatives.

Becoming a payment facilitator (PayFac) means taking on the compliance that a traditional merchant account normally pushes onto the bank. You register with the card networks, you validate at the highest PCI level, you underwrite and monitor every sub-merchant, and you report to Visa and Mastercard on an ongoing basis.

This checklist maps the ten areas you need to cover. It's a planning tool, not legal advice — confirm specifics with your sponsor bank, a QSA, and qualified counsel before you launch.

New to the model first? Start with the full guide, then come back here to plan the compliance work.

Before you use this checklist

This applies to companies pursuing the fully registered PayFac model. You may not need most of it if:

  • You use PayFac-as-a-Service / managed PayFac — your provider carries most of the obligations below.
  • You only need to accept payments across multiple countries — that's cross-border local acquiring, not the card-network PayFac model. More on that at the end.

If you are becoming a registered PayFac, here's the map.

Overview graphic showing the ten compliance areas a registered payment facilitator must cover, including card-network registration, PCI DSS Level 1, KYC/AML, licensing, underwriting, reserves, chargebacks, reporting, documentation, and PayFac-as-a-Service.

1. Card-network registration

You cannot operate as a PayFac without a sponsor bank and card-network registration.

  • Secure a sponsor (acquiring) bank willing to register you as a payment facilitator.
  • Register with Mastercard through its registration program and complete the required risk/anti-fraud onboarding. Mastercard runs a Mastercard Registration Program (MRP) and a Business Risk Assessment and Mitigation (BRAM) program covering this.
  • Register with Visa as a payment facilitator / service provider.
  • Renew registrations annually and budget for the per-network fees.

Authoritative rules are linked in the Sources section of the main guide: Payment Facilitator Guide


2. PCI DSS Level 1

Card networks classify PayFacs as service providers, and a PayFac is generally held to PCI DSS Level 1 — the highest validation tier.

  • Complete a Level 1 assessment validated by a Qualified Security Assessor (QSA) through an onsite assessment, not just a self-assessment questionnaire.
  • Be compliant before you process your first transaction — many acquirers won't sign you without proof.
  • Meet the v4.x requirements now in force. The "future-dated" requirements of PCI DSS v4.x became mandatory on March 31, 2025. v4.0.1, published June 2024, was a clarifying revision that did not change that date and added no new requirements. Key items now enforced include:
    • Req. 6.4.3 — all payment-page scripts are authorized, integrity-assured, and inventoried.
    • Req. 11.6.1 — a change-and-tamper detection mechanism on payment pages, evaluated at least weekly or on a frequency set by a targeted risk analysis.
    • Expanded MFA for all access into the cardholder data environment (CDE).
    • Stronger password standards and formal targeted risk analyses (TRA) for control frequencies.
    • Encryption that renders PAN unreadable at the file/column/field level. Disk-level encryption alone no longer qualifies, except for removable media.
  • Understand PCI does not "pass through." Each sub-merchant is a separate legal entity with its own PCI obligations. Where your solution covers requirements on their behalf, document it in your Report on Compliance and in the sub-merchant's SAQ.

Sub-merchant PCI detail: What Is a Sub-merchant?


3. KYC / AML / sanctions screening

You own the decision to onboard each sub-merchant, so you own the screening.

  • Verify identity (KYC) for each sub-merchant: legal entity, business model, and ultimate beneficial owners (UBO).
  • Screen against sanctions lists such as OFAC before onboarding and on an ongoing basis.
  • Check the MATCH list — Mastercard's Member Alert to Control High-risk Merchants — before approving a sub-merchant.
  • Maintain a BSA/AML program appropriate to your jurisdiction, with suspicious-activity processes.
  • Re-screen periodically, not just at onboarding.

4. Money transmitter licensing (US)

This is the most commonly underestimated cost.

  • Determine whether you "touch" merchant funds. If settlement flows through you before reaching the sub-merchant, money transmitter licensing (MTL) may apply.
  • Map state-by-state requirements via NMLS; obligations and costs vary widely by state.
  • Consider structural alternatives, such as having the bank settle directly to sub-merchants, to reduce MTL exposure.
  • Budget surety bonds and ongoing reporting where licensing applies.

Outside the US, licensing is jurisdiction-specific — confirm local requirements in each market you operate in.


5. Sub-merchant underwriting policy

Underwriting is how you keep risk out before it enters your portfolio.

  • Write a documented underwriting policy: business types accepted, prohibited/high-risk verticals, data collected.
  • Assess each applicant's risk: business model, financials, credit, fraud/chargeback history, billing practices.
  • Apply graduated controls — conservative limits, reserves, or delayed funding for higher-risk merchants; expansion as they prove performance.

6. Funds flow and reserves

  • Define your settlement model and document how funds move from acquirer to your master account to sub-merchants.
  • Establish a reserve policy — rolling or fixed — in writing, including how and when reserves are applied and released.
  • Keep reconciliation accurate and real-time — chargebacks and adjustments are typically debited from settlement flows.
  • Disclose reserve and funding-hold terms clearly in the sub-merchant agreement to avoid disputes.

7. Chargeback and dispute management

  • Build dispute workflows aligned to card-network timelines.
  • Monitor chargeback ratios against network thresholds; exceeding them can put you into network monitoring programs.
  • Define who covers what — remember the PayFac bears the ultimate loss if a sub-merchant can't fund a chargeback.

8. Ongoing reporting and monitoring

Compliance is continuous, not a one-time gate.

  • File required reports to Visa and Mastercard on the cadence they specify.
  • Re-validate PCI annually with a QSA onsite assessment for Level 1.
  • Monitor sub-merchant activity continuously for fraud, volume spikes, and prohibited activity.
  • Run internal audits of your underwriting and risk controls.

9. Documentation you must maintain

  • Underwriting policy, risk policy, reserve policy
  • AML/BSA program and training records
  • Incident response plan
  • PCI Report on Compliance (ROC) and sub-merchant SAQ references
  • Sub-merchant agreements with required disclosures
  • Network registration and renewal records

10. The shortcut: PayFac-as-a-Service / managed PayFac

If sections 1–9 look like a multi-year program — they are. The full registered model is commonly estimated at hundreds of thousands to several million dollars upfront and 12–24 months before onboarding the first sub-merchant, which is why it usually only makes sense at large scale.

  • Evaluate PayFac-as-a-Service / managed PayFac, where a provider already holds the registrations, PCI Level 1 posture, and much of the risk — and you integrate in weeks rather than building for a year-plus.

Cross-border merchants: you may not need any of this

If your actual goal is getting paid across many countries — Pix in Brazil, GCash and GoPay in Southeast Asia, UPI in India, Mada/STC Pay in the Middle East — the PayFac compliance program above may be solving the wrong problem. What you usually need is cross-border local acquiring: a provider that already has the local payment methods, local clearing, and licensing in each market.

HaiPay is a licensed payment provider that facilitates cross-border local acquiring across 52 regions (pay-in) and 50+ countries (pay-out), with local payment methods and local payout — without you registering as a card-network PayFac.

See how cross-border local acquiring works: Pay-ins Acquiring


FAQ

Do all payment facilitators need PCI DSS Level 1?

Registered PayFacs are generally validated at Level 1 with a QSA onsite assessment, as card networks treat them as service providers. Confirm exact scope with your acquirer and QSA.

Are the PCI DSS v4.x "future-dated" requirements mandatory now?

Yes — they became mandatory on March 31, 2025. v4.0.1, published June 2024, was a clarifying update and did not move that date.

What is the MATCH list?

Mastercard's Member Alert to Control High-risk Merchants list, which PayFacs check before onboarding sub-merchants.

Do I need a money transmitter license to be a PayFac?

It depends on whether you touch merchant funds and on each state's rules. Many PayFacs structure funds flow to limit this; confirm with counsel.

Is HaiPay a registered payment facilitator?

No. HaiPay is a licensed payment provider that facilitates cross-border local acquiring; it is not a card-network-registered PayFac.


Last updated June 2026. This checklist is for planning only and is not legal or compliance advice. Verify requirements with your sponsor bank, a QSA, and qualified counsel.

Sources

Compliance facts here are based on primary card-network and PCI sources. These are updated periodically — always consult the current version.
