Legal Requirements For Accepting Credit Card Payments In Australia

Being able to accept credit and debit cards is almost essential for Australian businesses today. It’s convenient for your customers and can help you get paid faster.

But turning card payments on also comes with rules. You’ll need to think about consumer law at checkout, what you disclose about pricing and surcharges, how you protect cardholder data, and what your payment provider requires in your merchant agreement.

In this guide, we’ll unpack what’s legally required, what’s contractually required by card networks and providers, and the practical steps to set yourself up with confidence.

What Does “Accepting Credit Card Payments” Legally Involve?

When you take card payments (in‑store, online or by phone), you step into a few overlapping frameworks:

  • Australian Consumer Law (ACL) rules on pricing, receipts, refunds and fair dealing.
  • Card network and merchant agreement rules (e.g. Visa/Mastercard scheme rules, your gateway or bank terms) - including security, chargebacks and surcharging.
  • Data security standards (PCI DSS) that apply via those agreements and industry practice.
  • Privacy obligations under the Privacy Act 1988 (Cth) if you are an “APP entity” (more on the small business exemption below).
  • Surcharging rules under the Competition and Consumer Amendment (Payment Surcharges) Act 2016, which prohibit “excessive” card surcharges. These are enforced by the ACCC and aligned with RBA standards on “cost of acceptance”.

Whether you use a bank merchant facility, a POS terminal, a payment gateway, or an all‑in‑one eCommerce platform, the technology may differ but your responsibilities are similar. The key is to build compliance into your setup from day one.

Do You Need Any Permits Or Registrations To Take Cards?

There’s no special government licence just to accept card payments. In practice, you’ll sign up for a merchant facility with a bank or partner with a payment service provider/gateway. That contract sets your fees, settlement timeframes, chargeback rules, fraud tools and security obligations.

Beyond that, make sure your general business setup is in order. You’ll usually need an ABN and, if you trade under a name, ensure your business name is registered. If you’re building a larger operation or taking on risk, consider whether a company structure is right for you so the business is a separate legal entity.

If you plan to offer card‑not‑present or recurring billing (e.g. subscriptions), be crystal clear in your terms about when and how charges occur. You may also decide to offer bank debits alongside cards - if so, check the direct debit laws that apply in Australia.

Protecting Card Data And Customer Privacy

Security is one of the biggest risks when you accept card payments. Two areas matter most: PCI DSS (industry card security standards) and the Privacy Act.

PCI DSS (Card Security Standards) - Contractual, But Critical

The Payment Card Industry Data Security Standard (PCI DSS) is a global set of technical and operational standards for protecting cardholder data. While PCI DSS isn’t an Australian “law”, it’s typically built into your merchant and gateway agreements and card scheme rules. In short, it’s a contractual requirement with very real consequences if you ignore it (for example, fines, higher fees or loss of your merchant facility).

If you use a reputable, PCI‑compliant gateway or POS and you never see or store raw card numbers yourself (for example, you use tokenisation or hosted payment pages), your own PCI obligations are usually lighter - but they don’t disappear. You’re still responsible for selecting compliant providers, handling devices securely and training your team.

  • Don’t write down full card numbers or store them in spreadsheets, emails or CRMs.
  • Use tokenisation, encryption and access controls offered by your provider.
  • Physically secure POS devices and check for tampering.

Before you enable any “save card” or recurring billing feature, understand the do’s and don’ts of storing credit card details.
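As an added illustration (not from the original article), here is a small Python check for the point above about raw card numbers ending up in spreadsheets, emails or CRMs: it scans exported text for card-number-shaped digit runs, confirms them with the Luhn check that real card numbers pass, and masks everything but the last four digits. The sample records are constructed, and the card numbers in them are publicly known test numbers, not real cards.

```python
import re

# Constructed sample export: free-text notes of the kind a CRM, spreadsheet
# or support mailbox accumulates. The two card numbers are public test PANs.
SAMPLE_RECORDS = [
    "Order 1042 paid by phone, card 4111 1111 1111 1111 exp 09/27",
    "Refund issued to customer; ref 5500-0000-0000-0004",
    "Invoice INV-2024-0001 total $1,234.56 paid via hosted page (token tok_abc123)",
    "Parcel tracking 1234 5678 9012 3456",  # 16 digits but fails Luhn: not a PAN
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_of(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list[str]:
    """Return the card numbers (digits only) found in one record."""
    return [_digits_of(m) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(_digits_of(m))]


def mask_pans(text: str) -> str:
    """Replace each confirmed card number with asterisks, keeping the last four digits."""
    def repl(m: re.Match) -> str:
        digits = _digits_of(m)
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map record index -> card numbers found, for records that contain any."""
    hits = {i: find_pans(r) for i, r in enumerate(records)}
    return {i: pans for i, pans in hits.items() if pans}


if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {len(pans)} card number(s) found -> {mask_pans(SAMPLE_RECORDS[idx])}")
```

Run it over a CSV export or mailbox dump before a PCI self-assessment; any hit is data that should have been tokenised by the provider rather than kept by you.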

Privacy Act - Small Business Exemption And When It Won’t Apply

Under the Privacy Act 1988 (Cth), most organisations, called “APP entities”, must follow the Australian Privacy Principles (APPs). Many small businesses with annual turnover of $3 million or less are exempt, but not if they are health service providers, trade in personal information, are contractors to the Commonwealth (among other exceptions), or opt in to the Act.

Even if you’re exempt, your merchant/provider terms, PCI obligations and customer expectations will still require prudent data practices. If you are covered by the Act, you’ll need to collect only what you need, secure it, and be transparent about use and disclosure.

  • Publish a clear, accessible Privacy Policy explaining what you collect, why, and how customers can contact you.
  • Limit access to personal information to authorised staff and implement role‑based permissions.
  • Be prepared to assess and notify eligible data breaches under the Notifiable Data Breaches scheme (where it applies).

Data Breaches And Incident Response

Incidents happen. Prepare now so you can contain issues quickly and meet any notification deadlines.

  • Assign roles and document steps to contain, assess, notify and remediate.
  • Keep emergency contacts handy (payment provider, IT support, legal support).
  • Train and test so staff know what to do under pressure.

A practical step is to implement a Data Breach Response Plan and include it in staff onboarding and refresher training.

Australian Consumer Law Rules At Checkout

The Australian Consumer Law (ACL) sets the baseline for fair dealing when you accept payments. It affects how you show prices, what you put on your receipts, how you handle refunds, and how you present any surcharges or fees.

Pricing, Receipts And Surcharges

  • Clear, upfront pricing: Display total prices clearly, including compulsory charges, so customers aren’t surprised at the checkout.
  • Receipts and proof of transaction: You must provide proof of transaction for all sales. For purchases of $75 or more, you must provide an itemised receipt; for smaller purchases, you must provide a receipt within 7 days if the customer asks.
  • Surcharging: You may apply a card surcharge, but it must not be “excessive”. The cap is your cost of acceptance for that card type, consistent with RBA standards. The ACCC enforces these rules, so disclose any surcharge before the customer pays and set different rates only where your costs genuinely differ by card type.

Refunds, Chargebacks And Consumer Guarantees

Consumer guarantees still apply whether your sale is online, in‑store or “card‑only”. You can’t exclude these statutory rights in your terms. Build policies that are consistent with the ACL, and make them easy for customers to follow.

Chargebacks - where a cardholder disputes a transaction through their bank - are also a reality. Your merchant agreement will explain how disputes work and what evidence you need to provide. Clear product descriptions, good delivery records and prompt support reduce your risk.

Misleading Or Deceptive Conduct

Be careful with “from $X” claims, crossed‑out prices, “limited time” offers and any add‑on fees revealed late in the process. Presenting prices or features in a way that could mislead customers risks breaching section 18 of the ACL (misleading or deceptive conduct).

Warranties Against Defects

If you offer your own warranty in addition to the consumer guarantees, make sure the wording and process are compliant (for example, prescribed wording in some cases). Many businesses standardise this in a written Warranties Against Defects Policy.

Your Payment Terms And Website Policies

Strong, plain‑English terms reduce disputes and help you stay compliant. The exact documents you need will depend on how you sell, but most businesses benefit from the following.

Customer Terms (POS, Invoices Or Service Agreements)

Set out pricing, when you take payment, any surcharges, late payment rules, refunds, risk allocation and liability limits. Align these with your provider’s processes (for example, how you issue refunds) and the ACL so customers aren’t stuck between inconsistent rules.

Website And App Documents

If you sell online, pair your checkout with clear Website Terms and Conditions and a Privacy Policy. If you operate a marketplace or app, explain how payments are handled, when funds are captured, and who bears risk for cancellations or no‑shows.

Subscriptions And Recurring Billing

For recurring payments, be specific about timing (billing frequency, renewal dates), how to cancel, notice periods and when charges stop after cancellation. Many businesses use dedicated Online Subscription Terms and Conditions. If you also offer bank debits, ensure your approach is consistent with direct debit laws.

If you use tokenisation or “save card” features, explain this simply and obtain clear consent at checkout. If you ever take card details by phone, document a compliant process and include it in staff training.

Internal Policies And Staff Training

Have procedures for handling card data, verifying suspicious transactions and escalating chargebacks. Keep them current and run regular refreshers - especially if you sell through multiple channels (in‑store, online and phone).

Step‑By‑Step: Set Up Card Payments The Right Way

1) Map Your Payment Flows

Decide where and how you’ll accept cards: POS terminals, online checkout, invoices with “pay now” links, phone orders, subscriptions - or all of the above. Map the customer journey so you know what you collect at each step and what you must disclose.

2) Select A Compliant Provider

Compare providers on PCI posture, fraud tools (e.g. 3D Secure), tokenisation, settlement times, fees, chargeback support and the features you need (recurring billing, multi‑currency, digital wallets). Read your merchant terms carefully - they set the rules you have to follow.

3) Configure Surcharges (If You Use Them)

Confirm your cost of acceptance by card type and set any surcharge within that limit. Update signage and checkout copy so customers see the surcharge before payment. Monitor costs and adjust if they change.

4) Prepare Your Terms And Policies

Prepare your customer terms, Privacy Policy and any online terms. Keep your refund, dispute and chargeback processes aligned with the ACL and your provider’s procedures so customers get a consistent experience end‑to‑end.

5) Lock Down Data Security

Avoid storing raw card details in your systems. Use tokenisation and hosted pages, restrict access, secure devices and logs, and keep software up to date. Build and rehearse your Data Breach Response Plan.

6) Train Your Team

Train staff to spot red flags, process refunds correctly, preserve evidence for disputes, and handle card data properly. If you take phone orders, standardise the script and steps for entering details into a secure system (no sticky notes or screenshots).

7) Test, Launch And Review

Run test transactions, review receipts and emails, and simulate a refund. After launch, track chargebacks and feedback, and keep an eye on provider updates (for example, changes to dispute rules or fraud tools) so you can adapt quickly.

Key Takeaways

  • Accepting card payments in Australia engages the ACL, card scheme and merchant rules, PCI DSS (via contract) and, in many cases, the Privacy Act - bake compliance into your setup from the start.
  • Make prices, receipts and any surcharges clear and accurate at checkout. Surcharges must not be “excessive” and should reflect your actual cost of acceptance.
  • Treat PCI DSS seriously: choose compliant providers, avoid storing raw card details, secure your devices, and train your team.
  • If you’re covered by the Privacy Act, publish a compliant Privacy Policy and manage personal information in line with the APPs; even if exempt, strong privacy practices are expected by providers and customers.
  • Back your checkout with clear customer terms and, if you sell online or via an app, appropriate Website Terms and Conditions and, for recurring billing, subscription terms.
  • Reduce disputes by setting accurate expectations, keeping good records, and responding quickly to issues; understand your chargeback process and evidence requirements.

If you would like a consultation on setting up your payments compliance and documents for accepting credit card payments, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
