Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Payment Gateway And How Does It Work?
- Are Payment Gateway Agreements Negotiable?
- What Should You Check Before You Sign A Payment Gateway Agreement?
- 1) Pricing, Fees And Cash Flow
- 2) Reserves, Rolling Holds And Risk Reviews
- 3) Permitted Use And Restricted Products
- 4) Security, PCI DSS And Data Handling
- 5) Chargebacks, Disputes And Evidence
- 6) Liability, Uptime And Service Credits
- 7) Term, Termination And Portability
- 8) Governing Law, Jurisdiction And Support
- What Laws And Rules Apply In Australia?
- Step‑By‑Step: Setting Up A Payment Gateway The Right Way
- What Legal Documents Help Support Your Gateway Setup?
- FAQs: Common Questions From Australian Businesses
- Key Takeaways
Online payments are now part of everyday business in Australia. Whether you sell products, take bookings, run subscriptions or accept donations, choosing a payment gateway is a big call - and the agreement you sign can affect your costs, compliance, cash flow and customer experience.
Before you hit “agree”, it’s worth understanding how payment gateway agreements work, what terms matter most, and where the legal risks sit. In this guide, we’ll walk through the essentials in plain English so you can make a confident, risk-aware decision for your business.
What Is A Payment Gateway And How Does It Work?
A payment gateway is the technology that authorises and processes electronic payments from your customers - typically credit/debit cards and digital wallets (like Apple Pay and Google Pay). It acts as the bridge between your checkout (website or POS), your customer’s bank, card networks and your own bank account.
In practice, a typical payment flow looks like this:
- Your customer enters their payment details at checkout.
- The gateway encrypts and transmits the data for authorisation. With a hosted payment page or hosted fields, the card details travel straight from the customer's browser to the gateway, and your own server only ever receives a token that stands in for the card.
- The transaction is approved or declined by the issuing bank.
- Funds are captured and later settled to your merchant bank account.
In Australia, gateways are offered by banks and acquirers, specialist fintechs and some platforms/marketplaces. To use one, you’ll accept a merchant or gateway agreement that sets the rules for fees, permitted use, privacy/security, chargebacks, reserves and more.
Are Payment Gateway Agreements Negotiable?
Many providers use standard-form terms that apply across their customer base. In practice, small businesses often have limited scope to negotiate the core legal template.
That said, some commercial settings are still worth discussing - for example, pricing tiers, reserves, settlement schedules, onboarding requirements, or an addendum about data portability. Larger or higher-volume merchants tend to have more leverage.
Even where terms aren’t negotiable, it’s still critical to understand them before you sign. If something is a poor fit (for example, a prohibited-products clause that catches your category or a long minimum term), choosing a different provider early is far easier than switching later.
What Should You Check Before You Sign A Payment Gateway Agreement?
1) Pricing, Fees And Cash Flow
- Transaction pricing: Percentage + fixed fee per transaction, and whether pricing differs by card type, currency or payment method.
- Monthly or platform fees: Flat subscription charges or minimum monthly spend that apply even during quiet periods.
- Chargeback fees: The fee per dispute and who pays scheme penalties if your dispute ratios rise.
- Settlement timing: How quickly funds land in your bank (T+1, T+2, weekly), whether weekends/holidays are excluded, and any delays for high-risk categories.
- Foreign exchange: If you accept international cards, check FX rates, conversion fees and whether you can settle in multiple currencies.
Map these costs against expected volumes and your cash cycle. A slightly higher transaction fee can be acceptable if settlement is faster and reserves are lower.
2) Reserves, Rolling Holds And Risk Reviews
- Reserves/holds: Some providers withhold a percentage of takings to cover chargebacks or refunds. Check the percentage, the release schedule and the triggers to increase or decrease reserves.
- Risk re-assessment: Providers may revisit your risk profile (e.g. after a product launch, seasonal spikes or rising disputes) and adjust pricing or reserves.
- Onboarding limits: Initial daily/weekly caps during your first months, and the process to increase them.
3) Permitted Use And Restricted Products
- Prohibited categories: Many gateways restrict “high-risk” goods/services (e.g. supplements, adult content, gambling, nicotine, certain ticketing or pre-sales).
- Scope creep: Check whether you need consent to add new products, open a new storefront, launch a marketplace model or sell cross-border.
- Sub-merchant rules: If you facilitate payments for others (platforms/marketplaces), confirm whether you need a platform account and specific onboarding flows.
Choose a provider whose permitted use fits both today’s catalogue and your near‑term roadmap.
4) Security, PCI DSS And Data Handling
- PCI DSS responsibilities: Confirm which PCI DSS merchant level and self-assessment questionnaire (SAQ) applies to you and what the provider covers. A fully hosted checkout usually keeps you on the shortest questionnaire (SAQ A); a checkout page that controls how card data is sent to the gateway typically falls under SAQ A-EP; if your own systems ever receive, process or store card data you are looking at the full SAQ D and far more controls.
- Data storage: Clarify whether you'll store gateway tokens only (plus display data such as the last four digits and expiry), who can access them, and how long data is retained. Sensitive authentication data such as the CVV/CVC must never be stored after authorisation, even encrypted, and full card numbers should not turn up in logs, support tickets or backups.
- Breach obligations: Notification timeframes and who contacts affected customers, card schemes and regulators.
If you store or process payment details, review your processes against practical guidance on storing credit card details and ensure your staff and systems match your contract promises.
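A practical way to check that your systems match the "tokens only" promise is to scan anything you log or store for card numbers before it is written, and to validate saved-card records against an allow-list of fields. The example below is added here and is not Sprintlaw's code or any gateway's library: it uses the standard Luhn check to separate real card numbers from order numbers of similar length, masks anything it finds to the last four digits, and rejects a saved payment method that carries a full card number. The log lines and test card numbers are constructed, and the field names in `ALLOWED_FIELDS` are assumptions rather than any provider's schema. It also serves as one of the pre-go-live drills in Step 5 below.

```python
"""Added example (not Sprintlaw's code): find and mask card numbers (PANs) in
text you are about to log or store, and check that a saved payment method
holds only a gateway token plus display data. The test card numbers and log
lines are constructed; field names are assumptions, not any gateway's schema."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields a merchant-side record may hold once the gateway has tokenised the card.
ALLOWED_FIELDS = {"token", "last4", "brand", "exp_month", "exp_year", "customer_id"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(match_text: str) -> bool:
    digits = re.sub(r"\D", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list[str]:
    """Return the raw substrings that look like card numbers and pass Luhn."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if _is_pan(m.group())]


def mask_pan(raw: str) -> str:
    """Keep only the last four digits, which PCI DSS permits for display."""
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every detected PAN with its masked form before the text is written anywhere."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if _is_pan(m.group()) else m.group(), text
    )


def stored_record_problems(record: dict) -> list[str]:
    """Reasons a merchant-side saved-card record must not be written; empty means OK."""
    problems = []
    for key, value in record.items():
        if key not in ALLOWED_FIELDS:
            problems.append(f"unexpected field {key!r}")
        if find_pans(str(value)):
            problems.append(f"field {key!r} contains a card number")
    if "last4" in record and not re.fullmatch(r"\d{4}", str(record["last4"])):
        problems.append("last4 must be exactly four digits")
    return problems


# Constructed log excerpt: one debug line and one support note leak card numbers;
# the 16-digit order numbers are not card numbers and must not be masked.
SAMPLE_LOG = """\
2024-03-05T10:00:00Z checkout order=1234567890123456 token=tok_9f8e7d last4=1111 status=approved
2024-03-05T10:00:05Z DEBUG raw request: {"card": "4111 1111 1111 1111", "exp": "12/29"}
2024-03-05T10:01:00Z refund order=1234567890123457 amount=19.95
2024-03-05T10:02:00Z support note: customer read out 5555-5555-5555-4444 over the phone
"""

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
    print(stored_record_problems({"token": "tok_x", "last4": "1111", "card_number": "4111111111111111"}))
```

Run the scanner over exported logs, database dumps and support-ticket text as a go-live check, and wire `redact` in front of any logger that could see raw request bodies; a single debug line like the one above is enough to pull your whole logging pipeline into PCI DSS scope.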
5) Chargebacks, Disputes And Evidence
- Chargeback workflow: Deadlines, required evidence and tools to help you respond (screenshots, delivery confirmation, usage logs).
- Refund rules: Whether you can issue partial refunds, and how refunds interact with fees (non‑refundable fees are common).
- Dispute ratios: Thresholds that, if exceeded, may trigger pricing changes, reserves or even account termination.
6) Liability, Uptime And Service Credits
- Limitation of liability: Typical clauses cap the provider’s liability to a multiple of fees paid, and exclude indirect loss (like lost profits). Consider how this affects you during an outage or settlement delay.
- Service levels: Check any uptime commitments, maintenance windows and remedies (often limited to service credits).
- Indemnities: Note where you indemnify the provider (e.g. for your breach of law, fraud or misuse).
It’s worth understanding how limitation of liability clauses operate so you can plan sensible workarounds - like failover payment methods for critical sales periods.
7) Term, Termination And Portability
- Minimum terms: Some agreements run month-to-month, others have 12–24 month minimums with early exit fees.
- Suspension/termination: Look for triggers like increased disputes, “high risk” determinations, prohibited use, or a change in your business model.
- Data portability: Can you export customer profiles and recurring billing schedules, and can saved cards be migrated to another gateway without re‑collecting card details? Tokens are normally specific to the provider that issued them, so a migration is usually a provider‑to‑provider transfer of the underlying card data to your new PCI‑compliant processor rather than an export to you; check that the agreement does not block or unreasonably price that transfer.
8) Governing Law, Jurisdiction And Support
- Jurisdiction: International providers may specify a foreign law and courts. That can add time and cost to any dispute resolution.
- Support: Response times, live support hours in AEST and escalation paths for outages.
What Laws And Rules Apply In Australia?
Australian Consumer Law (ACL)
You’re responsible for complying with the Australian Consumer Law when you sell to customers, regardless of the gateway you use. That includes accurate pricing and advertising, consumer guarantees and fair refund processes. If you provide warranties, ensure they align with the ACL and your operational reality. A helpful primer on warranty obligations is here: Australian Consumer Law warranty.
Privacy And Personal Information
Handling customer information (names, emails, addresses and in some cases payment details) engages privacy obligations. Under the Privacy Act 1988 (Cth), the Australian Privacy Principles generally apply to APP entities (including many businesses with annual turnover of $3 million or more, and some smaller businesses in specific sectors such as health services or credit reporting).
Even if you’re not legally required to comply as an APP entity, your gateway contract, platform terms or marketplace rules may still require a clear privacy practice and policy. It’s best practice to publish a clear, tailored Privacy Policy and make sure your actual handling of data matches what it says.
Security And PCI DSS
Card networks require compliance with the Payment Card Industry Data Security Standard (PCI DSS). Your exact obligations depend on how your checkout is implemented (e.g. fully hosted, iFrame, API with tokenisation) and whether your systems ever touch cardholder data. Your agreement should spell out who does what - and you must follow through operationally.
Anti‑Money Laundering And KYC
Most businesses using gateways aren’t themselves reporting entities under Australia’s AML/CTF regime, but expect your provider to conduct identity verification and ongoing monitoring (e.g. business verification, beneficial ownership, transaction screening). Cooperating with these processes is usually a contractual requirement.
Tax And GST
If your GST turnover meets the threshold, register for GST and issue compliant tax invoices. Gateways often provide reporting to help reconcile settlements and fees, but your accounting obligations sit with you. This is general information only - speak with your tax adviser for advice on your circumstances.
E‑Commerce And Marketing Rules
If you take orders and communicate online, you’ll also need to consider e‑commerce and marketing compliance. Ensure your email campaigns comply with Australia’s spam rules and that your checkout disclosures are clear. A quick refresher on email marketing laws can help you stay onside.
Step‑By‑Step: Setting Up A Payment Gateway The Right Way
Step 1: Map Your Payment Needs
- List your payment methods and channels (web, mobile app, in‑store, subscriptions, invoicing).
- Estimate transaction volumes, average order value and currencies.
- Decide on features you need now and soon (recurring billing, saved cards, BNPL, fraud tools, marketplace payouts).
Step 2: Get Your Business Details In Order
- Confirm your business structure and ABN, and register a business name if needed.
- Set up a dedicated business bank account for settlements.
- Prepare basic documents providers will ask for (ID, business details, website URLs, product list and policies).
Step 3: Compare Providers
- Shortlist providers that support your industry and use cases (some decline high‑risk categories).
- Compare total cost of ownership - not just headline fees, but settlement timing, reserves and support.
- Review docs you’ll publish to customers, such as your checkout terms; many online businesses use tailored online terms and conditions that align with their refund and dispute processes.
Step 4: Review The Agreement Carefully
- Read the fee schedule, term/termination, reserves, data handling, PCI, chargebacks and jurisdiction sections closely.
- Clarify anything unclear with the provider; where possible, ask about commercial adjustments (price tiers, settlement frequency, onboarding limits).
- Get a professional contract review to spot hidden risks in standard-form terms.
Step 5: Integrate And Test
- Work with your developer to implement the most secure integration path your provider supports (e.g. hosted fields or tokenisation).
- Publish and align your Website Terms and Conditions and Privacy Policy with how your checkout actually works.
- Run end‑to‑end test transactions, refunds and chargeback evidence drills before going live.
Step 6: Train Your Team And Monitor
- Train staff on fraud signals, refund procedures, data handling and least‑privilege access to payment tools.
- Set alerts for dispute rates, declines and settlement anomalies so you can react quickly.
- Schedule regular checks to ensure practice matches policy and your agreement obligations.
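The alerts in Step 6 are easy to automate once you have daily totals from your gateway's reporting. The example below is added here and is not Sprintlaw's code or any provider's API: it runs over constructed daily figures and flags a dispute ratio above an early‑warning level, a day with an unusual decline rate, a settlement that arrived short of gross minus fees, and a settlement that has not landed within the agreed lag. The thresholds and the T+2 settlement lag are assumptions to be replaced with the figures in your own agreement and the card scheme monitoring programs that apply to you; the dispute ratio here is disputes divided by approved sales over the whole window, which is a simplification of how the schemes calculate theirs.

```python
"""Added example (not Sprintlaw's code): daily monitoring of dispute ratio,
decline rate and settlement reconciliation over constructed merchant data.
Thresholds and the T+2 settlement lag are assumptions; take the real values
from your agreement and the scheme monitoring programs that apply to you."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DailyStats:
    day: date
    sales: int                    # approved transactions
    declines: int                 # declined authorisation attempts
    disputes: int                 # chargebacks/disputes raised against this day's sales
    gross_cents: int              # amount captured
    fees_cents: int               # provider fees charged on those captures
    settled_cents: Optional[int]  # amount that actually landed, None if nothing yet


# Assumed early-warning thresholds; set them below your provider's and the schemes' limits.
DISPUTE_RATIO_ALERT = 0.0075    # 0.75% of approved sales over the window
DECLINE_RATE_ALERT = 0.15       # 15% of authorisation attempts in one day
SETTLEMENT_TOLERANCE = 0.01     # shortfall above 1% of gross is flagged
SETTLEMENT_LAG_DAYS = 2         # T+2 settlement, as the agreement is assumed to say


def dispute_ratio(stats: list[DailyStats]) -> float:
    """Disputes divided by approved sales over the whole window."""
    sales = sum(s.sales for s in stats)
    return sum(s.disputes for s in stats) / sales if sales else 0.0


def decline_rate(s: DailyStats) -> float:
    attempts = s.sales + s.declines
    return s.declines / attempts if attempts else 0.0


def expected_settlement(s: DailyStats) -> int:
    return s.gross_cents - s.fees_cents


def check(stats: list[DailyStats], today: date) -> list[tuple[str, Optional[date], str]]:
    """Return (kind, day, detail) alerts; kind is dispute_ratio, decline_rate,
    settlement_short or settlement_overdue."""
    alerts = []
    ratio = dispute_ratio(stats)
    if ratio > DISPUTE_RATIO_ALERT:
        alerts.append(("dispute_ratio", None, f"{ratio:.2%} over {len(stats)} days"))
    for s in stats:
        rate = decline_rate(s)
        if rate > DECLINE_RATE_ALERT:
            alerts.append(("decline_rate", s.day, f"{rate:.1%} of attempts declined"))
        expected = expected_settlement(s)
        if s.settled_cents is None:
            if (today - s.day).days > SETTLEMENT_LAG_DAYS:
                alerts.append(("settlement_overdue", s.day,
                               f"{expected} cents not received by T+{SETTLEMENT_LAG_DAYS}"))
        elif expected - s.settled_cents > SETTLEMENT_TOLERANCE * s.gross_cents:
            alerts.append(("settlement_short", s.day,
                           f"expected {expected} cents, received {s.settled_cents}"))
    return alerts


# Constructed sample: five trading days viewed on 10 March 2024.
SAMPLE = [
    DailyStats(date(2024, 3, 5), 400, 20, 1, 4_000_000, 72_000, 3_928_000),  # settled exactly
    DailyStats(date(2024, 3, 6), 420, 25, 2, 4_200_000, 75_600, 4_000_000),  # settled short
    DailyStats(date(2024, 3, 7), 380, 90, 3, 3_800_000, 68_400, None),       # overdue, high declines
    DailyStats(date(2024, 3, 8), 410, 30, 6, 4_100_000, 73_800, None),       # not yet due
    DailyStats(date(2024, 3, 9), 390, 28, 5, 3_900_000, 70_200, None),       # not yet due
]

if __name__ == "__main__":
    for kind, day, detail in check(SAMPLE, date(2024, 3, 10)):
        print(kind, day, detail)
```

Feed it from the settlement and dispute reports your provider exposes, keep the window aligned to the calendar month the schemes use, and route the `dispute_ratio` alert to whoever can pull a product or tighten fraud rules quickly, since that ratio is the trigger most agreements tie to reserves, repricing and termination.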
What Legal Documents Help Support Your Gateway Setup?
Your gateway agreement is only one piece. Having the right customer-facing and internal documents reduces disputes and supports compliance.
- Customer Terms and Conditions: Clearly sets purchase terms, pricing, delivery, cancellations and refunds. Align these with your gateway’s refund and evidence rules to protect against chargebacks; many online stores rely on customised online terms.
- Privacy Policy: Explains what personal information you collect and how you use it, including payment information and fraud prevention tools. Even if not legally required for every small business, many providers and platforms expect a clear, robust Privacy Policy.
- Website Terms and Conditions: Sets user rules, IP rights and liability limits for your site or app, which is helpful if you experience downtime or integration issues; see Website Terms and Conditions.
- Refunds/Returns Policy: A simple, consistent policy reduces confusion and supports any chargeback evidence you submit.
- Employment Contract and Policies: If team members access payment systems, include confidentiality and security obligations in each Employment Contract and add clear internal data security procedures.
- Supplier and Platform Agreements: If you rely on third parties (e.g. fulfilment, platforms, SaaS), ensure responsibilities for payments, refunds and customer communications line up across contracts.
- Incident Response Playbook: A short, practical guide for outages, suspected fraud or breaches - who does what, and by when.
Not every business will need every document on day one, but most will need several. Getting them tailored to your operations makes compliance simpler and gives you better footing if a dispute arises.
FAQs: Common Questions From Australian Businesses
Do I need a Privacy Policy if I’m a small business?
Under the Privacy Act, APP entities (including many businesses with turnover of $3 million+ and some smaller businesses in certain sectors) must comply with the Australian Privacy Principles and publish a privacy policy. Even if you’re under the threshold, your gateway or platform may require a policy, and it’s widely considered best practice to publish a clear Privacy Policy that reflects your actual data handling.
Can I pass card fees onto customers?
Businesses can surcharge for card payments, but surcharges must be limited to your reasonable cost of acceptance and disclosed clearly at checkout. Your gateway agreement and the card scheme rules will set limits on how this is implemented.
What happens if there’s an outage and I lose sales?
Most providers exclude liability for indirect loss and cap direct liability to a relatively low amount. Understanding those liability limits helps you plan contingencies, such as a backup payment method for peak periods.
If I only accept bank transfers, do I need a gateway?
No. Bank transfers can be taken without a gateway. However, gateways enable cards, wallets and recurring billing, and they provide reconciliation and fraud tools that manual transfers don’t offer.
Key Takeaways
- Payment gateway agreements are usually standard-form, but you should still assess fees, reserves, settlement timing, data handling, chargebacks, liability limits and jurisdiction before you sign.
- Your obligations in Australia don’t stop at the provider’s terms - you must also comply with the ACL, privacy rules that apply to your business, PCI DSS responsibilities and tax reporting.
- Publishing clear Customer Terms, a Privacy Policy and Website Terms, and aligning them with your gateway settings, reduces disputes and supports chargeback responses.
- Plan for portability and resilience: confirm how you can export tokens if you ever switch providers, and consider fallback payment options for outages.
- A quick contract review and policy tune‑up can save time, fees and headaches later - it’s much easier to get this right before you go live.
If you’d like a consultation on selecting and setting up a payment gateway - including reviewing your gateway agreement and customer‑facing documents - you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.