Payments & Processing Mastery: A Complete Merchant Playbook
Category: Payments & Processing • Format: Comprehensive Merchant Playbook • Status: Complete (3 Deep‑Dive Chapters)
This research‑based playbook provides merchants with a complete education on payment processing. You will learn how to choose a processor using a 7‑point framework, achieve PCI DSS compliance with a 90‑day plan, and master interchange‑plus vs. flat‑rate pricing – with real case studies, comparative tables, and actionable templates.
Playbook Overview
- Subject: Payment Processing, Interchange Pricing, PCI Compliance, Processor Selection
- Level: Beginner to Advanced – no prior payments experience required
- Target Roles: Merchants, e‑commerce operators, retail managers, finance staff, business owners
- Learning Style: Frameworks + Scorecards + Step‑by‑Step Guides + Case Studies + Checklists
- Chapters: 3 comprehensive chapters (each 45‑60 min read)
- Language: English
Learning Outcomes
- Confidently evaluate and select a payment processor using a 7‑point vetting framework and weighted scorecard.
- Identify hidden fees, contract traps, and data portability requirements before signing.
- Achieve and maintain PCI DSS compliance with a detailed 90‑day roadmap – reducing scope to SAQ A.
- Understand the 12 PCI requirements in plain English and produce evidence for each.
- Calculate your true effective rate and compare interchange‑plus vs flat‑rate pricing for your specific transaction mix.
- Negotiate processor markup and avoid common pricing pitfalls like tiered or bundled pricing.
Who This Playbook Is For
This playbook is for merchants, business owners, e‑commerce operators, retail managers, finance professionals, and anyone who accepts credit card payments. It is also valuable for students of business, entrepreneurs, and payment industry newcomers. No prior technical or financial experience is assumed – every term is defined, and every concept is illustrated with real‑world examples.
Playbook Structure
Chapter 1 (Processor Selection) provides a 7‑point framework, a downloadable scorecard template, analysis of contract traps (auto‑renewal, ETFs, equipment leasing), and a deep dive into data portability and tokenization.
Chapter 2 (PCI DSS Compliance) explains the 12 requirements in plain English, helps you determine your SAQ type, offers a week‑by‑week 90‑day implementation plan, and shows how to reduce scope using hosted payment fields.
Chapter 3 (Interchange Pricing) demystifies the three cost components (interchange, assessments, markup), provides current interchange rate tables, shows step‑by‑step how to re‑price your transactions, and includes a negotiation script.
Why Study This Topic?
- Payment processing is often a merchant’s third‑largest expense after inventory and payroll – yet most merchants cannot explain how they are priced.
- Hidden fees (PCI non‑compliance fees, batch fees, statement fees) add 0.5‑1.5% to effective rates without merchants knowing.
- Long‑term contracts with automatic renewal and high early termination fees lock merchants into uncompetitive pricing for years.
- PCI non‑compliance fines can reach $100,000 per month, but achieving SAQ A compliance can be done in 90 days for free.
- Interchange‑plus pricing saves the average merchant 15‑30% compared to flat‑rate – but only if you understand how to compare.
All Characters (Key Stakeholders in This Playbook)
- The Merchant: Business owner accepting card payments – seeks low fees, reliability, and fair terms.
- The Payment Processor: Company that handles transaction routing, settlement, and reporting.
- The Acquirer (Merchant Bank): Bank that sponsors the merchant and assumes settlement risk.
- The Card Issuer: Bank that issues credit/debit cards to consumers – earns interchange.
- The Payment Gateway: Technology provider that securely transmits transaction data (e.g., Stripe, Authorize.Net).
- The PCI Assessor: Internal or external party validating compliance (SAQ or ROC).
- The Compliance Officer: Ensures PCI rules and pricing transparency are followed.
- The Sales Agent (ISO): Independent sales organization that often sells processor services – may not fully disclose fees.
- The Customer (Cardholder): End consumer – their experience affects brand perception and chargeback risk.
Start Mastering Payments Today
Begin with Chapter 1 to learn how to choose a processor using a 7‑point framework. Each chapter includes real‑world case studies, comparative tables, and practical deliverables.
Frequently Asked Questions
Do I need technical experience to use this playbook?
No. The playbook is written for merchants and business owners. Technical terms are defined when first introduced, and examples are used throughout.
Are the pricing examples current?
Yes. Interchange rates, assessment fees, and markup targets reflect the market as of early 2026. Visa and Mastercard update interchange tables twice per year (April and October).
Does this cover international processing?
The focus is on US and major card schemes (Visa, Mastercard, Amex, Discover). Cross‑border principles apply, but local acquiring rules vary by country.
Can I use the checklists and templates for my business?
Absolutely. The scorecard, compliance checklist, and pricing comparison spreadsheet are designed to be adapted for your own use.
How long will it take to work through all chapters?
Each chapter is designed for 45‑60 minutes of reading plus exercises. You can complete the full playbook in one day or study it chapter by chapter.
Chapter 1: How to Choose a Payment Processor for Your Business
Estimated Reading Time: 55 minutes
1.1 The Hidden Cost of a Bad Processor
Choosing a payment processor based only on a low headline rate is a common mistake. A processor that appears cheap may charge hidden fees (batch fees, statement fees, PCI non‑compliance fees), lock you into a long contract with high early termination fees, or provide poor customer support when you need it most. This chapter provides a systematic framework to evaluate processors, uncover hidden costs, and select a partner that fits your business.
1.2 Step 1: Define Your Business Profile
Before contacting any processor, document the following. Bring this one‑page profile to every conversation.
| Factor | Your Answer | Why It Matters |
|---|---|---|
| Business model | In‑store / online / omnichannel | Determines need for POS terminals, payment gateway, or both. |
| Monthly card volume | $______ | Volume drives negotiating power; processors price differently for <$10k vs >$50k. |
| Average ticket size | $______ | Low‑ticket/high‑volume businesses need different pricing than high‑ticket. |
| International cards | % of sales | Cross‑border cards incur higher interchange (1.5–2% extra). |
| High‑risk industry? | Yes/No | Subscriptions, travel, CBD, nutraceuticals, gaming – many processors won’t touch these. |
| Must‑have integrations | Shopify, Woo, NetSuite, etc. | If your platform isn’t supported, integration costs explode. |
1.3 Step 2: The 7‑Point Vetting Framework
Use this framework to compare up to three processors. Do not sign anything before completing all seven steps.
1. Authorization & Uptime: Ask for 12‑month authorization rate by card type and reported uptime SLA. A good processor has >99.95% uptime and auth rates >95% for swiped, >85% for keyed. Red flag: They cannot provide data or quote “industry standard” without proof.
2. Pricing Transparency: Require a full pricing table showing interchange, assessments, processor markup, monthly fees (PCI, gateway, statement, batch), per‑transaction fees (AVS, international), and one‑time fees. Hidden fee alert: “PCI non‑compliance fee” of $20–50 per month – avoidable by completing your annual SAQ.
3. Settlement & Funding: T+1 or T+2? Weekend/holiday funding? Reserve policy (common for high‑risk)? Minimum payout threshold?
4. Contract Terms: Month‑to‑month vs multi‑year? Early termination fee (ETF) amount – typical $250‑$500, but some charge “liquidated damages” equal to 12 months of estimated profit. Auto‑renewal trap? Never lease a terminal – buy outright. A $299 terminal leased at $49/month for 48 months costs $2,352.
5. Risk & Fraud Support: Dedicated risk manager? Real‑time fraud tools included (AVS, CVV, velocity rules, 3DS2)? Chargeback management automation?
6. Customer Support: Test pre‑sale – call their support line at 2 AM. 24/7 phone, chat, or ticket only? Dedicated onboarding specialist for first 90 days?
7. Data Portability: “If we leave, can we export our customer token vault? In what format?” Without token portability, you lose returning customers and must ask them to re‑enter card details.
1.4 Step 3: Build a Weighted Scorecard
Assign weights based on your priorities. Example for a typical e‑commerce merchant:
| Criteria | Weight | Processor A | Processor B |
|---|---|---|---|
| Effective rate (estimate) | 30% | 2.8% → 9/10 | 3.1% → 7/10 |
| Uptime SLA (99.95%+) | 15% | Yes → 10/10 | No data → 3/10 |
| Month‑to‑month contract | 15% | Yes → 10/10 | 3‑year lock → 0/10 |
| 24/7 phone support | 10% | Yes → 10/10 | Ticket only → 4/10 |
| Token portability | 10% | Yes → 10/10 | No → 0/10 |
| Transparent pricing | 20% | Full disclosure → 10/10 | Hidden PCI fee → 5/10 |
Multiply each score by weight, sum, and choose the highest total.
1.5 Real‑World Case Study: Coffee Shop vs. Online Apparel
Case 1 – Coffee shop (in‑store, low ticket $8, volume $15k/mo): They chose a processor with 2.6%+$0.10 headline rate but ignored $0.15 AVS fee, $0.10 batch fee, and $25 monthly PCI fee. Effective rate = 3.4%. After switching to interchange‑plus with no monthly fees, effective rate dropped to 2.1% – saving $1,950/year.
Case 2 – Online apparel (high ticket $120, volume $80k/mo): They prioritized token portability and 24/7 support. Their processor had a slightly higher markup but allowed customer token export. When they switched platforms 2 years later, they retained 85% of returning customers – saving $120k in lost sales.
1.6 Deliverable: Processor Scorecard Template
Create a spreadsheet with columns: Processor Name, Effective Rate Estimate, Uptime SLA, Contract Term, ETF Amount, Support Channels, Token Portability, Transparent Pricing. Score each 1‑10, apply your weights, and compare.
Practice Questions – Chapter 1
- List the seven components of the processor vetting framework. For each, explain why it matters.
- Calculate the true cost of leasing a terminal at $45/month for 48 months vs buying outright for $350. Assume you keep the terminal for 4 years.
- What is token portability? Why does a processor’s refusal to export tokens hurt your business?
- Create a weighted scorecard for a hypothetical business (e.g., a food truck with $8k monthly volume, average ticket $12, in‑store only). Assign weights and justify them.
Keywords: processor selection, interchange, markup, ETF, token portability, scorecard, hidden fees, auto‑renewal, equipment lease
Chapter 2: PCI DSS Compliance – A Step‑by‑Step Guide
Estimated Reading Time: 60 minutes
2.1 What Is PCI DSS and Why It Matters
The Payment Card Industry Data Security Standard (PCI DSS) applies to every merchant that accepts credit cards. It is not optional. Compliance is required by your merchant agreement, and non‑compliance can result in fines ($5,000–$100,000 per month), increased transaction fees, or loss of your ability to accept cards. However, most small to medium merchants can achieve compliance with a few days of focused work – especially by reducing scope.
2.2 The Scope Reduction Principle
The less card data you touch, the fewer PCI requirements apply. The gold standard: use a payment processor that offers “hosted payment fields” or redirect checkout (e.g., Stripe Checkout, Braintree Drop‑in, Authorize.Net Accept.js). With this setup, your website never touches card data – all sensitive information goes directly from the customer’s browser to the processor. This drops you into SAQ A, which has only ~30 requirements instead of ~330 for SAQ D.
2.3 Determine Your SAQ Type
| SAQ Type | When It Applies | # of Requirements | Difficulty |
|---|---|---|---|
| SAQ A | Fully outsourced – hosted payment fields or redirect. Your site never touches card data. | ~30 | Low |
| SAQ A‑EP | Your site controls payment page (iframe/JS) but card data goes direct – no storage. | ~50 | Medium |
| SAQ B / B‑IP | Standalone terminal (dial‑out or IP) for in‑store only. | ~20 | Low |
| SAQ D | You store, process, or transmit card data on your own servers – avoid if possible. | ~330 | High |
Pro tip: If you are using WooCommerce with a plugin that collects card data on your server, you are likely SAQ D. Switch to a hosted payment solution (Stripe, Braintree, Square) to drop to SAQ A.
2.4 The 12 PCI Requirements in Plain English
- Firewall: Isolate your card data environment (CDE) from the public internet and other networks.
- No default passwords: Change all vendor defaults on systems that touch card data.
- Protect stored data: Do NOT store CVV, track data, or PIN. If you store PAN, truncate or tokenize.
- Encrypt transmission: Use TLS 1.2 or higher for any card data sent over public networks.
- Anti‑malware: Install and maintain anti‑malware on all CDE systems.
- Patch systems: Apply security patches within 30 days of release.
- Least privilege access: Restrict CDE access to only employees who need it.
- Unique IDs + MFA: Each user has a unique ID. Use multi‑factor authentication for admin access.
- Physical security: Lock terminals, servers, and any media containing card data.
- Logging and monitoring: Log all access to the CDE and review logs daily.
- Vulnerability scans: Quarterly ASV scans + annual penetration test.
- Security policy: Written policy, incident response plan, and annual staff training.
2.5 90‑Day Implementation Plan (Week by Week)
Days 1‑30 – Assessment & Scope Reduction:
Week 1: Draw a data flow diagram – where does card data enter, travel, and exit? Identify every system in the CDE.
Week 2: Eliminate any unnecessary storage. If you are storing CVV or track data, stop immediately (prohibited).
Week 3: Segment your network – move the CDE onto a separate VLAN with a firewall blocking inbound public traffic.
Week 4: Enable MFA on all admin accounts. Change default passwords on routers, terminals, and gateways.
Days 31‑60 – Controls & Scans:
Week 5: Install and configure anti‑malware on every CDE system. Set automatic weekly scans.
Week 6: Schedule your first Approved Scanning Vendor (ASV) scan. Your processor can recommend an ASV. Fix any “failed” findings.
Week 7: Enable logging on all CDE systems (firewall, server, application). Set logs to be retained for 12 months.
Week 8: Write your information security policy (template available from PCI Council). Cover incident response, access control, and training.
Days 61‑90 – Validation & Attestation:
Week 9: Train all employees who handle card data. Use a short video + quiz. Keep sign‑in sheets.
Week 10: Complete your SAQ using the PCI Council’s online tool. Be honest; false attestation carries fines.
Week 11: Submit your Attestation of Compliance (AOC) to your processor. Many processors provide a portal.
Week 12: Set a calendar reminder for next year’s SAQ and quarterly ASV scans.
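One way to support the Week 1 data‑flow inventory and the Week 2 storage clean‑up is to scan logs and exports for stored card numbers and prohibited fields. The following is an added example, not part of the original playbook; the sample lines are constructed, the card numbers are public test numbers, and the field‑name list is an assumption to adapt to your own systems.

```python
import re

# Constructed sample log lines; card numbers are public test numbers.
SAMPLE_LINES = [
    "2026-01-15T10:22:31Z INFO checkout order=1042 card=4111 1111 1111 1111 exp=12/27",
    '2026-01-15T10:22:32Z DEBUG payload={"pan": "5555-5555-5555-4444", "cvv": "737"}',
    "2026-01-15T10:22:33Z INFO shipment tracking=1234567890123456 status=sent",
    "2026-01-15T10:22:34Z INFO charge ok token=tok_EXAMPLE last4=1111",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed field names for data that must never be stored (CVV, track data, PIN).
SAD_RE = re.compile(
    r"""\b(cvv2?|cvc2?|track[12]|pin_?block)\b["']?\s*[=:]\s*\S+""", re.I
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate for reporting: keep only the first 6 and last 4 digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str):
    """Return findings for one line as (kind, detail) tuples."""
    findings = []
    # Heuristic: a digit run joined to other digits by a space or hyphen
    # is tested as one number, so review near-misses by hand.
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    for m in SAD_RE.finditer(line):
        findings.append(("SAD", m.group(1).lower()))
    return findings


def scan(lines):
    """Return (line_number, kind, detail) for every finding, 1-indexed."""
    return [
        (n, kind, detail)
        for n, line in enumerate(lines, 1)
        for kind, detail in scan_line(line)
    ]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Every system where this reports a finding belongs in the CDE on your data flow diagram until the storage is removed; the report itself only ever contains truncated numbers.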
2.6 Keeping Compliance Cheap
- Use hosted payment fields → SAQ A → 80% fewer requirements.
- Do not store card data → eliminates requirements 3, 7, 8, 9, and 10 for most merchants.
- Use free ASV scans – Stripe, Square, and some other processors include them for free.
- If you are part of a franchise or trade association, many offer group discounts for pen tests.
Practice Questions – Chapter 2
- Which SAQ type applies if you use Stripe Checkout (customer redirected to Stripe’s hosted page)? Why?
- List three PCI requirements that become unnecessary if you do not store any card data.
- What is the difference between an ASV scan (external vulnerability scan) and a penetration test?
- Draw a simple data flow diagram for a WooCommerce store using a hosted payment field (e.g., Stripe Elements). Show where card data enters and where it goes.
Keywords: PCI DSS, SAQ, CDE, tokenization, hosted payment fields, ASV scan, AOC, scope reduction
Chapter 3: Interchange‑Plus vs. Flat‑Rate Pricing – Which Is Better?
Estimated Reading Time: 50 minutes
3.1 The Three Components of Every Transaction
Interchange: A fee set by the card brand (Visa, Mastercard, etc.) that goes to the cardholder’s issuing bank. Interchange varies by card type (debit, consumer credit, rewards, corporate, purchasing), transaction method (swiped, keyed, online), and data provided (Level 1/2/3). Interchange is non‑negotiable – the processor passes it through.
Assessments: Fees set by the card brands, typically a small percentage of volume plus a per‑transaction fee. Examples: Visa 0.13% + $0.0195, Mastercard 0.13% + $0.0185. Also non‑negotiable.
Processor markup: The only negotiable part. This is how the payment processor makes its profit. Usually expressed as a percentage plus a fixed fee (e.g., +0.15% + $0.07).
Interchange‑plus pricing shows you all three components separately. Example: 1.15%+$0.10 interchange, 0.13%+$0.02 assessments, 0.15%+$0.07 markup → total 1.43% + $0.19.
Flat‑rate pricing bundles everything into a single percentage + fee, e.g., 2.9% + $0.30. The processor pockets the difference when interchange is low (e.g., debit cards) and loses when interchange is high (e.g., corporate rewards).
3.2 Current Interchange Rate Table (2026 – Representative)
| Card Type | Swiped (CP) | Keyed (CNP) | Online with 3DS |
|---|---|---|---|
| Consumer debit (regulated) | 0.05% + $0.22 | 0.05% + $0.22 | 0.05% + $0.22 |
| Consumer credit (standard) | 1.15% + $0.10 | 1.35% + $0.10 | 1.30% + $0.10 |
| Consumer credit (rewards) | 1.65% + $0.10 | 1.85% + $0.10 | 1.80% + $0.10 |
| Corporate / purchasing | 2.10% + $0.10 | 2.30% + $0.10 | 2.20% + $0.10 |
| International card | +1.0% extra | +1.0% extra | +0.8% extra |
3.3 When Interchange‑Plus Wins vs. Flat‑Rate Wins
Interchange‑plus is better when: Monthly volume > $20k, average ticket > $40, high percentage of debit cards, ability to provide Level 2/3 data (B2B), and you are willing to manage monthly fees (PCI, gateway, statement). Savings typically 15‑30% compared to flat‑rate.
Flat‑rate is better when: Volume < $10k/mo, low average ticket (<$15), startup, you value predictable accounting over chasing savings, or most of your transactions are keyed or premium cards where interchange is already high.
3.4 Step‑by‑Step: How to Compare Pricing for Your Business
- Export your last 3 months of transaction data (date, card type, transaction amount, swiped/keyed).
- Calculate your current effective rate = total fees paid / total volume. Example: $1,500 fees on $50,000 volume = 3.0%.
- Obtain interchange tables from Visa/Mastercard (updated April and October). Your processor should provide them.
- Re‑price each transaction under interchange‑plus: Look up interchange rate, add assessments (e.g., 0.13%+$0.02), add a quoted processor markup (e.g., 0.15%+$0.07). Sum for each transaction.
- Add monthly fixed fees (PCI, gateway, statement, batch) – typically $15‑$40 total per month.
- Compare total cost. If interchange‑plus saves >10% after monthly fees, switch.
3.5 Negotiation Script and Target Markups
Call your processor (or a prospective one) and say: “I want interchange‑plus with pass‑through assessments. Show me the interchange tables. Quote me your markup in basis points plus a per‑transaction fee. No basis‑point floor, no tiered pricing, no three‑year lock‑in. What can you offer?”
Target markups (2026):
Low‑volume (<$50k/mo): 0.20% + $0.08 to 0.30% + $0.10
Medium‑volume ($50k‑$250k): 0.12% + $0.06 to 0.18% + $0.08
High‑volume (>$250k): 0.05% + $0.03 to 0.10% + $0.05
3.6 Real‑World Case Study: Savings Calculation
A restaurant processes $80,000 monthly, average ticket $35, 60% debit, 40% credit. Under flat‑rate (2.9%+$0.30), total fees = ($80,000×2.9%) + ($80,000/$35×$0.30) = $2,320 + $686 = $3,006/month.
Under interchange‑plus (debit: 0.05%+$0.22, credit: 1.15%+$0.10, assessments 0.13%+$0.02, markup 0.15%+$0.07):
Debit portion: $48,000×0.05%=$24 + (1,371 debit transactions×$0.22)=$302 → $326
Credit portion: $32,000×1.15%=$368 + (915 credit transactions×$0.10)=$92 → $460
Assessments: $80,000×0.13%=$104 + (2,286 transactions×$0.02)=$46 → $150
Markup: $80,000×0.15%=$120 + (2,286×$0.07)=$160 → $280
Total interchange‑plus = $326+$460+$150+$280 = $1,216/month. Monthly fees $25 → $1,241.
Savings = $3,006 – $1,241 = $1,765/month ($21,180/year).
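The re‑pricing procedure in 3.4, applied to the restaurant in this case study, can be scripted as follows. This is an added example, not part of the original playbook; it uses the representative rates printed in 3.1 and 3.2, and the row format (amount, card type, swiped/keyed) and the card‑type names are assumptions about how your export is labelled.

```python
# Representative interchange from the table in 3.2: (percent, fixed dollars).
INTERCHANGE = {
    ("debit_regulated", "swiped"): (0.05, 0.22),
    ("debit_regulated", "keyed"): (0.05, 0.22),
    ("credit_standard", "swiped"): (1.15, 0.10),
    ("credit_standard", "keyed"): (1.35, 0.10),
    ("credit_rewards", "swiped"): (1.65, 0.10),
    ("credit_rewards", "keyed"): (1.85, 0.10),
    ("corporate", "swiped"): (2.10, 0.10),
    ("corporate", "keyed"): (2.30, 0.10),
}
ASSESSMENTS = (0.13, 0.02)  # pass-through card-brand assessments
MARKUP = (0.15, 0.07)       # quoted processor markup
FLAT_RATE = (2.90, 0.30)    # flat-rate quote being compared


def fee(amount, rate):
    """Fee for one transaction at (percent, fixed-dollar) pricing."""
    pct, fixed = rate
    return amount * pct / 100 + fixed


def reprice(transactions, monthly_fees=25.0):
    """Price (amount, card_type, method) rows under both models."""
    volume = sum(amount for amount, _, _ in transactions)
    flat = sum(fee(amount, FLAT_RATE) for amount, _, _ in transactions)
    ic_plus = monthly_fees
    for amount, card_type, method in transactions:
        # Interchange + assessments + markup, summed per transaction.
        for rate in (INTERCHANGE[(card_type, method)], ASSESSMENTS, MARKUP):
            ic_plus += fee(amount, rate)
    savings = flat - ic_plus
    return {
        "volume": volume,
        "flat": flat,
        "ic_plus": ic_plus,
        "flat_effective_pct": 100 * flat / volume,
        "ic_plus_effective_pct": 100 * ic_plus / volume,
        "savings": savings,
        # Decision rule from step 6: switch if savings exceed 10%.
        "switch": savings / flat > 0.10,
    }


def restaurant_case():
    """Constructed rows matching the case study: $80,000 volume,
    1,371 debit and 915 standard credit transactions, all swiped."""
    debit = [(48_000 / 1_371, "debit_regulated", "swiped")] * 1_371
    credit = [(32_000 / 915, "credit_standard", "swiped")] * 915
    return debit + credit


if __name__ == "__main__":
    for key, value in reprice(restaurant_case()).items():
        print(f"{key}: {value}")
```

The unrounded totals land within $2 of the case study's figures, which round each component to whole dollars.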
Practice Questions – Chapter 3
- What are the three cost components of interchange‑plus pricing? Which one is negotiable?
- Why do debit cards have much lower interchange than rewards credit cards?
- Calculate the effective rate for a $100 transaction under flat‑rate (2.9%+$0.30) vs interchange‑plus (1.15%+$0.10 interchange + 0.13%+$0.02 assessments + 0.15%+$0.07 markup).
- What is Level 3 data? How can it reduce interchange for B2B transactions?
- Using the case study above, what would be the savings if the restaurant’s volume was $20,000/month instead of $80,000?
Keywords: interchange, assessments, markup, effective rate, Level 2/3 data, pass‑through, basis points, tiered pricing
Author: Kateule Sydney. Updated: