Compliance
Plain-English summary
This page is our public compliance posture — the rules we follow, the programs we run, and what those mean for merchants and their auditors. PayMullet is a sponsored payment processor (not a bank), registered with the card brands and Nacha, subject to state money-transmitter requirements where applicable, and operating an AML program under the Bank Secrecy Act. When a merchant signs on with us, they inherit our certifications for the portion of the stack we operate, but they remain responsible for their own compliance with card brand rules, tax reporting, and consumer-protection law.
Corporate structure and sponsorship
PayMullet is a Delaware C-corporation headquartered in New York. We are not a bank. Our ability to access the card networks and the ACH network is made possible by agreements with our Sponsor Bank, an FDIC-insured member institution registered with each card network as an Acquirer. Under these agreements, PayMullet is the Independent Sales Organization (Visa), Merchant Service Provider (Mastercard), Program Participant (Discover), and registered ESA (American Express OptBlue).
- Sponsor Bank: Disclosed in the Merchant Application and on the Dashboard under Settings → Settlement. The Sponsor Bank is the counterparty to you under Visa and Mastercard rules, though day-to-day operations, underwriting, and support are performed by PayMullet.
- Registration status: Visa registered ISO; Mastercard registered MSP; Discover registered acquirer; American Express OptBlue ESA. Registration IDs are listed in the Dashboard footer.
Card-brand rules (incorporated by reference)
When you process cards through PayMullet, you agree to comply with the operating regulations of each card brand whose products you accept. These documents are updated by the brands periodically and are binding on every merchant:
- Visa Core Rules and Visa Product and Service Rules
- Mastercard Rules and the Security Rules and Procedures
- Discover Operating Regulations
- American Express Merchant Reference Guide
High-impact provisions include:
- Honor All Cards: You must accept all cards within a brand (credit or debit) as a product category; surcharging and steering are regulated and vary by jurisdiction.
- Surcharge caps: Up to 3% on credit cards (Visa/Mastercard); debit surcharges are generally prohibited, with specific state-law exceptions (e.g., NY ceiling, CT prohibition).
- Cash discount vs surcharge: Implementations must be disclosed at entry and on receipts; PayMullet's compliant surcharge program auto-injects required language.
- Minimum and maximum transaction amounts: $10 minimum credit allowed (Durbin §1075); no minimum permitted on debit.
- No factoring: You may not process charges for another business.
- Accurate MCC and descriptor: Your MCC and DBA-matching descriptor must reflect your actual goods/services.
PCI DSS v4.0.1 — your obligations as a merchant
Every merchant who accepts, transmits, or stores cardholder data is contractually bound by the Payment Card Industry Data Security Standard (PCI DSS) under the Card Brand rules. As of March 31, 2025, PCI DSS v4.0.1 is the only active version — v3.2.1 is fully retired. Your specific obligations depend on your transaction volume tier:
- Level 1 — 6,000,000+ Visa/Mastercard transactions per year (or any merchant suffering a breach). Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), quarterly ASV scans, and an annual internal and external penetration test.
- Level 2 — 1,000,000 to 6,000,000 transactions per year. Annual Self-Assessment Questionnaire (SAQ) signed by an officer, quarterly ASV scans by an Approved Scanning Vendor, and annual penetration test.
- Level 3 — 20,000 to 1,000,000 e-commerce transactions per year. Annual SAQ and quarterly ASV scans.
- Level 4 — Fewer than 20,000 e-commerce, or up to 1,000,000 total transactions per year. Annual SAQ; ASV scans required when eligibility for certain SAQ variants depends on them.
The right Self-Assessment Questionnaire (SAQ) depends on how you take cards. PayMullet pre-fills the correct SAQ for you in the Dashboard under Compliance → PCI:
- SAQ A — E-commerce merchants who fully outsource card data to a PCI-compliant iframe or redirect (e.g., our hosted checkout). Reduced scope.
- SAQ A-EP — E-commerce merchants whose site controls the payment page but offloads the card fields (e.g., our JavaScript SDK). Larger scope.
- SAQ B — Merchants using standalone dial-up terminals, no CHD in electronic systems.
- SAQ B-IP — Merchants using standalone IP-connected terminals (e.g., a Clover Flex on Wi-Fi).
- SAQ C — Merchants with payment-application systems connected to the Internet.
- SAQ C-VT — Virtual-terminal users (web-based keyed entry on a dedicated computer).
- SAQ D — Everyone else, including service providers. Full 300-plus-control self-assessment.
- SAQ P2PE — Merchants using a validated PCI P2PE solution end-to-end. Smallest scope of all.
New requirements that became mandatory on March 31, 2025 under v4.0.1 include: multi-factor authentication for all non-console administrative access to the CDE (Req. 8.4.2); automated log review tools for daily review (Req. 10.4.1.1); anti-phishing technical controls (Req. 5.4.1); authenticated internal vulnerability scans (Req. 11.3.1.2); and client-side script integrity controls (Req. 6.4.3 and 11.6.1). If you are still operating under v3.2.1 control baselines, you are out of compliance and exposed to fines from $5,000 to $100,000 per month levied through your acquirer.
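The client-side script controls in Req. 6.4.3 and 11.6.1 are the ones merchants most often ask how to operationalize: 6.4.3 wants every script on the payment page inventoried, justified, and integrity-protected, and 11.6.1 wants unauthorized changes to those scripts detected. The following is an added example, not PayMullet code or part of any SDK; it assumes a merchant keeps such an inventory keyed by script path, and the script paths and bodies below are constructed sample data. It computes Subresource Integrity values (the browser-enforced half), renders the pinned `<script>` tags, and compares a later crawl of the page against the inventory to flag modified, unauthorized, or missing scripts (the detection half).

```python
"""Client-side script inventory and integrity check for a payment page.

Added example, not PayMullet's code. Assumes the merchant maintains a
written inventory of every script authorized on the payment page, with a
justification and the SHA-384 digest of the content that was reviewed.
All script paths and bodies below are constructed sample data.
"""
import base64
import hashlib


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a script body: 'sha384-' + base64(SHA-384)."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, content: bytes) -> str:
    """Render a <script> tag pinned to the reviewed content.

    A browser refuses to execute the script if the fetched bytes do not hash
    to the integrity value, which is the enforcement part of Req. 6.4.3.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def build_inventory(approved: dict[str, tuple[str, bytes]]) -> dict[str, dict]:
    """Turn {src: (justification, reviewed_content)} into the stored inventory."""
    return {src: {"justification": why, "integrity": sri_hash(body)}
            for src, (why, body) in approved.items()}


def check_page(loaded: dict[str, bytes], inventory: dict[str, dict]) -> dict[str, str]:
    """Compare scripts observed on the page with the inventory (Req. 11.6.1).

    Returns one verdict per script path: ok, modified, unauthorized, or missing.
    """
    verdicts: dict[str, str] = {}
    for src, body in loaded.items():
        entry = inventory.get(src)
        if entry is None:
            verdicts[src] = "unauthorized"      # script not in the written inventory
        elif sri_hash(body) != entry["integrity"]:
            verdicts[src] = "modified"          # content changed since it was reviewed
        else:
            verdicts[src] = "ok"
    for src in inventory:
        if src not in loaded:
            verdicts[src] = "missing"           # expected script no longer served
    return verdicts


# Constructed sample data: the scripts as reviewed, and what a later crawl observed.
APPROVED = {
    "/static/checkout.js": ("Mounts the hosted card fields",
                            b"window.PayMulletCheckout = {mount(){}};\n"),
    "/static/analytics.js": ("Page-view metrics; no access to card fields",
                             b"track('pageview');\n"),
}
INVENTORY = build_inventory(APPROVED)

OBSERVED = {
    "/static/checkout.js": APPROVED["/static/checkout.js"][1],   # unchanged
    "/static/analytics.js": b"track('pageview'); track('click');\n",  # changed since review
    "/static/chat-widget.js": b"loadChat();\n",                    # never authorized
}


def sample_report() -> dict[str, str]:
    """Run the check over the constructed crawl; anything not 'ok' needs review."""
    return check_page(OBSERVED, INVENTORY)


if __name__ == "__main__":
    for src, (_, body) in APPROVED.items():
        print(script_tag(src, body))
    for src, verdict in sorted(sample_report().items()):
        print(f"{verdict:12} {src}")
```

In practice the crawl side would be fed by a scheduled fetch of the live payment page (or a CSP report-only policy) rather than the constructed `OBSERVED` dictionary, and any verdict other than `ok` is the change that 11.6.1 expects to be alerted on and reviewed before the inventory is updated.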
PayMullet’s PCI Level 1 attestation reduces our scope but does not eliminate yours. Offloading card fields to our hosted pages is how we cut your scope to SAQ A — the smallest possible — but you still must complete it annually and keep it on file for three years. We will not let you auto-renew your merchant account past your SAQ expiration without evidence of renewal.
Fair pricing and merchant-choice disclosures
PayMullet discloses in every pricing quote and on every monthly statement the following three pieces of information, which the Card Brands and the Federal Trade Commission have made the benchmark for fair dealing in merchant services:
- The true interchange category assessed on each transaction, not a blended grouping. You can see which Visa “CPS Retail”, Mastercard “Merit III”, etc. rate applied to every swipe in your effective rate report.
- The PayMullet margin — the basis points and per-transaction markup we keep — separated from interchange and assessments. No “qualified/mid-qualified/non-qualified” buckets, no “enhanced recovery fees”, no made-up line items.
- Your right to leave. Every statement includes the termination-notice address, a link to the deconversion checklist, any remaining contract term, and the exact amount (often zero) of any early-termination fee.
If you ever see a line item on your statement you don’t understand, you can click it in the Dashboard and we will explain what it is, where it comes from, and whether it is a pass-through cost or our margin. If we can’t explain it, we’ll refund it.
Fraud and risk programs
- Visa Acquirer Monitoring Program (VAMP): Effective April 2025, VAMP consolidates VDMP/VFMP. An excessive fraud-dollar ratio (≥ 0.9% of payment volume) or enumerated-attack events trigger escalation, remediation plans, and fines. We surface your VAMP ratios in real time on the Dashboard.
- Mastercard Excessive Chargeback Merchant (ECM) / Excessive Fraud Merchant (EFM): The ECM threshold is 100 chargebacks and a chargeback-to-transaction ratio of 1.5%+ for two months; EFM has fraud-specific thresholds. Entry triggers a remediation plan and monthly assessments.
- Visa Chargeback Monitoring Program (VCMP): Early/Standard tiers at 0.65%/0.9% chargeback ratios with 75+ monthly chargebacks.
- MATCH (Member Alert To Control High-Risk Merchants): Mastercard-operated list of terminated merchants. Reason codes 04 (Excessive Chargebacks), 12 (Fraudulent Transactions), 13 (Identity Theft), and 14 (Merchant Collusion) are the most common triggers. A listing lasts 5 years. See the Merchant Agreement §16 for your MATCH acknowledgment.
- PayMullet Risk Operations: A 24/7 team runs real-time transaction monitoring, velocity rules, device intelligence, and network-token re-issuance. We reach out before the card brands do when we detect elevated ratios.
Anti-Money Laundering (AML) program
PayMullet maintains a BSA/AML program approved by the board, reviewed annually by an independent third party, and overseen by a designated BSA Officer. The program covers:
- KYC/KYB at onboarding: Legal entity verification (Secretary of State, EIN, Articles), Ultimate Beneficial Owner identification per FinCEN's CDD rule (25% ownership, plus one control person), OFAC and PEP screening, adverse-media screening for high-risk MCCs
- Ongoing transaction monitoring: Rules-based + ML models against structuring, rapid deposit-and-withdrawal, unusual card-present/not-present ratios, cross-border velocity
- OFAC sanctions screening: Every transaction passes through real-time sanctions check (SDN list + sectoral + state lists); matches are frozen and escalated
- SAR-adjacent reporting: While PayMullet is not a bank and does not file SARs directly, we escalate suspected illicit activity to the Sponsor Bank for their determination and cooperate with FinCEN inquiries
- Record-keeping: 5 years post-termination for BSA records
- Training: Annual AML training for all staff; specialized training for Risk, Underwriting, and Customer Support teams
ACH / Nacha compliance
PayMullet acts as a Third-Party Sender for ACH transactions originated on behalf of merchants. Operations conform to the Nacha Operating Rules & Guidelines, including:
- Originator Agreements with every merchant authorizing ACH
- Consumer authorizations captured and retained per Nacha §2.3 (WEB), §2.2 (TEL), and §2.1 (PPD/ARC/BOC)
- Unauthorized return-rate monitoring (< 0.5% threshold); administrative-return monitoring (< 3%); overall return monitoring (< 15%)
- Annual Rules Compliance Audit per §2.17
- Same-Day ACH support with applicable processing-window disclosures
- WEB debit account validation (micro-deposit or commercially reasonable validation service)
State money transmitter status
PayMullet operates under the "payment processor exemption" recognized by most state money-transmitter laws (the merchant-acquirer model transmits funds to satisfy obligations to the payee and is generally not money transmission). Where a state has no clear exemption or our product feature set exceeds the exemption scope (e.g., on-platform balances, FBO wallets, cross-border disbursements), we register or operate through a licensed partner.
Tax reporting (IRS Form 1099-K)
As a Third Party Settlement Organization under IRC §6050W, PayMullet issues Form 1099-K to merchants who meet the federal threshold. For 2025 returns (filed January 2026), the IRS transition threshold is $2,500; the threshold steps down to $600 for the 2026 tax year unless further changed by Congress or the IRS. State 1099-K thresholds are lower in several states (e.g., MA, VT, VA, MD, IL, DC — generally $600 and/or lower transaction counts).
- W-9 collected at onboarding; TIN matching run within 48 hours
- B-notices issued for TIN mismatches; 24% backup withholding applied after the second B-notice
- 1099-K furnished by January 31 and filed electronically with the IRS by March 31
- Merchant corrections available through the Dashboard until the filing date; corrected forms issued after
Data protection and privacy regimes
PayMullet operates across US federal and state privacy regimes, plus GDPR/UK GDPR for data flowing from the EEA and UK. See Privacy Policy for full detail. Key compliance artifacts:
- GDPR Article 30 Records of Processing Activities (available under NDA)
- DPIA library for high-risk processing (fraud scoring, behavioral biometrics)
- Standard Contractual Clauses + UK IDTA + Swiss FADP addendum for onward transfers
- CPRA-compliant notice, rights workflow, and GPC handling
- Appointed Article 27 representative in the EU
Accessibility
We target WCAG 2.2 Level AA across the Dashboard, marketing site, and hosted checkout. Full detail on the Accessibility page.
Responsible disclosure of compliance issues
Compliance concerns (AML, OFAC, sanctions evasion, suspected fraud by a PayMullet merchant) can be reported confidentially to compliance@paymullet.com or via our ethics hotline (details in the Dashboard footer). We do not retaliate against good-faith reporters.
Regulatory inquiries
Subpoenas, investigative demands, and civil process should be served on our registered agent in Delaware (Corporation Service Company, 251 Little Falls Drive, Wilmington, DE 19808) with a courtesy copy to legal@paymullet.com. We comply with valid legal process narrowly scoped; overbroad demands will be objected to or narrowed.
Changes and change log
Material compliance updates are announced in the Dashboard and the public change log. We give at least 30 days' notice for any change that shifts obligations onto merchants.