July 17, 2025

What is a Payment Processor?

Ivan Tsarynny

Summary

  • A payment processor is a service that facilitates credit and debit card transactions between merchants, banks, and card networks.
  • It handles the secure transmission of payment data and authorization.
  • Payment processors are service providers under PCI DSS and must meet strict compliance requirements.
  • Merchants often rely on processors like Stripe, Square, or Adyen—but still retain security responsibilities.
  • Poor integration or misconfigured scripts can expose cardholder data and expand PCI scope.

What Does a Payment Processor Do?

A payment processor is a company that enables merchants to accept credit card, debit card, and digital wallet payments by managing the technical and financial flow of each transaction.

When a customer submits payment, the processor:

  • Encrypts and transmits card data from the point of entry
  • Routes the transaction through card networks (Visa, Mastercard, etc.)
  • Checks with the issuing bank to verify funds or credit
  • Returns an approval or decline to the merchant
  • Settles funds into the merchant’s account

The processor may also handle fraud detection, tokenization, and dispute resolution depending on the provider and integration level.

How Are Payment Processors Different From Payment Gateways?

While the terms are often used interchangeably, they serve different roles:

Feature        | Payment Processor                          | Payment Gateway
Core Function  | Handles transaction approval & settlement  | Securely collects and transmits card data
Examples       | Stripe, Fiserv, Worldpay, Square           | Authorize.net, Braintree, Payflow Pro
PCI Role       | Service Provider                           | Can be merchant-controlled or provider-managed

In many modern platforms (e.g., Stripe, Shopify Payments), gateway and processor functions are bundled together, making the distinction less visible to merchants.

Are Payment Processors Subject to PCI DSS?

Yes. Payment processors are considered “service providers” under PCI DSS, and they are required to:

  • Maintain full PCI DSS compliance
  • Complete annual Reports on Compliance (ROCs) or Attestations of Compliance (AOCs)
  • Encrypt, segment, and monitor all cardholder data
  • Provide secure APIs and SDKs for merchants
  • Offer documentation and support for PCI scope reduction

Processors that store, process, or transmit cardholder data must follow all PCI DSS requirements relevant to their environment.

Merchants should only use processors listed on the Visa Global Registry of Service Providers.

What PCI DSS Responsibilities Do Merchants Still Have?

Using a payment processor does not eliminate a merchant’s PCI obligations. Depending on how the processor is integrated, the merchant may still be responsible for:

  • Securing checkout pages and client-side scripts
  • Completing an annual Self-Assessment Questionnaire (SAQ)
  • Ensuring cardholder data never touches their servers
  • Monitoring the use of third-party code on payment pages
  • Keeping systems updated and secure

If the merchant’s website collects card data using JavaScript (e.g., via custom forms or embedded fields), the site becomes part of the cardholder data environment (CDE) and must comply with additional PCI DSS controls—including Requirements 6.4.3 and 11.6.1 under PCI DSS 4.0.
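As an added example (not code from the original post), the following audit checks the scripts a payment page loads against an approved inventory in the way Requirement 6.4.3 expects: each script must be authorized with a recorded justification, and where the inventory records an SRI hash the page must load the script with exactly that hash. The hosts, hashes and inventory format are constructed assumptions, and collectPageScripts is a hypothetical helper for gathering the live list in a browser.

```javascript
// Approved script inventory, keyed by src (or "inline:<sha256>" for inline code).
const APPROVED_SCRIPTS = {
  "https://cdn.processor.example/sdk.js": // assumed: SDK has no fixed SRI hash
    { integrity: null, justification: "processor SDK rendering the hosted card fields" },
  "https://shop.example/static/checkout.js":
    { integrity: "sha384-EXPECTEDHASH", justification: "first-party checkout logic" },
};

// Scripts as observed on the page (constructed sample of collectPageScripts output).
const SAMPLE_SCRIPTS = [
  { src: "https://cdn.processor.example/sdk.js", integrity: null },
  { src: "https://shop.example/static/checkout.js", integrity: "sha384-EXPECTEDHASH" },
  { src: "https://analytics.example/tag.js", integrity: null }, // never approved here
];

// Compare observed scripts with the inventory; returns one finding per problem.
function auditScripts(scripts, approved) {
  const findings = [];
  const seen = new Set();
  scripts.forEach((s, i) => {
    const key = s.src || `inline:${s.hash || "unhashed-" + i}`;
    seen.add(key);
    const entry = approved[key];
    if (!entry) {
      findings.push({ key, issue: "unauthorized" }); // 6.4.3: no authorization on record
    } else if (entry.integrity && !s.integrity) {
      findings.push({ key, issue: "no-integrity" }); // tag loads without an SRI attribute
    } else if (entry.integrity && s.integrity !== entry.integrity) {
      findings.push({ key, issue: "integrity-mismatch" }); // hash differs from inventory
    }
  });
  for (const key of Object.keys(approved)) {
    if (!seen.has(key)) findings.push({ key, issue: "stale-inventory" }); // approved, absent
  }
  return findings;
}

// In a browser, build the observed list from the live DOM; inline bodies are
// hashed with SubtleCrypto so they match "inline:<sha256>" inventory keys.
async function collectPageScripts(doc = globalThis.document) {
  const observed = [];
  for (const el of doc.scripts) {
    if (el.src) { observed.push({ src: el.src, integrity: el.integrity || null }); continue; }
    const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(el.textContent));
    const b64 = btoa(String.fromCharCode(...new Uint8Array(digest)));
    observed.push({ src: null, hash: `sha256-${b64}`, integrity: null });
  }
  return observed;
}

if (typeof document === "undefined") console.log(auditScripts(SAMPLE_SCRIPTS, APPROVED_SCRIPTS));
```

Run on a schedule against the rendered checkout page, a non-empty result is the event that feeds the 11.6.1 change-and-tamper alerting the post refers to.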


FAQ

Can using Stripe or Square make me PCI compliant?

Not automatically. While they reduce your scope, you still need to complete the correct SAQ and ensure your integration doesn’t expose cardholder data.

Do payment processors sign a BAA for HIPAA compliance?

Generally, no. Most processors are not HIPAA-compliant and shouldn’t be used to collect payments for protected health services without proper safeguards.

How do I know if my processor is PCI compliant?

Ask for their Attestation of Compliance (AOC) or look them up on Visa or Mastercard’s approved provider lists.

Conclusion

A payment processor is a critical link in the chain of digital commerce—but it doesn’t absolve merchants of security responsibilities. Both parties play a role in PCI DSS compliance and in protecting cardholder data.

Merchants should:

  • Choose PCI-compliant processors with clear AOCs
  • Integrate using lowest-scope configurations (e.g., hosted forms, tokens)
  • Secure any pages that load card-related scripts
  • Monitor browser-side risk to meet PCI DSS 4.0

As the payment landscape grows more complex, processor selection and integration strategy directly affect your compliance and risk posture.
