Can I use third-party payment processors on my website in Washington? What are the requirements?

Third-Party Payment Processors in Washington

Yes, you can use third-party payment processors on your website in Washington. However, businesses that process more than six million credit card and debit card transactions annually and provide, offer, or sell goods or services to persons who are residents of Washington are subject to liability under RCW 19.255.020 if there is a breach of unencrypted account information ^[1.1].

If a business uses a third-party payment processor, it must ensure that the processor complies with the payment card industry data security standards adopted by the payment card industry security standards council and is certified compliant. The compliance must be validated by an annual security assessment, and the assessment must have taken place no more than one year prior to the time of the breach. The nonrevocability of a processor’s security assessment of compliance is only for the purpose of determining a processor’s liability under RCW 19.255.020(2) ^[1.1].

Additional Requirements

There are additional requirements for electronic delivery of documents and notices in Washington. For example, if you deliver notices or documents electronically, you must obtain the party’s consent and provide a clear and conspicuous statement informing the party of their right to withdraw consent to have a notice or document delivered by electronic means at any time, and any conditions or consequences imposed in the event consent is withdrawn ^[2.2].

Additionally, financial institutions that issue payment cards must list a phone number on their website for cardholders and merchants to report suspected incidents in which payment cards are used for fraud or payment cards have been stolen. They must also have employees or contractors available during business hours to receive phone calls for the purpose of providing assistance to cardholders or merchants regarding suspected incidents in which payment cards are used for fraud or payment cards have been stolen ^[3.1].

Conclusion

In summary, you can use third-party payment processors on your website in Washington, but you must ensure that the processor complies with the payment card industry data security standards and is certified compliant. You must also comply with the additional requirements for electronic delivery of documents and notices, and financial institutions that issue payment cards must provide a phone number for reporting suspected incidents of fraud or stolen payment cards.

Source(s):

• [1.1] Liability of processors, businesses, and vendors.
• [3.1] Requirements for financial institutions.
• [2.2] Delivery by electronic means authorized—Insurer requirements—Party consent—Definitions.

Jurisdiction

Washington

• Privacy