Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you sell online or plan to, you’ll quickly run into a key question: how do you actually accept card payments securely and legally? That’s where an internet merchant account comes in.
In the UK, picking and setting up the right internet merchant account isn’t just a tech decision - it has legal and compliance implications that affect your cash flow, customer trust and risk exposure. The good news is that with the right setup and clear policies, you can be ready to take payments with confidence.
In this guide, we’ll demystify internet merchant accounts in the UK, explain how they fit with payment gateways and PSPs, outline your legal duties (from consumer law to privacy and Strong Customer Authentication), and share a practical checklist to get you protected from day one.
What Is An Internet Merchant Account In The UK?
An internet merchant account (IMA) is a special bank account that allows your business to accept card payments online. It’s different from your ordinary business bank account. When a customer pays, funds are authorised and settled into your merchant account first, and then transferred (usually daily or weekly) into your business bank account - minus any fees, chargebacks or reserves.
Key players in a typical online payment flow include:
- Merchant Acquirer: The financial institution that provides your internet merchant account and settles card transactions to you.
- Payment Gateway/PSP: The technology that securely captures card details, applies fraud checks and forwards authorisations to card schemes and acquirers.
- Card Schemes: Visa, Mastercard, Amex and others that route the transaction and set scheme rules and interchange fees.
Some providers bundle the gateway and merchant account into a single service (often called a PSP), while others split them. Either model can work - what matters is understanding costs, contractual terms and your compliance responsibilities.
How Internet Merchant Accounts Work With Gateways And PSPs
There are two common models you’ll see when comparing providers:
1) Separate Gateway + Merchant Account
You sign one agreement with a gateway (technical processing) and another with a merchant acquirer (settlement account). This can offer flexibility (e.g. switching gateways without changing acquirer), and sometimes sharper pricing at higher volumes. It does mean two sets of contracts and support channels.
2) All-In-One PSP
You sign a single contract with a PSP that provides both gateway and acquiring services. This can be quicker to onboard and simpler to manage. Fees may be blended into one “per transaction” rate. If you outgrow the package or want bespoke terms, you may need a migration plan.
In both models, check how settlement works (timings, currency options, rolling reserves), how disputes and chargebacks are handled, and what happens if you need to exit or scale. Your commercial deal should be clear on pricing, settlement delays, refunds, reserves and termination rights so there are no surprises later.
Legal And Compliance Requirements For UK SMEs Taking Card Payments
Accepting online payments brings specific legal duties. Here are the big ones, in plain English.
Consumer Law: Refunds, Transparency And Fair Terms
- Consumer Rights Act 2015: Your terms must be fair and transparent, and goods/services must match their description and be of satisfactory quality.
- Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013: For most online sales to consumers, you must provide clear pre-contract information, confirm the contract on a durable medium (e.g. email), and allow a 14-day cooling-off period for most goods and all distance services (with exceptions).
- Clear Returns And Refunds: Make sure your refund language matches the law and your payment provider’s rules. A clear returns page and robust Online Shop Terms & Conditions reduce disputes and chargebacks.
If you’re not sure whether your policy is compliant or how long refunds should take, it helps to align your practices with your UK returns policy obligations and the way chargebacks are processed by your acquirer.
Data Protection And PCI DSS
- UK GDPR and Data Protection Act 2018: If you process personal data (including contact details, order information and identifiers), you must have a lawful basis, keep data secure, minimise collection and be transparent in your Privacy Policy.
- PCI DSS: The Payment Card Industry Data Security Standard applies to every merchant that accepts card payments, but your compliance scope depends on how much cardholder data your own systems touch. Most SMEs can reduce scope by using a fully hosted payment page or tokenisation, so card details never touch your servers.
- Data Processing: If a third party (like your gateway/PSP or a fulfilment partner) processes personal data for you, put a compliant Data Processing Agreement in place.
- Cookies And Tracking: If your store uses analytics or marketing cookies, publish a clear Cookie Policy and obtain consent where required.
Strong Customer Authentication (SCA) Under PSD2
The UK’s Payment Services Regulations 2017 (as amended) implement PSD2-style rules, including Strong Customer Authentication for most online card payments. Practically, your gateway or PSP should handle 3‑D Secure flows, exemptions and frictionless decisions - but you should still test customer experience and understand how SCA affects conversion and liability shift.
Record-Keeping, Invoices And Tax
- VAT: If you’re VAT-registered, ensure your checkout and invoices capture the right rates, and include required details. Your documentation must meet UK invoice requirements.
- Electronic Records: Keep accessible records of orders, refunds and chargebacks for audit and dispute handling.
Chargebacks And Scheme Rules
Card schemes and acquirers have rules about refunds, fulfilment evidence and disputed transactions. Failing to follow them can lead to penalties or even termination of your merchant facility. Make sure your terms, fulfilment processes and customer communications align with your acquirer’s policies to reduce chargeback risk.
How To Choose An Internet Merchant Account Provider
Comparing providers can be overwhelming. Use these decision points to narrow your shortlist and negotiate the right deal for your business.
Pricing And Fees
- Blend vs Interchange++: Interchange++ shows true scheme and interchange costs plus a margin - often better for larger volumes. Blended fees are simpler but less transparent.
- Fixed Fees: Watch for authorisation fees, chargeback fees, monthly minimums, PCI fees and refund fees.
- Settlement Costs: Currency conversion and payout fees can add up for cross‑border sales.
Risk And Reserves
- Rolling Reserves: Higher‑risk categories (ticketing, subscriptions, pre‑orders) may attract reserves that affect cash flow.
- Refunds And Pre-Orders: Clarify how refunds are handled if you don’t yet have the settled funds, and any restrictions on pre‑sales.
Onboarding And Support
- Underwriting: Be ready to provide bank statements, forecasts, and details of your products and delivery times.
- Dispute Handling: Understand how you’ll be notified, what evidence is needed, and deadlines for responses.
- Tech Stack: Check plugins for your ecommerce platform, tokenisation support, subscription billing and reconciliation tools.
Contract Terms
- Auto‑Renewal And Term: If the agreement auto‑renews, ensure the renewal and termination clauses are fair and comply with UK rules on auto‑renewal.
- Termination For Convenience: Check notice periods, early exit fees and your right to switch providers.
- Service Levels: Uptime commitments, incident response and maintenance windows matter for your revenue.
It’s wise to get legal eyes on the small print, especially on reserve mechanics, termination triggers, liability caps and scheme compliance clauses. A few tweaks here can protect your cash flow later.
Essential Contracts And Website Policies To Put In Place
Your merchant account is just one part of taking payments online. To prevent disputes and comply with UK law, make sure your website and order flow are backed by clear, enforceable documents.
- Online Shop Terms & Conditions: Sets out pricing, delivery, returns, warranties and liability. These should be tailored to your products, shipping model and target customers.
- Terms of Sale: If you also sell to B2B customers, you’ll need robust commercial terms covering risk transfer, payment terms, late fees and limitations of liability.
- Privacy Policy: Explains what personal data you collect, why, and how customers can exercise their rights under UK GDPR.
- Cookie Policy: Required where you use non‑essential cookies (analytics, advertising, social media).
- Payment And Refund Language: Align your refund timelines with acquirer rules to avoid double payouts. Your policy should be consistent with consumer law and your disputes process described above.
It’s also important that your checkout flow presents terms in a way that makes them binding. Simple design tweaks (like a “tick‑box” acceptance and clear links at the point of purchase) can make your terms more enforceable - see our guidance on how to make website terms & conditions enforceable.
Step-By-Step Setup Checklist
1) Map Your Payment Flow
Decide whether you’ll use an all‑in‑one PSP or separate gateway and acquirer. Consider your platform (Shopify, WooCommerce, custom), subscription needs and multi‑currency plans.
2) Prepare For Underwriting
Most acquirers will ask for bank statements, company details, forecasts, delivery times and your refund policy. Make sure your website is live (even if password‑protected) with clear product descriptions and policies.
3) Compare Commercial Terms
Get quotes with full fee breakdowns. Ask about settlement times, rolling reserves, chargeback fees, and whether pricing improves with volume. Clarify trial periods and exit fees.
4) Put Your Website Legals In Place
Publish your Online Shop Terms & Conditions, Privacy Policy and Cookie Policy, and ensure they’re presented at checkout. If you sell B2B, add Terms of Sale for trade customers.
5) Configure SCA And PCI
Enable 3‑D Secure via your gateway to meet SCA requirements, and choose hosted fields or a hosted redirect so card details never reach your servers, which minimises your PCI DSS scope. Document your PCI approach for the annual SAQ (self‑assessment questionnaire) where applicable.
6) Set Up Refunds And Chargeback Playbooks
Decide who approves refunds, when they’re issued, and how you’ll document delivery and communications. Maintain templates for responding to chargebacks with shipment tracking, proof of download or service logs.
7) Test And Go Live
Run end‑to‑end test transactions (including SCA challenges), email receipts, and refund flows. Check order records, VAT invoices and reconciliation into your accounting software.
Common Pitfalls And How To Avoid Them
- Unclear Returns Policy: Vague or non‑compliant language often leads to chargebacks. Align with consumer law and your acquirer’s evidence requirements, and mirror this in your returns policy.
- Hidden Fees: Watch for monthly minimums, PCI “non‑compliance” charges and early termination fees. Ask for a complete schedule of fees before you sign.
- Reserve Shock: If you sell high‑risk products or long‑lead items, negotiate lower reserves or time‑limited reserves tied to performance.
- Poor SCA UX: Not testing 3‑D Secure flows can tank conversion. Use exemptions where appropriate (managed by your provider) and keep customers informed.
- Missing Policies: Skipping your Privacy Policy or cookie notices risks ICO complaints and erodes trust.
- Unenforceable Terms: If your terms aren’t properly presented or drafted, they may not be enforceable. Follow best practice for click‑wrap presentation and ensure your content actually matches how you trade.
- Weak Evidence For Disputes: Keep delivery confirmations, tracking, timestamps and customer comms to respond effectively to chargebacks.
If this feels like a lot to juggle, don’t stress - once your framework is in place, day‑to‑day operations become far smoother. Getting your contracts and compliance right up front saves time and money later.
Key Takeaways
- An internet merchant account lets you accept online card payments; it typically works alongside a gateway or all‑in‑one PSP. Choose the model that fits your platform, volume and growth plans.
- UK consumer law, the Consumer Contracts Regulations, UK GDPR, PCI DSS and SCA all apply when you take payments online - build compliance into your checkout and fulfilment processes from day one.
- Compare providers on total cost, settlement times, reserves, dispute handling and contract terms (especially termination and auto‑renewal) - not just the headline rate.
- Publish tailored website documents, including Online Shop Terms & Conditions, a Privacy Policy, a Cookie Policy and, where relevant, separate Terms of Sale for B2B.
- Minimise PCI scope by using hosted payment solutions, enable 3‑D Secure for SCA and maintain clear evidence trails to manage chargebacks.
- Design your checkout to make your terms enforceable and align refund timeframes with both consumer law and your acquirer’s processes.
If you’d like tailored help reviewing a merchant agreement or drafting the right website terms and policies for your store, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligation chat.