Why rules and regulations matter to subscription businesses

In the subscription space, there are both state and federal laws as well as various network rules in place to protect consumers. Some have been in place for decades, while others were recently introduced. Understanding which regulations apply, how they apply, and how to ensure compliance is important for any merchant processing recurring payments.

Everyone in the organization – not just those in the legal department – should be knowledgeable and cognizant of these rules. It takes focus across all areas, including billing, operations, finance, and legal teams working together to ensure compliance.

Where subscription industry rules and regulations come from

Payment processing rules are set by the card networks (e.g. Visa, Mastercard, Discover). The networks have been operating for decades and their rulebooks run to well over 2,000 pages each, so no merchant can realistically be familiar with every rule.

Rules, and notices of potential violations, are usually communicated to merchants by payment processing companies, also known as merchant acquirers, who underwrite (vouch for and carry liability for) the merchant's transactions. Acquirers are therefore a good source of information for merchants who want to confirm that they are complying with network rules.

Although it is essential that businesses comply with the rules, not all rules are enforced equally. In practice a rule is often not enforced until there is "noise" around a violation, for example a cardholder complaining to their issuing bank, which forwards the complaint through the network to the merchant's acquirer. Once the acquirer becomes aware of the non-compliance, it sends the merchant a notice describing the issue and requests a remediation plan. If the business fails to comply, the networks escalate the consequences, typically through fines, until the business loses its network processing rights altogether.

There are also regulations set by government bodies and by non-profits such as NACHA, whose Operating Rules govern transactions processed through the ACH network. One important regulation, Regulation E, implements the Electronic Fund Transfer Act of 1978. It was originally issued by the Federal Reserve and has been administered by the Consumer Financial Protection Bureau since 2011. It sets the rules for electronic debits from consumer checking and savings accounts, including the authorization a business must obtain from the consumer before initiating preauthorized recurring debits and the consumer's right to dispute unauthorized transfers.

Other important rules and regulations to know in the subscription space

CCPA and GDPR
The CCPA and the GDPR are newer regulations that address consumer privacy. They protect consumers by setting requirements on how personal data may be collected, processed, stored, and shared. To comply with the CCPA and GDPR, businesses need to be deliberate about which consumer data they keep, and where and how they keep it. There is, however, a balance to strike between these privacy laws and other obligations. For example, Sarbanes-Oxley regulates internal controls over financial reporting, how financial statements are audited, and how long the supporting records must be retained, so a business must keep certain transaction records as evidence of its revenue even while minimizing the personal data it holds. A practical way to reconcile the two is to retain the transaction record (amount, date, order reference) while tokenizing or deleting the sensitive elements, such as the full card number, that the record does not need.

ROSCA (Restore Online Shoppers' Confidence Act)
ROSCA is a federal statute enacted in 2010 to address aggressive and deceptive online marketing practices by certain merchants. One of its provisions targets "data pass": a third-party seller may not charge a consumer using payment information passed along from the merchant the consumer originally bought from unless the consumer receives clear disclosures, gives express informed consent, and re-enters their full account number. For example, if a consumer purchases 'Item A' on one website and is shown an offer for 'Item B', sold by a separate merchant, on the checkout page, the consumer must re-enter their payment information to purchase 'Item B'. This prevents businesses from using misleading language and pre-filled payment details to make consumers purchase products they did not intend to buy.

In addition, ROSCA requires clear and conspicuous disclosure of the material terms before a customer is automatically billed, the customer's express informed consent to those terms, and a simple mechanism for stopping recurring charges. In practice, customers should be able to cancel a subscription through the same channel they used to sign up (e.g. if they signed up online, they should be able to cancel online, not only by phone).

Card Network Operating Rules

Card network operating rules are constantly changing. Visa usually takes the lead on rule changes, and the other major networks follow suit. One change implemented in recent years is the Stored Credential Framework.

This framework lets issuers tell a recurring payment apart from a one-off purchase by classifying every transaction as either a CIT (cardholder-initiated transaction) or an MIT (merchant-initiated transaction). A CIT is any transaction the cardholder actively takes part in: the initial transaction in which the cardholder agrees to have their credential stored on file, and any later purchase in which the cardholder actively uses that stored credential. An MIT is a transaction the merchant initiates on its own using a credential already on file, without the cardholder's participation, such as the automatic renewal of a subscription term. Under the framework the merchant must flag the initial CIT as one that stores a credential, retain the transaction ID the issuer returns for it, and include that original transaction ID, along with an indicator of the MIT type (e.g. recurring), on every subsequent MIT, so the issuer can link the renewal back to the transaction in which the cardholder consented.
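The linkage described above can be modeled as a small ledger on the merchant side. The following is an added illustration, not code from the original page or from Rebar: it shows a merchant enforcing that a credential is only stored on a CIT with recorded consent, that every MIT references the transaction ID of that initial CIT, and that cancelling the subscription removes the credential so no further MITs can be generated. The field names and indicator values (`stored_credential_indicator`, `initial_transaction_id`, "initial_cof", "recurring") and the transaction IDs are hypothetical stand-ins for the kind of data the network rules require, not the exact message fields of Visa or any other network.

```python
"""Toy stored-credential ledger for a subscription merchant (added example).

Field names and indicator values are hypothetical; real authorization
messages use the network-specific fields defined in each network's rules.
"""
from dataclasses import dataclass
from enum import Enum
import itertools
from typing import Dict, Optional


class Initiator(Enum):
    CIT = "cardholder"   # cardholder actively takes part in the transaction
    MIT = "merchant"     # merchant initiates with a credential already on file


@dataclass
class AuthRequest:
    token: str                      # reference to the vaulted card, never the PAN itself
    amount_cents: int
    initiator: Initiator
    store_credential: bool = False  # initial CIT: cardholder agreed to keep the card on file
    consent_recorded: bool = False  # disclosure shown and express consent captured (ROSCA)
    recurring: bool = False         # MIT for a scheduled renewal rather than an ad hoc charge
    initial_transaction_id: Optional[str] = None  # must be present on every MIT


@dataclass
class StoredCredential:
    token: str
    initial_transaction_id: str  # issuer-returned id of the CIT that stored the card


class ComplianceError(ValueError):
    """Raised when a request would violate the stored-credential rules."""


class StoredCredentialLedger:
    def __init__(self) -> None:
        self._on_file: Dict[str, StoredCredential] = {}
        # constructed transaction ids standing in for what the issuer would return
        self._tran_ids = (f"TXN{n:06d}" for n in itertools.count(1))

    def authorize(self, req: AuthRequest) -> dict:
        if req.initiator is Initiator.CIT:
            return self._cardholder_initiated(req)
        return self._merchant_initiated(req)

    def _cardholder_initiated(self, req: AuthRequest) -> dict:
        tran_id = next(self._tran_ids)
        if req.store_credential:
            if not req.consent_recorded:
                raise ComplianceError("cannot store a credential without express consent")
            self._on_file[req.token] = StoredCredential(req.token, tran_id)
            indicator = "initial_cof"          # tells the issuer this CIT stores a credential
        elif req.token in self._on_file:
            indicator = "subsequent_cof_cit"   # cardholder actively reuses the card on file
        else:
            indicator = "none"                 # ordinary one-off purchase
        return {"transaction_id": tran_id, "initiator": "CIT",
                "stored_credential_indicator": indicator}

    def _merchant_initiated(self, req: AuthRequest) -> dict:
        cred = self._on_file.get(req.token)
        if cred is None:
            raise ComplianceError("MIT requires a credential already on file")
        if req.initial_transaction_id != cred.initial_transaction_id:
            raise ComplianceError("MIT must reference the transaction id of the initial CIT")
        return {"transaction_id": next(self._tran_ids), "initiator": "MIT",
                "stored_credential_indicator": "recurring" if req.recurring else "unscheduled",
                "initial_transaction_id": cred.initial_transaction_id}

    def cancel(self, token: str) -> bool:
        """Cancellation removes the credential, which stops every further MIT."""
        return self._on_file.pop(token, None) is not None


def demo() -> list:
    """Enrol, renew, cancel, then show that a post-cancellation renewal is refused."""
    ledger = StoredCredentialLedger()
    results = []
    first = ledger.authorize(AuthRequest("tok_demo", 999, Initiator.CIT,
                                         store_credential=True, consent_recorded=True))
    results.append(first)
    renewal = ledger.authorize(AuthRequest("tok_demo", 999, Initiator.MIT, recurring=True,
                                           initial_transaction_id=first["transaction_id"]))
    results.append(renewal)
    ledger.cancel("tok_demo")
    try:
        ledger.authorize(AuthRequest("tok_demo", 999, Initiator.MIT, recurring=True,
                                     initial_transaction_id=first["transaction_id"]))
    except ComplianceError as err:
        results.append(str(err))
    return results


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of keeping the initial transaction ID on the credential record, rather than only the token, is that the ID is what the issuer uses to tie a renewal back to the cardholder's original consent; a merchant that vaults cards but discards that ID cannot submit compliant MITs later.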

State Laws

California was one of the first states to regulate subscriptions directly, through its Automatic Renewal Law (the CCPA, by contrast, is a privacy statute rather than a subscription law), and many states have since followed suit. For example, Vermont recently introduced a law setting out specific requirements for how information must be presented to consumers entering into a recurring billing arrangement. It prescribes concrete actions businesses must take, such as presenting the automatic renewal terms in bold typeface and requiring a separate checkbox through which the consumer affirmatively agrees to the recurring subscription, so that consumers understand they are signing up for a recurring arrangement.

Overall, there is no definitive list of every rule and regulation that affects subscription models. New rules are constantly being created, and existing ones are frequently revised or amended. In recent years, regulatory activity has increasingly focused on privacy (e.g. the CCPA), and that remains the prevailing theme today.

Potential consequences of non-compliance

When a business fails to comply with laws or regulations, it risks both fines and damage to its reputation. Fines are the tangible consequence (e.g. Google being fined for non-compliance with the GDPR), whereas reputational damage is harder to quantify (e.g. the Target and Home Depot data breaches). The media routinely reports on such events, and news of a business's non-compliance can make consumers lose confidence in the company and avoid transacting with it. To reduce the likelihood of card-data breaches, the PCI DSS, a standard set by the card industry and enforced through the networks' and acquirers' contracts rather than a law, governs how card data must be handled. Following it lowers, though it does not eliminate, the risk of data loss for brands, consumers, and businesses.

If a business consistently fails to comply with network rules, it risks losing its payment processing privileges altogether. It may lose the ability to accept a specific network's cards, such as Visa or Mastercard, or lose its processing relationships across all major networks and acquirers. This is detrimental because a business that has to tell consumers it cannot accept a common card type (e.g. Visa or Mastercard) will almost certainly lose those consumers.

How to keep up with new rules and regulations

There are a number of things businesses can do to stay on top of new rules and regulations. First, they can develop a close relationship with their acquirer. Because the acquirer is financially liable for the transactions a merchant processes, it has a direct stake in making sure the business is compliant. It is a good idea for businesses to check in with their acquirer regularly and ask for updates on rule changes that will affect them.

Industry events are also a good way to stay up-to-date on new regulations. These events are often attended by lawyers with subscription expertise, and they offer valuable insight into new legislation to be aware of. In addition, attending industry events provides businesses with an opportunity to network with others in the industry and hear about their experiences with compliance.

Businesses can also work with experts in the subscription billing space, such as Rebar Technology. In addition, businesses can opt to work directly with lawyers who specialize in e-commerce and subscription businesses. This option is especially beneficial for businesses who operate internationally.

How Rebar helps merchants keep up with changing rules and regulations

Rebar takes a two-pronged approach to helping businesses comply with rules and regulations in the subscription billing space. When working with a business, Rebar's first order of business is determining which rules and regulations apply to that specific business. Rebar then holds internal working sessions to work out how the business can best comply with all of them and presents the findings to the business. In addition, Rebar is PCI DSS compliant and undergoes annual Level 1 assessments to confirm that its systems, people, and technology meet the standard.

Rebar is a sister company to W. Capra Consulting Group, a consulting firm that has worked with many companies in the subscription space. Working with Rebar means also gaining access to all of the knowledge and expertise that W. Capra has gained through engagements with other subscription businesses. 

Ensuring compliance with the many rules and regulations in subscription billing can be difficult, but it is essential that businesses make the effort in order to avoid the consequences of non-compliance. By actively working to comply, whether internally or with outside help from companies such as Rebar Technology, subscription businesses can give their customers a better experience and avoid unnecessary complications that could jeopardize the company.