Merchants should stay informed about the shifting landscape of fees, surcharging rules, and security standards. In the United States, 2025 is a pivotal year for changes in payment regulations and industry standards, including potential legislation on interchange fees, new surcharging laws, and updated security requirements.

This blog will guide you through the key updates and new credit card regulations, explaining their implications for merchant compliance and operations.

Key Takeaways

• Congress is reconsidering a bill that could increase competition in credit card processing by requiring big banks to offer at least one non-Visa/Mastercard network. Supporters argue that it could lower fees for merchants, but opponents caution that it may reduce or eliminate consumer rewards. The bill’s future is still uncertain as of mid-2025.
• States are advancing laws to limit swipe fees on sales tax and tips, following Illinois’ lead. At the federal level, a proposed 10% cap on credit card interest rates, supported by both Trump and Sanders, has stirred debate. These moves reflect growing frustration with high fees from both merchants and consumers.
• Surcharging is legal in most states but comes with strict rules that vary widely. Merchants must stay within fee caps, comply with disclosure requirements, and refrain from applying surcharges to debit card transactions. Some states, like California and Minnesota, have banned or limited separate surcharge fees altogether.
• New PCI DSS 4.0 rules take effect March 31, 2025. All businesses handling card payments must strengthen authentication, monitor their systems more closely, and adhere to over 50 updated security requirements. Noncompliance can result in significant fines, so thorough preparation is essential.

Congress Reconsiders the Credit Card Competition Act in New Credit Card Regulations

A primary focus is the proposed Credit Card Competition Act (CCCA), initially introduced in 2022 and reintroduced with bipartisan support in 2023. The CCCA aims to increase competition in the credit card network market. It would require large card-issuing banks (assets over $100 billion) to enable at least two processing network options on their credit cards, and crucially, neither option can be Visa or Mastercard.

In practice, this means an issuer might pair Visa or Mastercard with an alternative network (like NYCE, Star, or Shazam) to give merchants a choice in how a transaction is routed. Proponents argue that allowing merchants to route payments over a competing network would pressure the dominant networks’ interchange fees downward through competition. This could lower card-acceptance costs for merchants, potentially saving consumers money if merchants pass on the savings.

However, the CCCA has faced strong opposition and has not yet been enacted into law. Opponents, including many banks and card networks, claim that forcing lower interchange revenue would “torpedo” popular credit card rewards programs by cutting the funds that finance points, cash-back, and travel perks.

They often cite what happened after the Durbin Amendment capped debit card interchange in 2010, debit card rewards mostly vanished. History could repeat with credit cards, they warn. Indeed, payment experts note that reducing interchange may lead issuers to scale back generous rewards to make up for lost fee income. This trade-off between lower merchant costs and potential loss of consumer rewards is at the heart of the debate.

As of mid-2025, the fate of the CCCA remains uncertain. It nearly hitched a ride on a larger bill in Congress (the GENIUS Act on stablecoins) but was dropped from the final Senate package. Lawmakers like Senator Dick Durbin (an author of the bill) have signaled they will keep pushing for it, potentially attaching it to other legislation.

For merchants, this means closely watching Capitol Hill. If such a law passes, you could eventually gain new leverage to reduce processing costs, but it might come with shifts in how consumers use their cards if rewards are cut back. The continuing “swipe fee” battle in Washington suggests that regulatory changes to credit card fees are a real possibility, even if timelines are uncertain.

States and Lawmakers Target Swipe Fees and Interest Rates

A growing populist movement is challenging the credit card industry from multiple directions, targeting both the fees that merchants pay and the interest rates consumers face. In 2024, Illinois became the first state to pass a law aimed at limiting interchange fees by prohibiting card networks from charging merchants a percentage on the portion of a sale that accounts for sales tax and tips. The logic is simple: merchants are merely collecting taxes on behalf of the government, so why should they pay swipe fees on that amount? Although a court injunction quickly paused the law, it set a precedent.

As of early 2025, at least a dozen states were advancing similar bills, with several, including Texas, Connecticut, Washington, and Arizona, already pre-filing legislation modeled on the Illinois approach. These efforts are primarily driven by small business groups, who argue that non-negotiable swipe fees imposed by dominant networks, such as Visa and Mastercard, increase costs and erode already thin margins. With federal action stalled, states are stepping in to provide merchants with modest relief on transaction costs that have long been considered unavoidable.

At the same time, that same populist sentiment is reshaping the conversation around what consumers pay to borrow. In a surprising display of bipartisan agreement, President-elect Donald Trump recently proposed a nationwide cap on credit card interest rates at 10 percent. The proposal is even more aggressive than the 15 percent cap initially proposed by progressive lawmakers such as Bernie Sanders and Alexandria Ocasio-Cortez.

Sanders has openly supported Trump’s idea, calling it a long-overdue response to credit card companies charging average rates above 20 percent and retail cards often approaching 30 percent. Although there is currently no federal limit on interest rates for most consumers, the idea of a cap has gained momentum as Americans grow increasingly frustrated with rising credit costs.

Critics warn that such a cap would likely disrupt the business model behind credit cards, leading to fewer approvals, the disappearance of rewards programs, and restricted access to credit. Even so, the fact that lawmakers from opposite sides of the aisle are targeting both the cost of borrowing and the cost of accepting credit cards reflects a more profound shift. Whether it is a small merchant battling swipe fees or a cardholder struggling with high interest, many Americans now view the financial system as tilted toward powerful institutions, and politicians are responding before the pressure becomes impossible to ignore.

Global Context and Proposed Fee Caps

Outside the U.S., regulators have already slashed interchange fees. Notably, the European Union instituted caps years ago, capping consumer credit card interchange at 0.3% of the transaction value (and 0.2% for debit cards). These caps dramatically reduced card acceptance costs in Europe, though they also led European banks to dial back card rewards and introduce annual card fees to compensate. Canada has also moved to ease the burden on merchants: effective late 2024, Canada struck an agreement to cut credit card interchange rates for small businesses by up to 27%, bringing average rates down toward ~1%–1.4%.

This global trend of interchange regulation is influencing the U.S. debate. Some U.S. advocates call for similar direct fee caps on credit card interchange, arguing it would immediately reduce costs for merchants and prices for consumers. Opponents counter that price controls could have unintended consequences, citing studies (often funded by the banking industry) predicting reduced credit availability or higher banking fees if interchange revenue drops.

Credit Card Surcharges Remain a Legal and Compliance Challenge

Adding a credit card surcharge means charging customers a small extra fee when they choose to pay with a credit card. This is one way merchants try to cover the cost of processing those payments. The rules for surcharging have been evolving in recent years, both at the state level and within the regulations established by card networks such as Visa and Mastercard. As 2025 begins, merchants must understand where surcharging is permitted, the applicable limits, and the required disclosures to comply with the law and avoid regulatory issues.

In most of the United States, credit card surcharging is legal, but a few states still ban the practice. As of 2025, Connecticut, Maine, Massachusetts, and California do not permit credit card surcharges. If your business is located in one of these states or sells to customers there, you cannot add a surcharge to credit card payments. Other states allow surcharges, but many set their own rules. For example, Colorado caps surcharges at two percent, which is lower than the national average. States like New York, New Jersey, Nevada, and South Dakota let you apply a surcharge, but only up to your actual processing cost. In Texas, the law is unclear.

While the state officially restricts surcharging, court decisions have created exceptions. Many businesses in Texas now add surcharges by using cash discount programs or relying on court rulings. In Kansas, a former ban was overturned, and the current guidance allows merchants to apply a surcharge as long as the credit card fee is already included in the listed price and a cash discount is displayed instead. Georgia allows convenience fees on credit card payments, provided another payment option is also available. Since the rules vary significantly by state, merchants must stay up-to-date on local laws before deciding to add a surcharge.

Even in states where surcharging is permitted, merchants must still adhere to card network rules. As of 2023, Visa allows a maximum surcharge of three percent, down from its earlier limit of four percent. Mastercard still allows a four percent fee, but since you cannot charge a higher fee for one brand over another, most businesses must stay within the three percent limit if they accept Visa.

Also, card network rules require that the surcharge must not exceed your actual cost of processing payments. In many cases, that means the real cap could be even lower than three percent. Importantly, surcharging is only allowed on credit cards. You cannot add a fee to debit or prepaid card payments, even if the card is run without a PIN. Doing so can result in substantial fines or even the closure of your merchant account.

When applying a surcharge, transparency is critical. Both state laws and card network rules require merchants to inform customers about the surcharge before they pay clearly. This means posting signs at your entrance and at the register that show the surcharge rate and state that it only applies to credit card purchases.

Online businesses must show the surcharge on the checkout page before the customer finishes the transaction. Some states now have stricter rules. Minnesota, for example, updated its law in 2025 to require that any required fee be either included in the listed price or displayed next to it. In face-to-face sales, Minnesota now also requires that staff verbally inform the customer about the surcharge before completing the transaction.

California’s new consumer law, which took effect in 2024, goes even further. It bans adding any required fees at checkout that were not already included in the advertised price. As a result, California businesses can no longer apply a separate credit card surcharge and must instead build those costs into their prices.

Before starting a surcharge program, merchants must notify their payment processor at least thirty days in advance. The processor then informs the card networks on behalf of the merchant. Visa used to require merchants to notify them directly; however, that step is no longer necessary. Many processors offer a form to handle this process. Failing to notify your processor or follow the rules can lead to severe penalties. Card networks can fine businesses tens of thousands or even hundreds of thousands of dollars for violations, such as surcharging a debit card or failing to post proper signage. Enforcement is getting stricter. Visa has already announced that it is increasing efforts to monitor how surcharges are applied.

PCI DSS 4.0 Sets Stricter Standards for Cardholder Data

In 2025, a significant update to payment security rules is taking effect. The new standard, known as PCI DSS 4.0, will be fully enforced starting March 31. PCI DSS stands for Payment Card Industry Data Security Standard. Major credit card networks created it to protect cardholder data and apply to any business that stores, processes, or transmits card payments. Whether you run a small online store or a large retail chain, these rules affect you.

Even if you use a third-party platform to handle payments, like a payment gateway or a point-of-sale system, you are still responsible for certain parts of compliance. Most small businesses complete a yearly Self-Assessment Questionnaire to confirm they meet the standards.

PCI DSS 4.0 replaces the previous version from 2016 and introduces new requirements designed to handle modern security threats better. These changes focus on flexibility, continuous monitoring, and strong authentication. While large businesses may opt for a custom approach, most merchants will continue to follow the standard method by meeting each requirement as written.

Some of the most significant changes include:

• Regular Review of Payment Systems: Businesses must review and document which parts of their system handle cardholder data at least annually. This involves identifying all networks, devices, and individuals involved and ensuring that nothing is overlooked.
• Securing Web Payment Pages: To protect against online threats, such as script attacks, merchants must now track all code running on their payment pages. You need to know which scripts are allowed and make sure none have been tampered with. Tools like script monitoring or browser security settings can help detect changes.
• Multi-Factor Authentication and Stronger Passwords: Anyone accessing systems that store or process card data must now use multi-factor authentication. This means logging in with both a password and an additional factor, such as a one-time code. Passwords must also be stronger. They must now be at least twelve characters long, and shared or default passwords must be carefully controlled or eliminated.
• Better Monitoring and Logging: Businesses must now monitor their systems more closely. Automated tools should be in place to monitor logs, detect unusual activity, and alert staff if an issue arises. If a firewall or antivirus system goes offline, someone should be notified right away. The rules also require checks for malware communication with outside servers, which can indicate a breach.
• Authenticated Internal Scans: Security scans inside your network must now be done using authenticated methods. This means the scanner logs in and checks system settings in detail rather than just scanning from the outside. It provides a more accurate picture of vulnerabilities.
• Anti-Phishing and Third-Party Risk: Companies must protect their staff from phishing scams. This includes training employees, using spam filters, and testing awareness through simulations. Businesses also need to vet any vendors who have access to card data carefully. Contracts should spell out each party’s responsibilities under PCI DSS 4.0.
• Encryption and Data Protection: New rules enhance the protection of stored and transmitted data. Full disk encryption may no longer be sufficient on its own. You may also need to track your security certificates and update them before they expire. If your system utilizes data masking or tokenization, ensure it complies with the latest security standards.

In total, PCI DSS 4.0 includes more than fifty new or updated rules. The goal is to shift from once-a-year checks to ongoing security. Instead of simply completing a checklist, businesses are expected to remain vigilant and adapt to emerging threats over time.

Begin by reviewing your current security setup and comparing it to the new requirements. This is called a gap analysis. Verify that you are using multi-factor authentication, that your passwords meet the latest security standards, and that your payment pages are adequately protected. Then, create a plan with timelines and budgets to address any gaps.

Update your policies and train your employees. Staff should be able to identify phishing emails, know what to do when a system alert is triggered, and understand how their role contributes to overall payment security. Leaders across departments, such as legal, operations, and financ,e should also understand their responsibilities.

Reach out to your payment partners. Request updated compliance reports and clarify which security controls they manage and which ones you are still responsible for. Many businesses use a shared responsibility matrix to maintain clarity.

Failing to comply with PCI DSS 4.0 can result in fines, audit costs, or even liability in the event of a data breach. More importantly, these rules are designed to reduce the chance of a breach in the first place. They help keep your business and your customers safe.

The deadline to comply is March 31, 2025. If you need help, consider hiring a Qualified Security Assessor or a consultant. Starting now gives you time to avoid mistakes and meet the new expectations with confidence.

Conclusion

The regulatory and compliance landscape for credit card payments in 2025 is dynamic. Interchange fees are under the microscope, with lawmakers debating caps and competitive measures that could lower costs for merchants (while potentially reshuffling the rewards ecosystem). Surcharging rules have been implemented nationwide, but the onus is on merchants to surcharge responsibly, within legal limits, and with complete transparency to consumers. And behind the scenes, payment security standards are reaching new heights with the introduction of PCI DSS 4.0, which demands greater vigilance and investment in data protection. For merchants, navigating these changes means staying educated and adaptable.

Those who keep up with the new regulations – adjusting pricing strategies, updating compliance programs, and enhancing security – will not only avoid fines and legal pitfalls but can also gain a competitive edge. By proactively managing transaction costs and safeguarding customer data, businesses can foster trust and resilience in the rapidly evolving world of payments. 2025 presents both challenges and opportunities for merchants to optimize their credit card payment acceptance and security, ultimately benefiting both the business and its customers.