Payment Gateway Compliance Advisory for E-Commerce in Lithuania

AT A GLANCE

  1. Payment processing is the operational heart of an e-commerce business, and the legal and compliance framework around it is significantly more complex than most operators realise before they encounter their first chargeback dispute or PSP account suspension.
  2. PSP agreements contain liability clauses that shift chargeback and fraud exposure directly onto the merchant; understanding what you are signing before you sign it determines your exposure when things go wrong.
  3. Strong Customer Authentication (SCA) under PSD2 affects checkout conversion across the EU; implementation choices have a measurable impact on completed purchases.
  4. PCI-DSS compliance is a contractual obligation in every PSP agreement; non-compliance does not prevent payment processing, but it removes the liability protection that compliance provides when a card data breach occurs.
  5. We advise e-commerce companies on PSP selection, agreement review, chargeback management, SCA implementation, and PCI-DSS compliance across all major payment processing arrangements.

Payment gateway compliance advisory covers the legal, contractual, and technical compliance obligations that arise from accepting card payments and using payment service providers (PSPs). This includes reviewing PSP agreements before signing to identify liability clauses and reserve requirements; implementing Strong Customer Authentication correctly to balance security with checkout conversion; designing a chargeback management framework to handle disputes within PSP deadlines; assessing PCI-DSS compliance obligations for the specific way card payments are processed; and advising on subscription billing compliance under EU consumer law. We provide each of these as standalone advisory engagements or as a combined payment compliance review for businesses launching or auditing their payment setup.

The Payment Compliance Landscape for E-Commerce

Accepting card payments online is not simply a technical integration: it is entry into a contractual and regulatory framework that determines the merchant’s exposure when payments go wrong. Most e-commerce operators sign PSP agreements without reading them in full, implement SCA without understanding how it affects conversion, and discover their PCI-DSS obligations only when they are non-compliant. Payment compliance is one of the most under-resourced areas of e-commerce legal and operational setup.

The PSP agreement: more than a fee schedule

A payment service provider agreement is a commercial contract, but one heavily weighted in favour of the PSP. Liability clauses shift chargeback liability to the merchant above defined thresholds. Reserve clauses allow the PSP to withhold a percentage of settlements for rolling periods, sometimes extending to 180 days after the last transaction. Termination clauses can result in immediate account suspension and withholding of funds if the merchant’s chargeback rate exceeds the PSP’s threshold. Understanding these clauses before signing, not after the first major chargeback wave, is the most cost-effective thing an e-commerce business can do in payment compliance.

SCA: the regulatory framework for authentication

Strong Customer Authentication (SCA) is a requirement of the EU Payment Services Directive 2 (PSD2), implemented in Lithuania through the Law on Payments. SCA requires that most card-not-present transactions are authenticated using at least two of three factors: something the payer knows (PIN, password), something the payer has (phone, card), and something the payer is (biometric). In practice, SCA is implemented through 3D Secure 2 (3DS2). Correctly implementing 3DS2, including using SCA exemptions where appropriate, can reduce authentication friction and improve checkout conversion. Incorrectly implemented SCA increases cart abandonment without improving security.

PCI-DSS: the card industry security standard

PCI-DSS (Payment Card Industry Data Security Standard) applies to any organisation that stores, processes, or transmits cardholder data. For e-commerce merchants, the scope of PCI-DSS depends on how payments are processed: a merchant using a hosted payment page provided entirely by the PSP has a narrower scope than one that customises the payment form or stores card data. PCI-DSS compliance is a contractual requirement in every PSP agreement, but the consequence of non-compliance is not typically immediate termination. The consequence becomes visible when a card data breach occurs: a non-compliant merchant bears full liability for all breach-related costs, while a compliant merchant has substantially reduced liability under the card scheme rules.

Our Payment Gateway Compliance Services

We provide advisory across five service areas, each addressing a distinct compliance dimension of the payment processing framework for e-commerce businesses.

PSP Agreement Review and Selection Advisory

A PSP agreement is a legally binding contract, typically 40–80 pages, that defines the merchant's rights, obligations, and liability exposure in payment processing. Most e-commerce operators accept PSP agreements by clicking through an online sign-up process without reviewing the key clauses. We review PSP agreements before signing, identify the provisions that present material risk, and advise on whether the terms are acceptable or whether an alternative provider offers more favourable conditions.

  • Chargeback liability clauses: confirming at what chargeback rate the merchant bears costs and in what amount
  • Rolling reserve review: confirming whether a reserve applies, the percentage withheld, and the release timeline
  • Termination and suspension clauses: identifying the grounds on which the PSP can suspend processing or withhold funds
  • Prohibited and restricted business clauses: confirming that the merchant's product categories are permitted under the agreement
  • Dispute resolution and appeal procedures: the merchant's rights when the PSP takes adverse action
  • Data handling and liability provisions: how cardholder data is handled and who bears liability for data breaches
  • PSP comparison advisory: comparing the terms of multiple PSPs for a specific e-commerce business profile
  • Renegotiation support: advising on which clauses are negotiable for merchants with leverage (volume, low chargeback history)

Rolling reserve: what it means in practice

A rolling reserve is a percentage of gross sales (typically 5–10%) withheld by the PSP for a specified period (typically 90–180 days) as security against chargeback and fraud losses. For an e-commerce business processing €100,000 per month with a 10% rolling reserve and a 180-day hold, the PSP is permanently holding approximately €60,000 of the merchant's money at any given time. For a new business or a seasonal business, this has significant cash flow implications. We identify rolling reserve provisions before signing and advise on whether the terms are negotiable or whether a different PSP is more appropriate.

Chargeback Management Framework

A chargeback is a reversal of a card transaction initiated by the cardholder's bank, typically following a consumer dispute. Chargebacks cost the merchant the transaction amount plus a chargeback fee, and if the chargeback rate exceeds the card scheme threshold (1% for Visa, 0.9% for Mastercard), the merchant faces penalty programmes that can result in increased fees, monitoring status, and ultimately termination. A documented chargeback management framework reduces both the rate and the financial impact of chargebacks.

  • Chargeback reason code analysis: identifying the predominant reason codes in the merchant's dispute pattern and their root causes
  • Dispute response procedures: step-by-step procedures for responding to chargebacks within the PSP's dispute window (typically 7–20 days)
  • Evidence package template: documenting the standard evidence set for each chargeback reason code (proof of delivery, customer communications, order confirmation)
  • Pre-arbitration strategy: when to accept a chargeback and when to escalate to pre-arbitration; cost-benefit assessment
  • Chargeback prevention measures: identifying upstream changes to reduce the volume of disputes (clearer billing descriptors, proactive customer communication, improved return processes)
  • Fraud monitoring framework: distinguishing between fraud chargebacks (genuine fraud) and friendly fraud (the customer disputes a valid transaction)
  • Visa and Mastercard dispute monitoring programme assessment: confirming whether the merchant is at risk of entering a penalty programme
  • PSP chargeback reporting review: ensuring chargeback data is correctly captured and monitored on an ongoing basis

Chargeback thresholds and penalty programmes

Visa's Dispute Monitoring Programme (VDMP) and Mastercard's Excessive Chargeback Merchant (ECM) programme are triggered when a merchant's monthly chargeback rate exceeds 0.9–1.0% of transactions or when absolute chargeback volumes exceed defined thresholds. Once in a monitoring programme, the merchant faces escalating fees and potential termination if the rate does not reduce. The critical window for intervention is before the threshold is breached, not after the PSP notifies the merchant of programme entry. We advise on chargeback rate monitoring and intervention strategies proactively.

Strong Customer Authentication (SCA) and 3DS2 Implementation

Strong Customer Authentication under PSD2 requires that most online card payments to EU consumers are authenticated with two factors. In practice, this means implementing 3D Secure 2 (3DS2) for card-not-present transactions. The challenge for e-commerce merchants is balancing compliance with conversion: aggressive SCA implementation challenges every transaction, adding friction and increasing cart abandonment. Intelligent use of SCA exemptions (transaction risk analysis, low-value exemptions, trusted beneficiaries) reduces friction for low-risk transactions while maintaining compliance for higher-risk ones.

  • SCA scope assessment: confirming which transactions are subject to SCA requirements and which are exempt
  • 3DS2 implementation review: assessing whether the current 3DS2 integration correctly handles exemptions and the frictionless flow
  • SCA exemption strategy: identifying which exemptions are applicable to the merchant's transaction profile and how to request them
  • Transaction Risk Analysis (TRA): advising on TRA exemption thresholds and PSP-level TRA capabilities
  • Checkout conversion analysis: assessing the impact of the current SCA implementation on cart abandonment rates
  • SCA for recurring and subscription payments: special handling for recurring billing under SCA rules
  • One-leg-out transactions: advising on SCA application where the cardholder's bank is outside the EEA
  • SCA documentation for the payment page: ensuring the checkout page presentation satisfies PSD2 requirements

PCI-DSS Compliance Assessment

PCI-DSS (Payment Card Industry Data Security Standard) applies to every organisation that handles cardholder data. For e-commerce merchants, the scope and complexity of PCI-DSS compliance depends on the payment integration approach used. A merchant using a hosted payment page (HPP) provided entirely by the PSP has the narrowest scope and can self-certify using SAQ A. A merchant with more direct involvement in the payment process has broader scope requirements. We assess the merchant's applicable SAQ type, identify gaps, and advise on the steps to achieve and maintain compliance.

  • SAQ type assessment: confirming which PCI-DSS Self-Assessment Questionnaire applies to the merchant's specific payment integration
  • Scope definition: identifying all systems and processes that are within the merchant's PCI-DSS scope
  • Gap assessment: reviewing current security practices against the applicable SAQ requirements
  • Remediation plan: prioritised actions to close identified gaps and achieve PCI-DSS compliance
  • Annual SAQ completion support: guidance through the SAQ completion process for the applicable questionnaire type
  • Tokenisation advisory: advising on payment tokenisation as a scope-reduction strategy
  • Qualified Security Assessor (QSA) referral: introducing certified QSAs for merchants requiring a formal PCI-DSS assessment
  • PCI-DSS breach liability assessment: advising on the liability implications of a cardholder data breach under the current compliance status

PCI-DSS SAQ types for e-commerce merchants

The SAQ (Self-Assessment Questionnaire) type determines the scope of PCI-DSS requirements for a specific merchant. Most e-commerce merchants fall into one of: SAQ A (hosted payment page provided entirely by the PSP; narrowest scope, roughly 20 questions); SAQ A-EP (payment page partially hosted by the merchant, with JavaScript redirects; broader scope); SAQ D-MER (merchant stores, processes, or transmits card data directly; broadest scope, 300+ questions). The most common configuration for Shopify, WooCommerce, and similar platforms using a hosted payment page is SAQ A. Merchants who customise the payment form, log card data, or use direct API integrations typically have a broader scope. We confirm the correct SAQ type before any compliance work begins.

Subscription and Recurring Billing Compliance

Subscription billing (recurring card charges at defined intervals) is subject to both the PSP's recurring billing requirements and EU consumer protection law's obligations for subscription contracts. The intersection creates a specific compliance challenge: the PSP requires certain authorisation procedures for recurring transactions; EU consumer law requires specific disclosure of the recurring nature, the right to cancel, and advance notice of price changes. Getting either wrong creates operational problems on the payment side or regulatory exposure on the consumer law side.

  • Recurring billing authorisation procedures: confirming the correct initial authorisation flow for subscription billing under PSD2 and card scheme rules
  • Subsequent transaction flagging: ensuring recurring transactions are correctly flagged as MIT (Merchant Initiated Transactions) to the PSP and card schemes
  • Subscription disclosure requirements: confirming EU consumer law disclosure obligations are met on the checkout page and in the terms
  • Free trial to paid conversion: payment authorisation and consumer notification requirements for trial-to-subscription conversion
  • Price increase notification: advance notice obligations under EU consumer law and PSP recurring billing rules
  • Cancellation processing: ensuring cancellation requests result in immediate cessation of further charges; legal consequences of failing to cancel promptly
  • Dunning management: the process for handling declined recurring payments; balancing operational efficiency with consumer law obligations
  • Subscription chargeback management: specific evidence requirements for subscription-related chargebacks

Choosing the Right PSP: Key Factors for Lithuanian E-Commerce

There is no single best PSP for all e-commerce businesses. The right choice depends on transaction volume, average order value, product categories, target geographies, and chargeback history. The table below compares the key factors relevant to Lithuanian e-commerce businesses selecting a primary PSP.

  • Merchant category code (MCC)
    What to look for: confirm the PSP supports your product category without restrictions or additional underwriting
    Risk if ignored: account suspension or immediate termination if the product category is later deemed prohibited
  • Chargeback threshold
    What to look for: the PSP’s internal threshold before monitoring or remediation action; the industry standard is 1%, but PSPs vary
    Risk if ignored: account termination and funds withholding if the threshold is exceeded without prior agreement
  • Rolling reserve terms
    What to look for: whether a reserve applies, the percentage (5–10% typical), and the release timeline (90–180 days typical)
    Risk if ignored: significant cash flow impact for high-volume merchants; the reserve may not be released promptly on account closure
  • Settlement currency and timing
    What to look for: which currencies are settled, at what exchange rate, and how quickly after the transaction date
    Risk if ignored: FX losses and cash flow gaps if settlement terms are less favourable than projected
  • 3DS2 / SCA support
    What to look for: whether the PSP supports full 3DS2 implementation, including exemption handling and TRA
    Risk if ignored: higher cart abandonment if 3DS2 is not properly configured; SCA non-compliance risk
  • Dispute management portal
    What to look for: quality and timeliness of the PSP’s chargeback notification system and response interface
    Risk if ignored: missed dispute windows if notification is slow or the interface is difficult to use
  • Fund withholding rights on termination
    What to look for: how long the PSP can withhold funds after account closure and under what conditions
    Risk if ignored: an extended period of inaccessible funds if the account is terminated with outstanding chargebacks

SCA Exemptions: Reducing Friction Without Reducing Security

PSD2 SCA is not a blanket requirement: it contains a defined set of exemptions that allow transactions to be processed without a full two-factor authentication challenge when specific conditions are met. Correctly using these exemptions reduces checkout friction for low-risk transactions while maintaining SCA for the transactions where it matters most.

Low-value transaction exemption

Transactions below €30 may be processed without SCA, provided the total value of SCA-exempt transactions from that card has not exceeded €100 since the last SCA, and no more than five consecutive contactless or remote transactions have been made since the last SCA. For e-commerce businesses with average order values below €30, this exemption is commercially significant, but the cumulative limits mean it cannot be applied indefinitely to the same card.

Transaction risk analysis (TRA) exemption

PSPs and acquirers may apply for a TRA exemption for transactions that their fraud models assess as low risk. The applicable transaction value threshold depends on the PSP’s or acquirer’s fraud rate: at a fraud rate below 0.13%, TRA exemption can be applied to transactions up to €100; at below 0.06%, up to €250; at below 0.01%, up to €500. This exemption can significantly reduce SCA friction for established merchants with clean fraud records whose PSP supports TRA exemptions. We advise on whether the merchant’s PSP has TRA capabilities and how to request TRA exemptions in the payment flow.

Trusted beneficiary exemption

A consumer can instruct their bank to add a specific merchant to a ‘trusted beneficiaries’ list, exempting future transactions with that merchant from SCA. This exemption is initiated by the consumer rather than the merchant, but merchants can encourage its use for repeat customers, particularly for subscription or membership businesses. The practical value of this exemption is limited by the relatively low consumer awareness of the trusted beneficiary mechanism.

Recurring and MIT exemption

The initial setup of a recurring billing arrangement requires SCA. Subsequent recurring charges at the same amount to the same card are classified as Merchant Initiated Transactions (MIT) and are exempt from SCA. For subscription businesses, this means SCA is only required at sign-up β€” not on each subsequent billing cycle. Correctly flagging subsequent transactions as MIT is a technical requirement that not all payment integrations handle correctly. We review recurring billing setups for correct MIT flagging as part of our subscription billing compliance service.
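The low-value, TRA and MIT rules above can be expressed as one decision routine; the following is an added illustration, not the advisory's own tooling. The per-card counters, the mandate store and the fraud-model verdict are assumed inputs (in practice the issuer and PSP hold them), and the €30 limit is treated as inclusive.

```python
# Added example (not the advisory's own tooling): SCA exemption decision for a
# card-not-present checkout using the thresholds quoted on this page.
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum

class Decision(Enum):
    CHALLENGE = "SCA challenge required"
    LOW_VALUE = "low-value exemption"
    TRA = "transaction risk analysis exemption"
    MIT = "merchant-initiated recurring transaction"

LOW_VALUE_LIMIT, LOW_VALUE_CUMULATIVE, LOW_VALUE_MAX_COUNT = Decimal("30"), Decimal("100"), 5
# (acquirer fraud-rate ceiling in percent, maximum exemptible amount), strictest tier first
TRA_TIERS = [(Decimal("0.01"), Decimal("500")), (Decimal("0.06"), Decimal("250")),
             (Decimal("0.13"), Decimal("100"))]

@dataclass
class CardState:  # counters kept since the card's last SCA (hypothetical issuer-side store)
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0
    mandates: dict = field(default_factory=dict)  # merchant_id -> amount authorised with SCA

@dataclass
class Txn:
    amount: Decimal
    merchant_id: str
    recurring: bool = False  # charge belongs to a subscription series
    low_risk: bool = False   # verdict of the PSP's fraud model (assumed input)

def tra_limit(fraud_rate_pct) -> Decimal:
    """Largest amount the TRA exemption may cover at this acquirer fraud rate (0 = none)."""
    for ceiling, limit in TRA_TIERS:
        if Decimal(fraud_rate_pct) < ceiling:
            return limit
    return Decimal("0")

def decide(txn: Txn, state: CardState, fraud_rate_pct) -> Decision:
    if txn.recurring:
        # Sign-up or a changed amount needs SCA; the same amount again is an MIT.
        if state.mandates.get(txn.merchant_id) == txn.amount:
            return Decision.MIT
        decision = Decision.CHALLENGE
    elif (txn.amount <= LOW_VALUE_LIMIT
          and state.exempt_total + txn.amount <= LOW_VALUE_CUMULATIVE
          and state.exempt_count < LOW_VALUE_MAX_COUNT):
        decision = Decision.LOW_VALUE
    elif txn.low_risk and txn.amount <= tra_limit(fraud_rate_pct):
        decision = Decision.TRA
    else:
        decision = Decision.CHALLENGE
    if decision is Decision.CHALLENGE:  # SCA performed: cumulative counters reset
        state.exempt_total, state.exempt_count = Decimal("0"), 0
        if txn.recurring:
            state.mandates[txn.merchant_id] = txn.amount
    else:  # every exempt payment counts toward the low-value cumulative limits
        state.exempt_total += txn.amount
        state.exempt_count += 1
    return decision

def run_demo(fraud_rate_pct="0.05") -> list:  # constructed sequence on one card
    state = CardState()
    txns = [Txn(Decimal("25"), "shop"),                     # low value
            Txn(Decimal("40"), "shop", low_risk=True),      # TRA: limit is EUR 250 at 0.05%
            Txn(Decimal("20"), "shop"),                     # low value, cumulative now 85
            Txn(Decimal("20"), "shop"),                     # would reach 105: challenge
            Txn(Decimal("9.99"), "saas", recurring=True),   # subscription sign-up: challenge
            Txn(Decimal("9.99"), "saas", recurring=True),   # same amount again: MIT
            Txn(Decimal("12.99"), "saas", recurring=True)]  # price change: challenge
    return [decide(t, state, fraud_rate_pct).name for t in txns]
```

Note that a TRA-exempted payment still counts toward the €100 cumulative limit, which is why the fourth transaction in the sequence is challenged.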

Payment Gateway Compliance Advisory Pricing

Defined advisory engagements are priced at fixed fees. Ongoing compliance monitoring and complex multi-PSP structures are quoted on request after an initial scoping discussion.

Service Price
PSP selection advisory: written recommendation
Assessment of 3–5 PSP options for a specific merchant profile; written recommendation with rationale
€800
PSP agreement review: single provider
Review of key risk provisions with written summary of material clauses and recommendations
€600
PSP agreement comparison: two providers
Side-by-side comparison of two PSP agreements across key risk factors
€900
PSP agreement renegotiation support
Advising on negotiating strategy for key clauses where merchant has leverage
On request
Chargeback management framework
Reason code analysis, response procedures, evidence templates, and prevention recommendations
€900
Chargeback dispute response (single chargeback)
Drafting the evidence package and response narrative for a specific chargeback
€650
Chargeback rate assessment and remediation plan
For merchants approaching or exceeding scheme thresholds; root cause analysis and action plan
€800
SCA implementation review
Assessment of current 3DS2 setup; exemption optimisation recommendations
€700
SCA exemption strategy and implementation guidance
Identifying applicable exemptions and documenting the implementation approach for the PSP
€600
Recurring billing SCA and MIT compliance review
Confirming correct SCA at sign-up and MIT flagging for subsequent transactions
€400
PCI-DSS SAQ type assessment
Confirming the applicable SAQ type and initial scope definition
€600
PCI-DSS gap assessment (SAQ A or SAQ A-EP)
Gap review against applicable SAQ requirements; remediation recommendations
€500
PCI-DSS gap assessment (SAQ D)
Broader scope; quoted based on size and complexity of the cardholder data environment
On request
Annual SAQ completion support
Guidance through the annual SAQ completion process; SAQ A or SAQ A-EP
€550
Subscription billing compliance review
PSP recurring billing requirements + EU consumer law obligations + MIT flagging review
€600
Subscription terms and payment page disclosure review
Ensuring checkout disclosures satisfy both PSD2 and EU consumer law requirements
€400
Full payment compliance review (PSP agreement + chargeback + SCA + PCI-DSS)
Comprehensive review of all four payment compliance areas; saves €400 compared with the individual engagements
€3,000

Full payment compliance review: what’s included

The €3,000 full payment compliance review covers the four dimensions of payment compliance that every e-commerce business needs to address: PSP agreement review (identifying liability and reserve clauses), chargeback management framework (response procedures and prevention measures), SCA implementation review (exemption optimisation), and PCI-DSS SAQ type assessment and gap review. Each area would cost €600–€800 individually; the combined review saves €400 and produces a single integrated action plan across all four areas.

Ready to review your payment compliance setup?

Contact us to discuss your current PSP arrangement, transaction profile, and any chargeback or SCA concerns. We will confirm the most relevant advisory engagement, provide a fixed-fee quote, and deliver the review within 5–7 business days of your instruction.
