Most platforms researching payfac compliance start with PCI and assume that is the whole picture. It is not. Becoming a payment facilitator means stepping into the role an acquiring bank used to play for your merchants, and that role comes with a set of obligations that is wider, more continuous and more consequential than a single certification. Underestimating that set is the most common way platforms get surprised after they commit.
Payfac compliance means taking on the obligations an acquiring bank used to carry: PCI DSS Level 1, sub-merchant underwriting and KYC, ongoing transaction and risk monitoring, sanctions and AML screening and the fund-flow and reporting rules your sponsor bank enforces. It is continuous operational work, not a one-time certification you pass and forget.
Payfac compliance is broader than PCI
When you become a payment facilitator, you inherit the obligations an acquirer used to hold for your merchants. Those obligations are ongoing, they are audited and your sponsor bank holds you accountable for every one of them. PCI is the piece everyone knows about. Here is what the full set actually looks like.
1. PCI DSS Level 1
As a payfac you are a service provider handling card data at volume, which puts you at PCI DSS service provider Level 1, the most stringent tier, and sponsor banks typically require Level 1 validation from a payfac regardless of where the volume thresholds would place you. That means an annual on-site assessment by a Qualified Security Assessor, quarterly external vulnerability scans by an Approved Scanning Vendor and a continuous obligation to keep your cardholder data environment accurately scoped, segmented and attested. This is foundational and non-negotiable, and we cover it in depth in PCI compliance for SaaS platforms.
2. Sub-merchant underwriting and KYC/KYB
You are now the entity deciding which merchants get to process, which means you own underwriting. Before a sub-merchant is boarded you have to verify the business and its beneficial owners (KYB and KYC), assess the risk it represents and document that decision. This is not a one-time check at signup. You are expected to keep the picture current, and how you build this directly shapes merchant onboarding: the same flow that has to feel fast to the merchant has to satisfy your sponsor's underwriting standard.
The card networks do not see your sub-merchants. They see you. Every merchant you board is a risk you have underwritten and now carry.
3. Transaction and risk monitoring
A payfac is required to monitor transactions on an ongoing basis for fraud, money laundering and merchant behavior that breaches the rules. That means systems and, past a certain size, people watching for anomalies, excessive chargebacks, prohibited business types and sudden volume changes. The networks set thresholds, and breaching them carries fines that land on you, not the merchant.
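As an added example, not code from the original page or from any provider it discusses, the rule logic such monitoring starts with, run over constructed sample transactions: a trailing-window chargeback ratio per sub-merchant, a same-day volume spike against a trailing baseline, and a minimum-activity floor so that a brand-new merchant with one dispute is not flagged on a 20% ratio computed from five sales. The thresholds, the Event record and the merchant ids are assumptions for illustration; the real limits come from your sponsor and the networks, and a production system would also watch prohibited business types, refund ratios and per-card velocity.

```python
"""Added example: rule-based sub-merchant monitoring over constructed sample data.
Thresholds, merchant ids and the Event record are assumptions for illustration,
not rules taken from any card network or sponsor."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed thresholds (illustrative only; take the real ones from your sponsor).
CHARGEBACK_RATIO_LIMIT = 0.01   # chargebacks / sales count over the window
MIN_SALES_FOR_RATIO = 100       # do not flag a tiny merchant on one dispute
VOLUME_SPIKE_MULTIPLIER = 3.0   # as-of-day volume vs trailing daily average
MIN_BASELINE_DAYS = 5           # need this many active prior days to judge a spike


@dataclass(frozen=True)
class Event:
    merchant_id: str
    day: date
    kind: str            # "sale" or "chargeback"
    amount_cents: int


AS_OF = date(2024, 3, 31)   # constructed reference date for the sample


def build_sample_events():
    """Constructed sample events, not real transactions."""
    events = []
    # Healthy merchant: 20 sales a day for 30 days, one chargeback.
    for d in range(30):
        events += [Event("m_steady", AS_OF - timedelta(days=d), "sale", 4000)] * 20
    events.append(Event("m_steady", AS_OF - timedelta(days=5), "chargeback", 4000))
    # Dispute problem: 150 sales over the window and 3 chargebacks (2%).
    for d in range(30):
        events += [Event("m_disputes", AS_OF - timedelta(days=d), "sale", 2500)] * 5
    for d in (2, 9, 16):
        events.append(Event("m_disputes", AS_OF - timedelta(days=d), "chargeback", 2500))
    # Volume spike: 10 sales a day for a week, then 100 on the as-of day.
    for d in range(1, 8):
        events += [Event("m_spike", AS_OF - timedelta(days=d), "sale", 5000)] * 10
    events += [Event("m_spike", AS_OF, "sale", 5000)] * 100
    # Tiny merchant: 5 sales and one dispute, a 20% ratio on far too few sales to judge.
    events += [Event("m_tiny", AS_OF - timedelta(days=3), "sale", 1000)] * 5
    events.append(Event("m_tiny", AS_OF - timedelta(days=1), "chargeback", 1000))
    return events


def chargeback_ratio(events, merchant_id, as_of, window_days=30):
    """Return (sales, chargebacks, ratio) for the merchant over the trailing window."""
    start = as_of - timedelta(days=window_days - 1)
    in_window = [e for e in events
                 if e.merchant_id == merchant_id and start <= e.day <= as_of]
    sales = sum(1 for e in in_window if e.kind == "sale")
    chargebacks = sum(1 for e in in_window if e.kind == "chargeback")
    return sales, chargebacks, (chargebacks / sales if sales else 0.0)


def volume_ratio(events, merchant_id, as_of, baseline_days=7):
    """Return (as_of_cents, baseline_avg_cents, multiple), or None when the merchant
    has too few active prior days to form a baseline."""
    per_day = defaultdict(int)
    for e in events:
        if e.merchant_id == merchant_id and e.kind == "sale":
            per_day[e.day] += e.amount_cents
    prior = [per_day[as_of - timedelta(days=d)] for d in range(1, baseline_days + 1)]
    active = [v for v in prior if v > 0]      # zero days are skipped, not averaged in
    if len(active) < MIN_BASELINE_DAYS:
        return None
    baseline = sum(active) / len(active)
    today = per_day[as_of]
    return today, baseline, today / baseline


def evaluate(events, as_of):
    """Run both rules over every merchant; return (merchant_id, rule, value) alerts."""
    alerts = []
    for mid in sorted({e.merchant_id for e in events}):
        sales, chargebacks, ratio = chargeback_ratio(events, mid, as_of)
        if sales >= MIN_SALES_FOR_RATIO and ratio > CHARGEBACK_RATIO_LIMIT:
            alerts.append((mid, "chargeback_ratio", round(ratio, 4)))
        vol = volume_ratio(events, mid, as_of)
        if vol is not None and vol[2] >= VOLUME_SPIKE_MULTIPLIER:
            alerts.append((mid, "volume_spike", round(vol[2], 2)))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(build_sample_events(), AS_OF):
        print(alert)
```

Two design points matter more than the rules themselves. The minimum-sales floor is what keeps the alert queue from filling with new merchants who had one dispute, and the baseline that skips inactive days is what stops a weekend-only merchant from looking like a spike every Monday. Both are places where a naive implementation produces noise that analysts learn to ignore, which is worse than no monitoring at all.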
4. Sanctions, OFAC and AML
You have to screen merchants and, where applicable, transactions against sanctions and watch lists, which in the US means OFAC, and maintain an anti-money-laundering program appropriate to your volume. This is a hard regulatory line, not a network guideline, and getting it wrong is the kind of failure that ends programs rather than fining them.
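The matching core of a screening step, as an added example that is not code from the original page or any vendor it mentions: names are normalized (accents stripped, case folded, punctuation and corporate suffixes dropped, tokens sorted) before a similarity score is computed against each list entry and its aliases, so that "Petrov, Ivan", "Iván Petrov" and "GLOBAL TRADE HOLDINGS, LIMITED" all hit while an unrelated name does not. The watch-list entries, their ids and the threshold are constructed assumptions, not data from OFAC or any real list; a real program screens against the published lists, uses the secondary identifiers they carry (dates of birth, addresses, programs) to clear false positives and records every decision for audit.

```python
"""Added example: name screening against a constructed watch list.
The entries, ids and threshold are illustrative assumptions, not real list data."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch-list entries for illustration only.
WATCH_LIST = [
    {"id": "WL-0001", "name": "Global Trade Holdings Ltd", "aliases": ["GTH Ltd"]},
    {"id": "WL-0002", "name": "Ivan Petrov", "aliases": ["Ivan Petroff"]},
]
# Corporate suffixes and filler that should not drive a match either way.
STOPWORDS = {"ltd", "limited", "llc", "inc", "corp", "corporation", "co", "company", "the"}
MATCH_THRESHOLD = 0.85   # assumed; tune against your own false-positive budget


def normalize(name):
    """Strip accents, case-fold, drop punctuation and suffixes, sort tokens so that
    'Petrov, Ivan' and 'Ivan Petrov' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [t for t in re.split(r"[^a-z0-9]+", ascii_name.casefold())
              if t and t not in STOPWORDS]
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Character-level similarity of the two normalized names, 0.0 to 1.0."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(name, threshold=MATCH_THRESHOLD):
    """Return [(entry_id, best_score)] for every entry whose name or any alias scores
    at or above the threshold, strongest match first."""
    hits = []
    for entry in WATCH_LIST:
        candidates = [entry["name"], *entry["aliases"]]
        best = max(similarity(name, c) for c in candidates)
        if best >= threshold:
            hits.append((entry["id"], round(best, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for query in ["GLOBAL TRADE HOLDINGS, LIMITED", "Petrov, Ivan", "Iván Petrow", "Acme Bakery"]:
        print(query, "->", screen(query))
```

The threshold is the policy decision: lowering it catches more transliteration variants and raises the manual review load, and whatever value you pick should be documented and defended to your sponsor along with the clearing procedure for hits.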
5. Fund flow, settlement and reporting rules
How money moves through a payfac is tightly governed. There are rules on how quickly you settle to sub-merchants, how you handle reserves, how funds are held and segregated and what you report to your sponsor bank and the networks. Your sponsor will hold you to specific settlement and reporting cadences, and your fund-flow design has to satisfy them before a single transaction clears.
Who actually carries this: managed payfac vs full payfac
This is the part that decides whether the obligations above are a reason to pause or a reason to choose a different model. In a full payfac, you carry all of it directly. In a managed payfac or PayFac-as-a-service arrangement, the provider absorbs a large share of it (the PCI scope, much of the monitoring infrastructure, parts of underwriting) in exchange for a cut of the economics. Neither is free and neither is right for everyone. The trade is real, and it is the same trade running underneath becoming a payment facilitator and the broader payfac vs ISV decision.
The honest question
Payfac compliance is not a checklist you complete. It is an operational function you stand up and run for as long as you are a payfac, with real headcount and real liability behind it. For some platforms the economics clearly justify owning it. For many, a managed model captures most of the upside without the obligation. The right answer depends on your volume, your risk appetite and how much of this you actually want to build. If you are weighing it, that is the conversation worth having before you commit, not after.