Technology has fundamentally changed how businesses, acquiring banks, and card networks work together. The rise of software platforms and online marketplaces has accelerated the change: increasingly, these businesses are connecting buyers and sellers in new ways, adding payments and financial services functionality, and creating new purchase experiences.
In this guide, we’ll explore what a payment facilitator (often abbreviated as payfac or PF) is, examine the considerations and costs of different types of payfac solutions, and identify the best ways to add payments to a platform or marketplace.
If you have any questions or would like to review your specific business model with Stripe, just get in touch — we’d be happy to help.
What is a payment facilitator?
Today, many platforms and marketplaces help merchants accept payments by providing online services for companies of all sizes. Payments functionality has become integral for these platforms to differentiate their product and create stickiness, and merchants using the platform no longer need to establish direct relationships with acquiring banks or payment gateways.
Below are some of the most common types of platforms and marketplaces:
- E-commerce: Platforms, such as Shopify and Squarespace, which help businesses or individuals sell physical goods online.
- Invoicing: Platforms, like Xero and FreshBooks, which help businesses invoice their clients.
- Fundraising: Platforms, such as Blackbaud and Kindrid, which help nonprofits and charities raise money or collect donations.
- Booking: Platforms, like Mindbody and FareHarbor, which facilitate the scheduling of appointments.
- Travel and ticketing: Marketplaces, like Airbnb, which help connect individuals with accommodations and experiences.
- Retail: Marketplaces, such as Tradesy, which help individuals sell to each other.
- On-demand services: A range of services falls into this category, including ride-sharing (e.g., Lyft, Uber), restaurant delivery (e.g., Deliveroo, DoorDash), and professional services (e.g., Handy).
- Other: We’re constantly seeing platforms emerge that are either hybrids or something entirely new, supporting services like online health, pharmacy delivery—and even pet rentals.
While each type of platform or marketplace is different, many have made payments a core part of the customer experience. Increasingly, they’re using payments capabilities to differentiate their offering and brand, strengthen their relationships with their customers, and monetize the transactions on their platforms.
Below, we’ll discuss two models for bringing payments in-house:
- Traditional payfac solutions, which enable platforms to embed card payments into their software
- The Stripe payfac solution, which enables platforms to move faster to embed and monetize payments, and whitelabel other financial services such as issuing cards and loans.
History of payfacs
Traditional payfac solutions were popularized in the late 1990s as a way to help small- and medium-sized businesses accept online payments more easily. Historically, a bank’s onboarding requirements catered to larger businesses that could manage the complex, costly, and time-consuming legacy setup processes. Essentially, these companies had to become experts in payments while also building their core business and product.
The payfac model emerged to give companies that specialized in payments the ability to reduce the complexity of getting started with online payments and offer services to a broader array of businesses, allowing them to focus on their core competencies.
The payfac takes on setting up and managing multiple relationships and systems—the ones the merchant would otherwise need to establish and maintain with each individual party.
How to bring payments in-house
There are two types of payfac solutions. The first type is a traditional payfac solution that involves partnering with an acquiring bank (or an acquirer and payfac vendor) and building out systems for processing, onboarding, risk, and more. This will typically need to be done on a country-by-country basis, and will enable your platform to offer online card payments to your sub-merchants.
The second type is a more modern, technology-first payfac solution from a commerce provider like Stripe. Stripe provides a way for you to whitelabel and embed payments and financial services in your software. You own the payment experience and are responsible for building out your sub-merchant’s experience.
You should ask the following questions before deciding how to bring payments in-house:
- What is my goal for bringing payments in-house? Do I want to improve the customer experience or deepen relationships with customers (adding value to my software), introduce new lines of revenue and increase my valuation, or enable faster expansion to new segments or geographies?
- What does my ideal payments solution look like? Does it include online card payments, in-person point of sale payments, international payments (e.g., iDEAL, Alipay, BECS Direct Debit, and more), or non-card payments like ACH or Apple Pay? Do I also want to add financial services for my customers, like lending, fraud prevention services, and card programs?
- What is my timeline and what is my willingness to invest in payments vs. my core business? To what extent do I want to dedicate the resources of my developers, legal team, and operations teams? Am I ready to build new teams to manage payment and payout systems, merchant onboarding processes, and compliance systems?
- Where does my business operate? Where do I want to offer payments and other financial services today? Where do I plan to expand in the future?
Traditional payfac solutions
Platforms using a traditional payfac solution open a merchant bank account and receive a merchant ID (MID) to acquire and aggregate payments for a group of smaller merchants, typically called sub-merchants. Traditional payfacs have embedded payment systems and register their master MID with an acquiring bank. Sub-merchants, on the other hand, are not required to register their unique MIDs—instead, transactions are aggregated under the payfac’s master MID. This is meant to reduce the complexity that sub-merchants would face when setting up online payments on their own since it eliminates the need for them to establish and maintain relationships with an acquiring bank, payment gateway, and other service providers.
The platform is responsible for the following:
- Controlling who is on the platform: Setting up the right onboarding processes and building trust in those processes.
- Meeting KYC, AML, and OFAC compliance requirements: Ensuring sub-merchants are screened and verified to meet Know Your Customer (KYC) requirements and the US Office of Foreign Asset Control (OFAC) requirements. Monitoring sub-merchant activity to screen for money laundering and terrorist financing. If operating outside the US, there are many other regulations and compliance requirements to consider.
- Auditing account activity on the platform: Putting controls in place to track and mitigate high-risk financial activity on an ongoing basis.
- Maintaining PCI compliance: Ensuring the platform is Payment Card Industry (PCI) compliant and all sub-merchants are accepting payments from customers in a compliant way. To learn more, review our guide to PCI compliance.
Though these four categories are clear, it’s difficult to find a consistent description of a payfac’s granular responsibilities. Each acquiring bank has different rules for registered payfacs, which form a complex web of requirements between card networks and banks. Combined, think of a registered payment facilitator as an entity that handles the relationships with card networks, sub-merchant onboarding, and payment services for merchants. The payfac directly handles paying out funds to sub-merchants.
Most of the requirements for payfacs are enforced by the card networks and acquiring banks. However, regional differences influence how stringently card networks and banks enforce these requirements in the Americas, Europe, and Asia. For example, Visa and Visa Europe are two different entities and have different rules.
Under card network rules, a registered payment facilitator must:
- Conduct due diligence on each sub-merchant.
- Sign a merchant acceptance agreement on behalf of an acquirer.
- Monitor all sub-merchant activity to ensure compliance with network standards.
- Maintain PCI compliance.
- Only use settlement funds to pay sub-merchants.
If a sub-merchant exceeds a certain threshold of transaction volume, the sub-merchant is required to enter into a direct merchant agreement with the acquiring bank.
Traditional payfac solutions require building and investing in multiple systems for payment processing, sub-merchant onboarding, compliance, risk management, payouts, and more. Platforms also have ongoing requirements to maintain their good standing and credit requirements with acquiring banks and card networks.
The Electronic Transactions Association (an advisory organization with members from banks, card networks, and payment processors, also referred to as ETA) strongly recommends engaging industry experts and legal counsel to ensure adherence to laws and guidance that span card networks, acquiring banks, state and federal governments, and global regulatory organizations (e.g., OFAC).
Set up payment systems
- Find an acquiring bank: Platforms must approach acquirers with a business plan in order to establish a partnership and get sponsored to facilitate payments for sub-merchants.
- Integrate payment gateways: Payment gateways provide functionality for sub-merchants to process online payments.
- Obtain Level 1 PCI DSS certification: To ensure the security of sensitive data, the platform is required to be Payment Card Industry Data Security Standard (known as PCI DSS) certified, which may also include Europay, Mastercard, and Visa (EMV or chip) certification if the platform supports in-person transactions.
- Build merchant management: This includes merchant dashboards, payout systems, and dispute management systems to handle chargebacks.
Set up merchant onboarding and compliance systems
- Create underwriting policies and systems to ensure only lawful businesses that comply with card network and acquirer rules are onboarded. The platform’s system and employees will need to do the following:
- Verify identities of sub-merchants, including KYC, ownership structure, and business details.
- Check OFAC and MATCH lists for sub-merchants before onboarding; Mastercard manages the Member Alert to Control High-Risk Merchants (MATCH) list.
- Assess sub-merchant’s financial health and risk, including fraud, credit, financial, compliance, regulatory, or reputational risk.
- To manage and mitigate risk, build systems and internal policies to conduct due diligence. The platform’s system and employees will need to do the following:
- Comply with AML laws by encoding rules and requirements from card networks and regulatory organizations.
- Identify suspicious activities (including indicators of terrorist financing).
- File Suspicious Activity Reports (known as SARs) with the Financial Crimes Enforcement Network (FinCEN) or acquirer, as required.
- Submit registrations and apply for any additional required licenses:
- Register as a payfac with each card network in each country.
- Apply for money transmitter licenses (MTLs) in each state the payfac operates in, if required to support certain fund flows.
- Apply for regional licenses if required. (Brazil, Malaysia, and the EU—to name a few—require separate licenses.)
Manage ongoing processes and systems
- Onboard and underwrite each sub-merchant: Verify the identity, business model, and owner information for each sub-merchant. Set up payment processing for sub-merchants.
- Monitor risk and update risk systems: Perform due diligence, monitor sub-merchant activity on an ongoing basis, and mitigate risk as needed (e.g., apply processing caps, delayed funding, or reserves).
- Prevent and block fraud: Proactively prevent fraud on the platform and block or review suspicious transactions. Best practices include using adaptive machine learning for fraud detection. Submit evidence to card networks when needed for chargebacks on behalf of sub-merchants.
- Pay out funds to sub-merchants: Ensure sub-merchants are paid their earnings on time.
- Reporting and reconciliation: Generate and distribute 1099s or other tax forms as needed annually.
- Maintain PCI DSS compliance: Ensure the platform remains compliant even as data flows and customer experiences evolve. Note that some card networks may require payfacs to submit quarterly or annual reports or complete an annual on-site assessment to validate ongoing compliance.
- Renew payfac registration and licenses: Re-register as a payfac with card networks annually, and update or renew MTLs on the required cadence.
If your platform needs to operate internationally and support sub-merchants in other regions, partnerships with local acquirers, gateways, and other service providers may be necessary. In general, platforms build local systems from scratch in order to adapt to local requirements or support multiple regions.
Governments and regulators may also have different requirements based on geography. The European payments law, known as the second Payment Services Directive or PSD2, introduced major changes that significantly impact multisided platforms, or marketplace businesses, in Europe. Many of these businesses can no longer rely on an exemption from licensing that they availed of previously. Platforms that control the flow of funds need to acquire an e-money license, which can take months and millions of euros to obtain.
Adapt to changing landscapes
The definition of a payment facilitator is still evolving—so is its role. For example, the ETA, published a 73-page report with new guidelines in September 2018. Any investments made now will require updates over time to meet changing regulations and requirements.
The technology landscape is evolving as well: Consider that different providers and vendors may be required to offer solutions for local payment methods (like SEPA, Alipay, or iDEAL), multiple currencies, mobile payments, in-person transactions, billing systems for invoicing or subscription payments, and much more.
Timelines and costs
|Category||Description||Minimum time required||Approximate minimum cost|
|Payment systems setup|
Put a strong business plan in place and potentially hire a consultant to assist
Hire a payments attorney
|3–6 months||Varies by acquirer|
|Payment gateways||Negotiate, contract with, and integrate payment gateways||1–4 months||Varies by gateway, but typically a combination of fixed and per transaction fees|
|PCI compliance (and EMV certification, if needed)||Validate Level 1 PCI DSS compliance (includes on-site auditor visit)||3–5 months||€50,000–€500,000|
|Merchant management system|
Build merchant dashboards
Build merchant payout systems
Build dispute management systems for different card networks
|6–12+ months||€600,000+ (minimum 4 FTEs at €150,000 per year)|
|Merchant onboarding and compliance systems setup|
Encode card network requirements
Build data retention and privacy systems
|2–8 months||€300,000+ (minimum 2 FTEs at €150,000 per year)|
Integrate with ID verification providers
Build risk-scoring systems
|Optionally, use a third-party vendor:|
|Third-party vendor||Select, contract with, and integrate third-party vendor systems||3–6 months||€150,000–€250,000 per year|
|Registrations and obtaining licenses|
|License fees and regulatory registrations|
Initial fees paid to Visa (€5,000) and Mastercard (€5,000)
MTLs required when payfac controls fund flows (€150,000/year for approximately 3 years to set up 50 states = €450,000 minimum)
International licenses (e.g., EU e-money license) if needed
Network fees: €10,000
US and international licenses: >€1,000,000
|Category||Description||Approximate minimum cost|
|Merchant onboarding and monitoring|
One-time fees include €1–€2 for onboarding and initial risk review and €2–€3 for ID verification
Ongoing monitoring system
|€5 per month per account|
|Risk monitoring and mitigation|
Due diligence and risk management to ensure all sub-merchants stay in compliance
Update risk systems on regular cadence
Maintain platform-level balances or reserves on sub-merchants to protect against credit risk
|€250,000+ per year (1 FTE at €150,000 per year and 1 risk analyst at €100,000 per year)|
|Fraud prevention||Operate or integrate with third-party systems to prevent and block fraud||€0.04–€0.10 per transaction|
|Chargeback management||Handle chargeback and evidence submission||€15 per dispute|
|Payouts and funds routing||Ensure merchants get paid out on the right schedule||€0.25 per transaction|
|Reporting and reconciliation|
Generate and distribute 1099s or other tax forms as required (1099s cost as little as €5 per form to generate, but can incur up to €250 in fees if filed incorrectly)
Run platform-level financial close processes and financial audits as needed
€5–€255 per form
€100,000 per year (1 finance FTE)
|Annual PCI validation||Validate Level 1 PCI DSS compliance every year and re-validate any time changes are made to payment flows throughout the year||€200,000+ per year|
|Renew payfac registration (and other licenses, if needed)|
Re-register as a payfac with Visa and Mastercard (€5,000 per year each)
Renew money transmission licenses every 2 years