Name: Merchant BNPL Integration Compliance Mapper — AINumbers.co
Author: Post Oak Labs

Merchant BNPL Integration Compliance Mapper

Generate a tailored compliance obligation map for merchants integrating BNPL at checkout. Covers PCI DSS scope determination by integration method, per-jurisdiction regulatory disclosure requirements, and checkout UX standards. Outputs a prioritised checklist and downloadable Markdown integration guide.

PCI DSS v4.0 FCA Fin. Promotions EU CCD2 CFPB Reg Z Advertising Markdown Export v1.0

Source Notes & Regulatory Citations

PCI DSS v4.0 (March 2022) — PCI Security Standards Council. SAQ A: card-not-present merchants that outsource all cardholder data functions. SAQ A-EP: e-commerce merchants using third-party payment pages with scripts on their own pages. Requirement 6.4.3: management of all payment page scripts loaded in consumer browsers.
PCI DSS v4.0 Req. 12.8 — Third-Party Service Provider (TPSP) management. Merchants must maintain a register of TPSPs, obtain written acknowledgement of PCI DSS responsibility, and monitor compliance status annually.
FCA Financial Services and Markets Act 2000, s.21 — restriction on financial promotions. Any communication inviting or inducing a person to enter into a consumer credit agreement must be approved by an FCA-authorised person or issued by one.
FCA Consumer Credit sourcebook (CONC) 3.3 — financial promotions must be fair, clear and not misleading. CONC 3.5.5 — representative APR must be displayed in any promotion that includes specific credit terms or payment amounts. FCA PS24/3 — Consumer Duty application to BNPL financial promotions from July 2026.
Directive 2023/2225/EU (CCD2) Art. 13 — obligation to inform consumer about BNPL at point of sale. Art. 10 — SECCI must be made available. Recital 29 — BNPL must not be presented as 'free' if charges may arise. Active affirmative consent required; pre-ticked BNPL boxes prohibited.
12 CFR 1026.24 (Regulation Z) — BNPL advertising requirements. Advertising a specific payment amount ("4 payments of $X") triggers full disclosure of APR, total amount, and payment schedule per § 1026.24(d). CFPB interpretive rule (May 2024): 4-installment BNPL classified as closed-end credit.
FCA Consumer Duty (PS22/9) — effective July 2023. Applies to all consumer-facing communications including BNPL checkout flows. Merchants acting as distribution chain must ensure outcomes are fair. Product governance obligations apply from July 2026 to newly regulated BNPL.
Dark patterns in consumer finance: FCA DP22/2 (Consumer Duty); CFPB Circular 2022-04 (UDAAP); EU Unfair Commercial Practices Directive 2005/29/EC. Pre-selected BNPL, misleading countdown timers, and hiding total repayable cost are cited as unfair design practices.
Methodology: compliance items generated deterministically from four merchant profile inputs. Priority levels: High (regulatory breach risk), Medium (best practice / enforcement focus), Low (standard hygiene). Client-side. Zero PII.