Compliance is the part of payment systems that determines whether you can ship. Agent-initiated payments don't change PCI scope much but add new questions around consent, identity, and authorization that regulators are still catching up to. Knowing the landscape avoids the expensive surprise.
PCI DSS — card data handling
If your systems store, process, or transmit raw card numbers (PANs), you're in PCI DSS scope: hundreds of pages of requirements, and for high-volume merchants an annual on-site assessment. Avoidance is the strategy: let the processor collect the card through a hosted page, redirect, or iframe (Stripe Checkout/Elements, Adyen Drop-in, Braintree Hosted Fields) and hand you back a token. Your app only sees tokens; the processor handles raw data. Done properly, that drops your validation from a full assessment (SAQ D, or a Report on Compliance for a Level 1 merchant) to the short SAQ A (SAQ A-EP if your own page builds the card form). Note that tokenization doesn't change your merchant level, which is set by transaction volume; it changes how much of the standard applies to you. It also only holds if raw PANs genuinely never reach your servers, logs, or error reports, so enforce that at the boundary rather than assuming it.
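The enforcement step above, as an added example (not code from the original page or from any processor's SDK): a PAN detector using length plus a Luhn checksum, a redactor for log lines, and a boundary check that rejects any request body carrying a raw card number instead of a processor token. The regex, the `pm_` token shape, and the sample inputs are constructed for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated one at a time by a space or dash,
# not embedded in a longer digit run. Constructed for this example; tune for your traffic.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum over a string of ASCII digits, as used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Digit strings in text that look like real PANs: right length and Luhn-valid."""
    return [
        _digits(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits(m.group(0)))
    ]


def redact_pans(text: str) -> str:
    """Mask anything PAN-like down to its last four digits. Use on log lines and error bodies."""
    def _mask(m):
        d = _digits(m.group(0))
        return "*" * 4 + d[-4:] if luhn_ok(d) else m.group(0)
    return _PAN_CANDIDATE.sub(_mask, text)


class RawCardDataError(ValueError):
    """Raised when a request carries a raw PAN instead of a processor token."""


def assert_tokenized(payload: dict) -> dict:
    """Reject a request body that contains a raw PAN anywhere in its string values.

    Call this at the API boundary before anything is logged or persisted: a
    processor-issued token (a hypothetical 'pm_...' id here) passes, a card number does not.
    """
    stack = [payload]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, (list, tuple)):
            stack.extend(node)
        elif isinstance(node, str) and find_pans(node):
            raise RawCardDataError("raw card number in request; send a processor token")
    return payload
```

The Luhn filter removes most false positives (order numbers, timestamps), not all of them; a random 16-digit string passes one time in ten, so treat a hit as "investigate", not "PCI breach". Wire `redact_pans` into your logging formatter and `assert_tokenized` into the request pipeline ahead of any middleware that logs bodies.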
GDPR and consent
User consent for agent-initiated payments must be freely given, specific, informed, and unambiguous, and for an agent spending on the user's behalf you want it explicit: pre-checked boxes and consent buried in the terms of service don't count. Withdrawal must be as easy as granting. Keep GDPR consent (the lawful basis for processing the user's personal data) distinct from the payment mandate (the authorization for the agent to spend); you will usually collect both on one screen, but they are separate obligations with separate records. The consent record (timestamp, scope, terms version, what the user was actually shown) is itself personal data and is your evidence in a dispute, so protect both its confidentiality and its integrity.
Strong Customer Authentication (SCA)
EU PSD2 requires SCA for most online payments the customer initiates: two of three independent factors (something you know, have, are). Charges against a stored card are out of SCA scope when they are merchant-initiated transactions (MITs): the customer isn't present, so there is nobody to authenticate. That only holds if the card was set up with SCA in the first place and each later charge stays inside what the customer agreed to (merchant, amount ceiling, frequency, duration). An agent buying on the user's behalf is the awkward case, since the user is arguably "present" through the agent. Get the initial authentication and the mandate scope right; subsequent charges reference that mandate.
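The consent record and the mandate scope check from the two sections above, as one added example (not code from the original page, and not any processor's API): a mandate record with an HMAC integrity tag over every field, creation that refuses to proceed without an SCA result from the setup step, single-call withdrawal, and an authorization check that an agent-initiated charge stays inside the authorized merchant, currency, amount ceiling, and validity window. The field names, the `sca_reference` value, the signing key, and the sample values are all constructed for this example.

```python
import hashlib
import hmac
import json
import uuid
from dataclasses import asdict, dataclass, replace
from typing import Optional, Tuple

# Server-side key for the integrity tag on stored mandates. Constructed for this example;
# in production it lives in a KMS/HSM and is rotated, with a key id stored beside the tag.
MANDATE_MAC_KEY = b"example-mandate-mac-key-rotate-me"


@dataclass(frozen=True)
class Mandate:
    """What the user authorized the agent to do, and the consent evidence behind it."""
    mandate_id: str
    user_id: str
    agent_id: str
    merchant_id: str          # the only payee this mandate covers
    max_amount_minor: int     # per-charge ceiling in minor units (e.g. cents)
    currency: str
    granted_at: float         # epoch seconds; when the user gave consent
    expires_at: float
    terms_version: str        # which consent text the user actually saw
    sca_reference: str        # reference to the SCA result at setup (hypothetical field)
    withdrawn_at: Optional[float] = None


def _canonical(m: Mandate) -> bytes:
    # Sorted keys and no whitespace so the same record always serializes identically.
    return json.dumps(asdict(m), sort_keys=True, separators=(",", ":")).encode()


def tag(m: Mandate) -> str:
    """HMAC-SHA256 integrity tag over the whole record, including withdrawn_at."""
    return hmac.new(MANDATE_MAC_KEY, _canonical(m), hashlib.sha256).hexdigest()


def verify_tag(m: Mandate, t: str) -> bool:
    return hmac.compare_digest(tag(m), t)


def grant_mandate(*, user_id, agent_id, merchant_id, max_amount_minor, currency,
                  granted_at, ttl_seconds, terms_version, sca_reference) -> Tuple[Mandate, str]:
    """Create a mandate. Refuses to exist without an SCA result from the setup step."""
    if not sca_reference:
        raise ValueError("mandate setup requires a completed SCA; later charges depend on it")
    if max_amount_minor <= 0 or ttl_seconds <= 0:
        raise ValueError("mandate scope must be bounded in amount and time")
    m = Mandate(
        mandate_id=str(uuid.uuid4()), user_id=user_id, agent_id=agent_id,
        merchant_id=merchant_id, max_amount_minor=max_amount_minor, currency=currency,
        granted_at=granted_at, expires_at=granted_at + ttl_seconds,
        terms_version=terms_version, sca_reference=sca_reference,
    )
    return m, tag(m)


def withdraw(m: Mandate, t: str, at: float) -> Tuple[Mandate, str]:
    """Withdrawal is one call with no extra conditions (GDPR: as easy as granting)."""
    if not verify_tag(m, t):
        raise ValueError("mandate record failed integrity check")
    m2 = replace(m, withdrawn_at=at)
    return m2, tag(m2)


def authorize_charge(m: Mandate, t: str, *, merchant_id: str, amount_minor: int,
                     currency: str, now: float) -> Tuple[bool, str]:
    """Decide whether an agent-initiated charge is inside the mandate. Returns (ok, reason)."""
    if not verify_tag(m, t):
        return False, "integrity"
    if m.withdrawn_at is not None:
        return False, "withdrawn"
    if now >= m.expires_at:
        return False, "expired"
    if merchant_id != m.merchant_id:
        return False, "merchant"
    if currency != m.currency:
        return False, "currency"
    if amount_minor <= 0 or amount_minor > m.max_amount_minor:
        return False, "amount"
    return True, "ok"
```

The HMAC gives tamper evidence, not rollback protection: someone with write access to the store could restore the older, still validly tagged record from before withdrawal. Cover that with append-only storage or a version counter on the record, and keep the reason string from `authorize_charge` in your audit log so a disputed charge can be traced to the exact check that passed or failed.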
Regional KYC and AML
Marketplaces that hold or move funds between buyers and sellers are 'money transmitters' (or the local equivalent) in many jurisdictions, with licensing obligations attached. Two duties follow. KYC (Know Your Customer) on the merchants you onboard: identity verification, beneficial ownership, sanctions list screening. AML (Anti-Money Laundering): transaction monitoring, suspicious activity reporting. Compliance partners (Stripe Connect for merchant onboarding and payouts, Plaid Identity Verification for identity checks) take on much of the work, and depending on the account model the partner may be the regulated party, but read the contract for which obligations stay with you; the reporting duty and the reputational risk don't go away because a vendor runs the checks.
Agent-specific gray areas
Regulators are still catching up. Open questions: is an agent's purchase customer-initiated (SCA applies) or merchant-initiated (out of scope), and does a standing agent mandate count as a 'recurring' series or a run of 'one-time' transactions (this decides which SCA exemptions you can claim)? Who is the customer of record for refunds and chargebacks, the user or the agent operator? Document your interpretation, watch for guidance, and build so that you can change it when the rules clarify; keeping mandate scope and consent records explicit rather than implicit is what makes that change cheap.