Becoming a payment facilitator (payfac) means registering with the major card networks so you can board sub-merchants under your own master merchant account, process their transactions, and handle their payouts. It gives you control over the payments experience and lets you earn revenue on every transaction your sub-merchants process. But it requires significant capital, technical infrastructure, compliance capabilities, and an ongoing commitment to risk management. Here’s what the process actually looks like.
What a PayFac Actually Does
A traditional merchant gets its own merchant account and merchant ID (MID) through an acquiring bank. A payfac sits between the acquiring bank and the merchants it serves. You hold a single master merchant account, then onboard smaller businesses as “sub-merchants” underneath it. You handle their applications, underwrite them, monitor their transactions for fraud and chargebacks, and settle funds to them.
This model is what powers platforms like Shopify Payments and Square. The appeal is straightforward: you control the merchant experience from signup to settlement, you earn a margin on every transaction, and you can board new merchants in minutes instead of days. The tradeoff is that you’re financially liable for every sub-merchant on your platform. If one of them commits fraud, goes bankrupt, or racks up chargebacks, those costs fall on you.
Registration With Card Networks
You must register as a payment facilitator with each card network you plan to support, primarily Visa and Mastercard. Registration happens through a sponsoring acquiring bank, not directly with the networks. The acquirer reviews your business model, financials, and compliance readiness before agreeing to sponsor you.
Each card network charges an initial registration fee. Estimates vary by source, with figures typically cited in the range of $5,000 to $10,000 per network. Annual renewal fees run in that same range per network. Beyond registration fees, you’ll pay standard interchange and assessment fees on every transaction, plus any fees your sponsoring acquirer charges.
Finding a sponsoring acquirer can be the hardest part of the process. Banks are selective because they share liability for your sub-merchants. Expect them to scrutinize your balance sheet, your team’s payments experience, your technology stack, and your risk management plan before agreeing to sponsor you.
Technical Infrastructure You’ll Need
Running a payfac requires building or licensing a payments platform that can handle several core functions: sub-merchant onboarding and application processing, transaction routing and authorization, settlement and fund disbursement, chargeback and dispute management, and reporting dashboards for both you and your sub-merchants.
PCI DSS (Payment Card Industry Data Security Standard) certification is mandatory. As a payfac handling card data at scale, you’ll need to meet the highest applicable compliance tier, which involves an annual on-site audit by a Qualified Security Assessor. PCI compliance alone can cost tens of thousands of dollars per year between the audit itself, penetration testing, and the engineering work to maintain a secure environment.
You’ll also need integration with the Visa Merchant Screening Service (VMSS) or equivalent tools from other networks. Before boarding any sub-merchant, you’re required to check whether they’ve been previously terminated for cause by another processor. Building automated screening into your onboarding flow is not optional.
Sub-Merchant Onboarding and Underwriting
Every sub-merchant you board must go through an underwriting process. Visa’s rules require you to have “sound merchant underwriting policies” and to collect both public and non-public information about each applicant. In practice, this means verifying the business’s identity, its owners’ identities, its financial standing, and the legitimacy of its products or services.
You must execute a written merchant agreement or payment service agreement with each sub-merchant that includes terms and conditions outlined in the card network rules. This contract governs how transactions are processed, how funds are settled, and what happens when disputes arise.
Your underwriting process must comply with Anti-Money Laundering (AML) laws and Know Your Customer (KYC) requirements. AML rules are designed to prevent criminals from using payment systems to move illicit funds. KYC means verifying that merchants are who they claim to be. These aren’t suggestions; they’re legal obligations that apply in virtually every jurisdiction.
If you plan to auto-board merchants (approving them instantly or near-instantly), the card networks require you to follow specific best practices for automated onboarding. Fast boarding is one of the main advantages of the payfac model, but it doesn’t mean you can skip due diligence. You need automated systems that verify business data, screen against watchlists, and flag high-risk applications for manual review.
Ongoing Risk Monitoring
Once sub-merchants are live, your obligations don’t end. You must continuously monitor transactions and behavior across your entire portfolio. Visa’s risk guide specifies monitoring at minimum a long list of velocity parameters for each sub-merchant, including monthly sales volume, average transaction size, refund ratios, chargeback counts and amounts, fraud rates, the ratio of card-not-present to card-present sales, and cross-border transaction ratios.
You’re also required to monitor your sub-merchants’ websites on an ongoing basis, screening for signs of illegal activity, transaction laundering (where a merchant processes payments for an undisclosed business), or deceptive marketing. When any sub-merchant exceeds your velocity thresholds or triggers unusual activity alerts, you must investigate and take action, which can mean holding funds, suspending the account, or terminating the relationship.
This monitoring requires dedicated risk operations staff, automated alert systems, and clear escalation procedures. For many payfacs, the risk team becomes one of the largest ongoing operational costs.
Total Cost and Timeline
The full cost of becoming a payfac from scratch is substantial. Between card network registration fees, technology development or licensing, PCI compliance, legal and regulatory work, and staffing a risk and operations team, the upfront investment commonly runs from several hundred thousand dollars into the millions. Ongoing costs include annual network renewal fees, PCI audits, technology maintenance, and the operational staff to manage underwriting, disputes, and risk monitoring.
Timeline varies widely depending on your starting point. If you’re building the technology in-house, expect 12 to 18 months or more from the decision to launch. If you’re licensing an existing platform, you might compress that, but you’ll still need months to secure a sponsoring acquirer, complete registration, and build out your compliance and operations functions.
PayFac-as-a-Service: The Alternative Path
Not every company that wants payfac-like capabilities needs to become a full payfac. PayFac-as-a-service (PFaaS) is a model where a third-party provider supplies the payment infrastructure, compliance framework, and card network registrations while you maintain control over the merchant experience. You get many of the benefits of being a payfac, like fast onboarding and revenue from transaction fees, without building and maintaining the entire stack yourself.
The key difference is liability and control. With a full payfac setup, you own the compliance policies, the risk monitoring, and the relationship with the acquiring bank. With PFaaS, the provider handles much of that burden. You give up some margin and some control in exchange for dramatically lower upfront costs and faster time to market.
The revenue potential of embedded payments is significant either way. Industry data suggests that embedding financial services can grow revenue per customer two to five times compared to traditional software-only models. As you expand beyond basic payment processing into services like merchant lending, card issuing, or faster payouts, the revenue opportunity grows further.
Deciding If Full PayFac Registration Makes Sense
Becoming a full payfac is typically worth it when you’re processing enough volume to justify the infrastructure costs, when you need deep control over the payments experience, and when the margin you’d capture on transactions significantly exceeds what you’d earn through a managed service. Companies processing tens of millions of dollars annually through hundreds or thousands of sub-merchants are the natural fit.
If you’re earlier stage, processing lower volumes, or don’t have payments expertise on your team, a PFaaS model lets you start earning payments revenue now while preserving the option to bring more in-house later. Many successful payfacs started this way, proving out their business model before investing in full registration.