
The Merchant Acquirer Compliance Manager's Card-Brand and Money-Transmitter Evidence Playbook

$199.00

A focused course, tailored for you


A working method for the compliance manager who has to keep PCI DSS, Nacha, OFAC, state MTL, and card-brand mandates audit-ready inside one merchant acquirer at the same time.

Five regulators and rule-setters want overlapping evidence from the same control set, and the compliance manager seat is the only place in a US merchant acquirer where all five examiner cycles land in the same quarter.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Inside a US merchant acquirer the compliance manager carries PCI DSS scope and QSA readiness, Nacha operating rules including the WEB-debit and account-validation amendments, Visa and Mastercard registration and mandate cycles, OFAC sanctions screening and 314(a) responses, FFIEC BSA/AML expectations, state money-transmitter license examiner cycles across forty-plus jurisdictions, Reg E error-resolution timelines, and CFPB supervisory letter responses. Every one of those bodies asks for evidence that overlaps the others: the same OFAC screening logs feed BSA/AML exams and state MTL exams, the same access-control records feed PCI DSS and Reg E error-resolution audits, the same vendor-risk reviews feed card-brand mandates and FFIEC TPRM expectations.

The failure mode is having one evidence binder per regulator, maintained by a different team, refreshed at different cadences, with different field definitions. When the QSA arrives for the v4 ROC interview, the PCI binder is current but the OFAC screening sample it asks for sits in the BSA team's SharePoint at a different cut-off date. When the state MTL examiner asks for transaction-monitoring rule changes since last exam, the AML team's tracker shows them but the card-brand registration team made independent rule changes that never made it to the same tracker. The compliance manager spends two weeks per exam reconciling answers across teams that all believed they were giving the right answer.

The course teaches how to collapse that into one evidence library with one source of truth per artefact, mapped once to every framework that asks for it, so the next QSA, the next state examiner, the next Nacha rules-compliance attestation and the next card-brand mandate filing all pull from the same shelf without rebuild.

What you walk away with

  • Map PCI DSS v4 sub-requirements, Nacha operating rules, OFAC screening logs, FFIEC BSA/AML expectations and state MTL examiner request lines to one shared set of artefacts with named owners and refresh cadence.
  • Run a QSA-readiness rehearsal four weeks before the ROC interview that surfaces every gap the QSA will find, in the same order the QSA will ask, with sample evidence already pulled.
  • Produce a single examiner-ready evidence pack that answers any of the five regulator types from the same source files, refreshed on one cadence rather than five.
  • Reduce the post-exam reconciliation work to under three days by closing the field-definition gaps between the AML, IT-risk, card-brand registration and state-MTL trackers before the exam, not after.
  • Carry one written compliance manager's playbook into the next examiner cycle, the next QSA, the next Nacha rules-change effective date and the next card-brand mandate filing, so the answer to each one is already drafted before the request lands.

The 12 modules

Module 1. The merchant acquirer regulator map
Reads the compliance manager's calendar from one side: every regulator, rule-setter and examiner that touches a US merchant acquirer in a single fiscal year. PCI DSS QSA, Nacha rules-compliance audit, Visa and Mastercard registration and mandate cycles, OFAC and 314(a), FFIEC BSA/AML, state MTL exam rotations, Reg E and CFPB. For each, the artefacts requested, the cadence, the owner inside the firm, and the overlap with the other four. Produces the single regulator map every subsequent module pulls from.
Module 2. PCI DSS v4 scope-and-evidence rebuild
Walks the v4 sub-requirement changes that matter for an acquirer rather than a merchant, with the customised approach and targeted risk analysis written in a way the QSA will accept rather than send back. Covers card-data flow diagrams that hold up under interview, segmentation testing scope, the new authenticated scanning requirement, and the evidence rotation that keeps the ROC interview a confirmation rather than a discovery exercise.
Module 3. Nacha operating rules compliance for the acquirer side
Reads the current Nacha rulebook through the acquirer's lens: WEB-debit account-validation requirements, micro-entry rule changes, return-rate thresholds, third-party sender oversight, and the rules-compliance attestation cycle. Builds the evidence pack that satisfies a Nacha rules-compliance audit and the same source files that feed a state MTL examiner asking about ACH monitoring.
Module 4. OFAC screening and 314(a) evidence the AML team owns and the QSA reads
Treats OFAC screening logs and 314(a) responses as a shared artefact rather than the AML team's private file. Defines screening cut-offs, false-positive review workflow, list-update timing, and the audit trail that holds up to a BSA/AML exam, a state MTL exam, a card-brand registration review, and a PCI DSS access-control test. One source, one cadence, four examiners satisfied.
Module 5. FFIEC BSA/AML expectations for the acquirer compliance manager
Reads the FFIEC BSA/AML Examination Manual sections the acquirer compliance manager actually owns: customer due diligence on merchants, ongoing monitoring of merchant transaction patterns, SAR filing for merchant fraud and structuring, high-risk merchant programmes. Produces the BSA officer briefing document that survives a federal exam and feeds the next state MTL exam without rebuild.
Module 6. State money-transmitter license examiner cycle
Reads a typical multi-state MTL examiner cycle inside one acquirer: the request list, the examiner workpapers, the response timing, the CSBS Money Services Businesses Call Report, and the way state examiners share findings through MSBCA. Builds the standing MTL response pack that answers any state examiner from the same shelf, with state-specific overlays for New York, Texas, California, Illinois, Florida and Massachusetts.
Module 7. Card-brand registration and mandate tracking
Treats Visa, Mastercard, the firm and Discover registration and mandate cycles as a real compliance discipline rather than a sales-ops afterthought. Tracks mandate effective dates, registration renewal cycles, brand fees and assessment changes, dispute and chargeback rule changes, and the evidence each brand can ask for during a registration review. Single mandate calendar the compliance manager owns alongside the QSA calendar.
Module 8. Reg E error-resolution and CFPB supervisory expectations
Reads Reg E from the acquirer's side rather than the issuer's: error notice handling for ACH and card transactions where the acquirer is in the loop, provisional credit timing, CFPB supervisory expectations for nonbank covered persons, and the way a CFPB exam request list reads. Maps Reg E evidence to the same artefacts the PCI access-control test and the BSA SAR file already produce.
Module 9. Vendor and third-party risk evidence the four examiners want
Builds one vendor-risk file that answers PCI DSS service-provider responsibility matrices, FFIEC third-party risk expectations, card-brand registered service-provider lists, and state MTL vendor-oversight questions. Includes the SIG and CAIQ workflow, the SOC 2 review pack, the bank-sponsor questionnaire response, and the way to handle subservice organisation carve-outs without leaving a gap any of the four can exploit.
Module 10. The single evidence library and refresh cadence
Stops the binder-per-regulator failure mode. Defines one evidence library structure, one artefact per control, named owners, one refresh cadence per artefact type, and a mapping table that takes any incoming examiner request line and points it at the right artefact already on file. Includes the field-definition reconciliation between the AML, IT-risk, card-brand registration and state-MTL trackers so the same field name means the same thing across all four.
Module 11. QSA-readiness rehearsal and examiner interview prep
Runs the four-week QSA-readiness rehearsal: the sub-requirement walk-through, the interview question bank pulled from prior ROC findings, the sample-pull drill, the customised approach defence, and the moment to walk away from a control that will not hold up rather than have the QSA find the gap. Same playbook adapted to a Nacha rules-compliance audit and a state MTL on-site exam.
Module 12. The compliance manager's standing playbook for the next twelve months
Combines the previous eleven modules into one written playbook the compliance manager keeps on the desk: the regulator map, the artefact library structure, the refresh cadence, the rehearsal script, the field-definition glossary, the mandate calendar, and the examiner-response templates. Includes the handover pack the head of compliance or chief compliance officer can read in twenty minutes to know the seat is run.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The QSA arrives for the v4 ROC interview and asks for an OFAC screening sample. The compliance manager has the sample on the same shelf the BSA team uses, at the same cut-off, with the same field definitions, and the interview moves to the next sub-requirement instead of stalling for a week.
A state MTL examiner sends a request list that includes Nacha return-rate monitoring evidence. The compliance manager pulls the same monitoring file that already satisfied the most recent Nacha rules-compliance attestation, no rebuild, no reconciliation call with the ACH operations team.
Visa releases a registration renewal cycle that asks for vendor-oversight evidence. The compliance manager pulls the SOC 2 review pack the FFIEC third-party risk expectations already answer to, files it, and moves on.
The chief compliance officer asks on a Friday for the standing posture across PCI, Nacha, OFAC, state MTL and card-brand mandates for the audit-committee deck on Monday. The compliance manager hands over a one-page status pulled from the single evidence library, not five emails to five team leads.

What you get with this course

  • Twelve written modules covering the regulator map, the evidence library, the rehearsal scripts and the standing playbook.
  • Downloadable artefact templates for the single evidence library, the regulator map, the mandate calendar, the field-definition glossary and the examiner-response templates.
  • Worked examples for a QSA-readiness rehearsal, a Nacha rules-compliance attestation, a state MTL examiner response, an OFAC screening evidence pack, and a card-brand registration filing pulled from the same source files.
  • The hand-built implementation playbook delivered alongside course access, scoped to a US merchant acquirer compliance manager's specific examiner mix (PCI, Nacha, OFAC, FFIEC BSA/AML, state MTL across the licensed states, Visa and Mastercard registrations, Reg E, CFPB).
  • Thirty-day money-back if the course does not change how the next examiner cycle runs.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Week one: regulator map for your specific licensed-state footprint, card-brand registrations and processor relationships.

Weeks two and three: evidence library structure built, artefact owners named, refresh cadence agreed across the AML, IT-risk, card-brand registration and state-MTL teams.

Weeks four to six: QSA-readiness rehearsal run against the upcoming ROC cycle, Nacha rules-compliance attestation evidence prepared from the same library, state MTL standing response pack drafted.

Ongoing: the written playbook stays on the desk through every examiner cycle for the next twelve months, with the mandate calendar and field-definition glossary feeding every new request.

Before and after

Before

Five regulator and rule-setter cycles run on five trackers owned by four teams with four different cadences, four field-definition standards and no shared evidence library. Every exam starts with two weeks of reconciliation between the AML team, the IT-risk team, the card-brand registration team and the state-MTL team. The QSA finds gaps the team thought were closed because the access-control evidence the BSA file pointed to was at a different cut-off than the PCI binder. The compliance manager spends most of the quarter chasing answers across teams instead of running the seat.

After

One evidence library, one artefact per control, named owners, one refresh cadence per artefact type, one mapping table that takes any incoming examiner request line and points it at the right artefact already on file. The QSA-readiness rehearsal four weeks out surfaces the gaps in the order the QSA will ask. The state MTL examiner gets the same evidence pack the Nacha rules-compliance attestation drew from. The chief compliance officer reads the single status sheet on Monday morning and the seat is visibly run.

What happens if you do not address this

The merchant acquirer compliance manager seat absorbs additional regulator pressure every cycle: PCI DSS v4 customised approach and targeted risk analysis defences, expanded Nacha account-validation expectations, more frequent state MTL exams as CSBS coordination tightens, OFAC enforcement against payments firms, and more aggressive card-brand registration reviews. Without a single evidence library, each new request is a fresh fire drill across teams, and the gaps the QSA finds in one ROC interview become the gaps the state examiner finds in the next on-site. The cost is not just the findings; it is the credibility of the compliance function at the executive level, and the personal cost of running the seat reactively while the next regulator cycle is already on the calendar.

Who it is for

A compliance manager inside a US merchant acquirer, payment facilitator, or ISO who reports into the head of compliance or chief compliance officer, owns or co-owns PCI DSS attestation, Nacha rules compliance, OFAC sanctions screening, state money-transmitter license examiner relationships, and at least one card-brand registration. Typically holds CRCM, CAMS, CISA, PCIP or similar credential, has been in payments compliance three to ten years, sits across a compliance team of four to twenty, and is the single point of contact for the QSA and at least one state regulator. Manages a calendar where the next examiner request, the next mandate effective date, and the next QSA touchpoint are all visible at once.

Who this is NOT for. Not for an issuing bank compliance officer whose primary frameworks are Reg Z, Reg E credit-side, and FRB exam expectations rather than the acquirer-side PCI plus Nacha plus state MTL stack. Not for a compliance analyst three years away from owning a regulator relationship. Not for a money services business compliance officer whose entire stack is BSA/AML plus state MTL without card-brand registration or PCI scope. Not for a fintech compliance generalist who outsources PCI to the processor and never sees a QSA.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access. Scoped to a US merchant acquirer compliance manager's specific examiner and rule-setter mix.

Time investment. Twelve to sixteen hours across the twelve modules, plus another twenty to thirty hours building the single evidence library against your actual artefacts. The QSA-readiness rehearsal and the standing playbook compress what is currently two weeks of reconciliation per exam into roughly three days, so the investment recovers itself inside one examiner cycle.

Why $199 is the right number

A QSA pre-assessment from a Big 4 or PCI specialist firm answers PCI readiness for one cycle at twenty-five to seventy-five thousand dollars and leaves Nacha, OFAC, state MTL and card-brand registration untouched. A CAMS or CRCM credential refresh teaches the framework knowledge but does not build the evidence library. A GRC platform implementation answers tracking and workflow but does not solve the field-definition reconciliation between the AML, IT-risk, card-brand and state-MTL trackers. The $199 course is the working method the compliance manager keeps on the desk; the playbook is hand-built against your specific examiner mix. Buy it alongside the QSA pre-assessment, not instead of it.

FAQ

Is the course US-only or does it cover the international acquirer footprint?
Core scope is the US merchant acquirer compliance manager. The evidence library structure carries over to PSD2, PSD3 and EBA outsourcing expectations for an EU footprint, and the implementation playbook can include the European overlay if your seat covers it. Note the scope when you order.
Does the course assume a specific processor relationship or card-brand portfolio?
No. The regulator map is built from the licensed-state footprint, the card-brand registrations and the processor relationships you actually have. The implementation playbook is scoped against your specific examiner mix, not a generic acquirer.
How is this different from a SOC 2 readiness engagement?
SOC 2 is one of the artefacts the evidence library feeds, not the destination. The course handles the regulator and rule-setter cycles that sit alongside SOC 2 in a merchant acquirer: PCI DSS, Nacha, OFAC, FFIEC BSA/AML, state MTL, card-brand registration and Reg E.
What if my seat splits PCI and BSA across two compliance managers?
The evidence library still works, and the field-definition reconciliation between the two seats is one of the first things the course addresses. The implementation playbook is scoped to your half of the seat with a documented handoff to the other half.
What is the implementation playbook actually?
A hand-built document scoped to your specific examiner mix: your licensed states, your card-brand registrations, your processor relationships, your upcoming QSA cycle, and the artefacts your AML, IT-risk and state-MTL teams already maintain. Delivered alongside course access, not a generic template.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
