Introduction
Merchant acquiring and payment facilitation are central to the Turkish fintech ecosystem. Every online marketplace, e-commerce platform, subscription business, mobile application, digital wallet, food delivery platform, travel platform, SaaS provider, gaming platform, and embedded finance business needs a reliable way to collect payments from customers and transfer funds to merchants. This is where merchant acquiring and payment facilitation become legally important.
In Turkey, these activities are not merely technical payment processing services. They may fall within the regulated payment services framework under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. Payment institutions and electronic money institutions may provide payment services only within the scope of the operating license granted by the Central Bank of the Republic of Türkiye, known as the CBRT. TÖDEB, the Turkish Payment and Electronic Money Institutions Association, explains that payment institutions and electronic money institutions may provide payment services within the scope of the operating license issued by the CBRT.
Merchant acquiring, virtual POS aggregation, marketplace payment collection, card acceptance, payment facilitation, refund processing, merchant settlement, and payment instrument acceptance can create serious legal obligations. These obligations include licensing, merchant onboarding, fund safeguarding, anti-money laundering compliance, consumer protection, chargeback management, data protection, cybersecurity, contractual clarity, and regulatory reporting.
This article explains merchant acquiring and payment facilitation in Turkey, focusing on the legal duties of payment service providers, payment institutions, electronic money institutions, platforms, marketplaces, merchants, and fintech companies.
1. What Is Merchant Acquiring?
Merchant acquiring is the service that enables a merchant to accept payments from customers, usually through debit cards, credit cards, prepaid cards, digital wallets, QR payments, bank transfers, payment links, or online checkout systems. In a traditional card payment model, the acquirer contracts with the merchant, enables payment acceptance, processes transactions, handles settlement, and manages chargebacks or refunds.
In Turkey, POS services are treated as part of the payment services ecosystem. TÖDEB explains POS service as the mediation for acceptance of cards and transfer of funds for sales made through debit or credit cards. It also notes that payment and electronic money institutions may make POS services available to merchants by bringing together POS arrangements obtained from banks and issuing their own POS services.
Merchant acquiring may include:
Physical POS services
Virtual POS services
Payment gateway services
Card acceptance
QR payment acceptance
Payment link services
Marketplace collection
Merchant settlement
Refund processing
Chargeback management
Fraud monitoring
Recurring payment processing
Subscription billing
Installment payment support
Payment reporting dashboards
The legal analysis depends on the provider’s actual role. A company that merely provides software to a licensed payment institution has a different legal position from a company that contracts with merchants, accepts payment instruments, receives funds, and settles merchants.
2. What Is Payment Facilitation?
Payment facilitation is a business model where a platform or payment service provider enables many sub-merchants to accept payments through a simplified onboarding and processing structure. Instead of each small merchant negotiating directly with several banks or acquiring institutions, the payment facilitator provides a unified payment infrastructure.
Payment facilitation is common in:
Marketplaces
Food delivery platforms
Ride-hailing platforms
Freelancer platforms
Ticketing platforms
Online education platforms
Gaming platforms
Subscription platforms
Hotel and travel platforms
E-commerce infrastructure providers
SaaS platforms with payment modules
A payment facilitator may onboard sub-merchants, collect customer payments, deduct commissions, process refunds, manage chargebacks, and settle net amounts to merchants. This structure is commercially useful, but it is legally sensitive because the facilitator may enter the regulated payment flow.
The key question is whether the platform is merely a technical service provider or whether it is providing payment services. If the platform controls payment collection, merchant settlement, payment instrument acceptance, or fund transfers, Law No. 6493 and CBRT rules may become relevant.
3. Main Legal Framework in Turkey
The central legal framework for merchant acquiring and payment facilitation is Law No. 6493. TÖDEB explains that payment services include the operation of payment accounts, money transfers, issuance and acceptance of payment instruments, remittance, direct carrier billing, intermediary services for bill payments, payment initiation services, and account information services.
TÖDEB also states that, under Article 13 of Law No. 6493, payment institutions, electronic money institutions, banks under Banking Law No. 5411, and PTT may provide payment services, and these institutions are called payment service providers.
The relevant legal sources include:
Law No. 6493
CBRT secondary regulations on payment services and electronic money
CBRT rules on information systems
MASAK anti-money laundering legislation
KVKK personal data protection law
Law No. 6502 on Consumer Protection
Bank card and credit card rules
Commercial contract law
E-commerce law
Cybersecurity rules
Tax and accounting obligations
Marketplace and platform agreements
A merchant acquiring model must be reviewed under all relevant layers. A product may be technically simple, but legally it may involve several regulated functions.
4. Licensing Requirements
Licensing is the most important issue in merchant acquiring and payment facilitation. Payment services cannot be offered freely by ordinary companies. A company must either be an authorized payment service provider or operate through a lawful structure with a licensed institution.
TÖDEB states that payment institutions and electronic money institutions are required to obtain an operating license granted by the CBRT under Law No. 6493. It also explains that these institutions are subject to CBRT supervision and MASAK liability audits.
A company should obtain legal review if it:
Contracts directly with merchants to process payments
Provides virtual POS services
Aggregates POS services
Accepts payment instruments
Collects customer funds for merchants
Settles funds to merchants
Operates marketplace payment flows
Provides payment links
Provides QR payment collection
Controls refunds and chargebacks
Holds merchant balances
Provides payment accounts
Processes recurring payments
Acts as a payment facilitator for sub-merchants
A software company that merely provides a checkout interface to a licensed payment institution may not need its own payment license if it does not provide regulated payment services. However, the contracts, user interface, fund flow, merchant relationship, and branding must support that position.
5. Merchant Acquiring as Payment Instrument Acceptance
One of the regulated payment service categories is the issuance or acceptance of a payment instrument. TÖDEB lists “issuance or acceptance of a payment instrument” among payment services under Law No. 6493. This is highly relevant for merchant acquiring because card acceptance, wallet acceptance, QR payment acceptance, and similar payment methods can fall within this category.
A merchant acquirer should clearly define:
Which payment instruments are accepted
Whether cards, wallets, QR codes, payment links, or bank transfers are used
Whether the acquirer contracts directly with the merchant
Which bank or payment institution provides settlement infrastructure
Whether the merchant is a direct merchant or sub-merchant
Who handles payment authentication
Who bears fraud risk
Who handles chargebacks
Who has refund authority
Who maintains transaction records
The legal documents must match the technical flow. If a payment service provider accepts cards on behalf of merchants but the contract describes it merely as software support, the structure may be legally vulnerable.
6. Virtual POS Services
Virtual POS is one of the most common merchant acquiring products in Turkey. It allows online merchants to accept card payments through e-commerce websites, mobile applications, marketplaces, and payment links.
Virtual POS services may involve:
Merchant application and onboarding
Card acceptance
3D Secure authentication
Installment options
Transaction authorization
Fraud checks
Payment confirmation
Settlement to merchant
Refund processing
Chargeback management
Transaction reports
Recurring payment functions
Risk monitoring
TÖDEB explains that payment and electronic money institutions may systematically bring together POS services obtained from multiple banks and make them available to merchants. This shows why virtual POS aggregation is a regulated and legally sensitive activity.
A virtual POS provider should ensure that merchants understand:
Payment settlement timing
Commission rates
Installment fees
Refund rules
Chargeback risk
Fraud monitoring rules
Reserve or rolling reserve conditions
Prohibited goods or services
Data security obligations
Termination rights
Settlement suspension rules
Complaint channels
Virtual POS contracts should not be short generic technology contracts. They must include payment-specific risk allocation.
7. Marketplace Payment Facilitation
Marketplace payments are one of the most complex areas of merchant acquiring. In a marketplace, the platform may receive payments from buyers and settle sellers after deducting commissions, service fees, shipping costs, taxes, refunds, or penalties.
This creates several legal questions:
Who is the merchant of record?
Does the marketplace receive customer funds?
Does the marketplace hold seller balances?
Is the payment service provided by a licensed institution?
Does the marketplace act as a payment facilitator?
Are sellers sub-merchants?
Who handles refunds?
Who bears chargeback risk?
Can the platform withhold settlement?
Are customer funds separated from platform revenue?
Are seller funds protected?
Are taxes and invoices properly handled?
A marketplace that controls fund flows may trigger payment services regulation. If it receives customer funds and later transfers them to sellers, it may be providing or facilitating payment services. The safest structure often involves a licensed payment institution or e-money institution handling the regulated payment flow.
8. Sub-Merchant Onboarding
Payment facilitators usually onboard many sub-merchants. This process creates AML, fraud, consumer protection, and contractual risk. A weak sub-merchant onboarding system may allow fake merchants, fraud rings, illegal betting operators, counterfeit sellers, pyramid schemes, or unauthorized financial services to use the payment infrastructure.
A payment service provider should verify:
Merchant legal identity
Beneficial ownership
Tax information
Business activity
Website or app content
Goods and services sold
Refund and cancellation policy
Delivery model
Risk category
Sanctions exposure
Past chargeback history
Bank account ownership
Consumer complaint history where available
Prohibited activity indicators
Merchant onboarding should not be treated as a simple commercial approval. It is part of financial crime prevention and payment system integrity.
9. Prohibited and High-Risk Merchants
Merchant acquiring contracts should include prohibited and high-risk merchant categories. These may include illegal betting, unlicensed financial services, counterfeit products, fraud schemes, unauthorized pharmaceuticals, misleading subscription services, unlawful crypto payment products, adult content where legally restricted, gambling, pyramid schemes, and other legally problematic activities.
The provider should maintain a merchant risk policy. Higher-risk merchants may require enhanced due diligence, rolling reserves, transaction limits, delayed settlement, manual review, or termination rights.
Payment service providers should monitor merchants after onboarding. A merchant may appear low-risk at application but later change its business model or process suspicious transactions.
10. Fund Safeguarding and Settlement
Fund safeguarding is a core legal duty. When a payment institution receives funds for execution of payment transactions, those funds must not be treated as ordinary company revenue.
TÖDEB explains that funds received for payment services and funds received for electronic money issuance must be protected under procedures determined by regulation. It also states that redemption funds must be separated from other funds and may only be used for payment transactions.
For payment institutions, TÖDEB states that unpaid redemption funds at the end of the business day following the day of receipt must be deposited into preservation accounts opened before banks and used only for protecting such funds. It also states that institutions must keep customer-basis records and reconcile preservation account records with bank statements daily.
In merchant acquiring, settlement systems must clearly distinguish:
Customer payment amount
Merchant receivable
Platform commission
Payment service fee
Chargeback reserve
Refund amount
Tax amount where applicable
Delivery fee
Marketplace commission
Seller balance
Provider revenue
The payment service provider should maintain daily reconciliation, customer-basis records, merchant-basis settlement reports, and audit trails. Settlement errors can create regulatory, contractual, accounting, and consumer disputes.
11. Rolling Reserves and Settlement Holds
Payment facilitators often use rolling reserves or settlement holds to manage chargeback, fraud, refund, and AML risk. These mechanisms are lawful only if properly structured, contractually disclosed, proportionate, and based on objective risk.
A merchant agreement should define:
When reserves may be applied
Reserve percentage
Reserve duration
Grounds for increasing reserve
Grounds for releasing reserve
Chargeback set-off rights
Fraud-related withholding
AML-related withholding
Consumer complaint-based withholding
Termination settlement procedure
Final reconciliation process
A provider should not hold merchant funds indefinitely without contractual basis or documented risk. On the other hand, it must preserve the ability to block settlement where there is fraud, suspicious activity, chargeback exposure, or legal restriction.
12. Chargebacks and Refunds
Chargebacks and refunds are central to merchant acquiring. A chargeback occurs when a cardholder disputes a transaction and the transaction is reversed through card scheme or banking processes. Refunds occur when the merchant or platform returns money to the customer voluntarily or pursuant to consumer law.
Chargeback disputes may arise from:
Unauthorized card use
Non-delivery of goods
Defective goods
Cancelled services
Duplicate billing
Fraudulent merchant activity
Subscription disputes
Misleading product descriptions
Customer dissatisfaction
Processing errors
Merchant agreements must allocate chargeback risk clearly. The merchant should provide delivery records, invoices, customer communication, return records, and proof of authorization. The payment service provider should maintain transaction logs, authentication records, authorization results, settlement records, and chargeback correspondence.
Refund procedures should also be clear. The contract should specify who may initiate refunds, how partial refunds work, what happens after merchant settlement, whether provider fees are refunded, and how consumer cancellation rights are handled.
13. Consumer Protection Duties
Merchant acquiring is usually B2B, but consumer protection remains relevant because the payment service affects consumer transactions. Law No. 6502 aims to protect the health, safety, and economic interests of consumers and to compensate consumer losses.
Consumer protection issues may arise where:
The customer is charged but the merchant does not deliver
Refunds are delayed
The payment page is misleading
The merchant uses hidden subscription terms
The platform fails to identify the seller
The payment service provider’s branding confuses the customer
The consumer cannot access complaint channels
Unauthorized transactions occur
Card data or personal data is breached
Marketplace funds are withheld after cancellation
A payment service provider is not automatically liable for every merchant’s defective product. However, if the provider creates confusion, controls refunds, ignores fraud indicators, or enables prohibited merchants, liability risk may increase.
14. MASAK and AML Duties
Payment service providers in Turkey are subject to financial crime compliance duties. Law No. 5549 sets the framework for preventing laundering proceeds of crime. MASAK’s official source states that the objective of Law No. 5549 is to determine the principles and procedures for prevention of laundering proceeds of crime.
In merchant acquiring and payment facilitation, AML risk may arise through:
Fake merchants
Illegal betting payments
Mule accounts
Layered marketplace structures
High-volume low-value transactions
Refund abuse
Cross-border payment flows
Unusual settlement patterns
Merchants selling prohibited goods
Multiple merchants using same beneficial owner
Mismatch between business activity and transaction volume
Rapid merchant onboarding and closure
Use of nominee bank accounts
Payment service providers should implement:
Merchant KYC
Beneficial ownership verification
Sanctions screening
PEP screening
Transaction monitoring
Merchant risk scoring
Suspicious transaction escalation
Record retention
Periodic review
Employee training
Compliance officer review
AML audit readiness
Payment facilitation can be attractive to criminals because it provides access to card and digital payment rails. Strong merchant monitoring is therefore essential.
15. KYB: Know Your Business
For merchant acquiring, KYB, or Know Your Business, is as important as KYC. The provider must understand the merchant’s business, ownership, products, sales channels, risk profile, and settlement account.
KYB should include:
Company registry review
Tax number verification
Beneficial ownership review
Authorized signatory check
Website and app review
Product category review
Business model verification
Bank account ownership check
Physical address review
Historical activity review where available
License verification for regulated sectors
High-risk industry classification
Ongoing monitoring
KYB should be repeated periodically. A merchant may change ownership, product category, website content, or risk profile after onboarding.
16. KVKK and Payment Data
Merchant acquiring involves significant personal data. Payment service providers may process cardholder data, customer identity data, transaction records, IP addresses, device data, merchant contact information, beneficial ownership data, fraud scores, complaint records, and chargeback files.
KVKK requires personal data to be processed lawfully, fairly, accurately, for specific purposes, proportionately, and securely. The law defines the data controller as the person who determines the purposes and means of processing personal data. KVKK also requires data controllers to inform data subjects at the time personal data is obtained, including information on identity, processing purposes, transfer recipients, method and legal basis of collection, and rights under Article 11.
For merchant acquiring, KVKK compliance should include:
Privacy notices
Data processing inventory
Legal basis analysis
Merchant data processing agreements
Cross-border transfer review
Retention policies
Data subject request procedures
Security controls
Breach response
Vendor due diligence
Access control
Audit logs
KVKK Article 12 requires data controllers to take necessary technical and organizational measures to provide an appropriate level of security and prevent unlawful processing or access to personal data. This is especially important where payment data, fraud data, and merchant onboarding documents are processed.
17. Card Data and Cybersecurity
Payment facilitation platforms are high-value cyber targets. Attackers may try to steal card data, compromise merchant accounts, manipulate settlement bank accounts, take over admin panels, abuse refund functions, or redirect payment pages.
Cybersecurity controls should include:
PCI DSS compliance where applicable
Tokenization of card data
Encryption
Secure checkout pages
Strong merchant authentication
Role-based access control
Admin activity logging
Secure API design
Fraud monitoring
Device and IP monitoring
Penetration testing
Incident response
Business continuity
Vendor security review
Secure software development
Settlement bank account change controls
A payment service provider should also monitor merchants’ cybersecurity practices. A compromised merchant website may create fraudulent payments or expose customer data.
18. API and Payment Gateway Contracts
Payment facilitation usually depends on APIs. Merchants integrate checkout pages, payment forms, hosted payment pages, recurring payment functions, refund APIs, reporting APIs, and settlement dashboards.
API contracts should address:
Permitted use
Authentication
API keys
Security requirements
Testing environment
Production approval
Transaction limits
Rate limits
Error handling
Logging
Webhook security
Data protection
Unauthorized API calls
Merchant responsibility
Service levels
Maintenance
Suspension rights
Termination
API misuse can create serious losses. For example, a stolen API key may initiate refunds, retrieve transaction records, or manipulate payment flows. The contract must require merchants to protect credentials and notify the provider immediately after compromise.
19. Liability of Payment Service Providers
Payment service providers may face liability for:
Unauthorized payment transactions
Settlement errors
Failure to safeguard funds
Late merchant settlement
Improper chargeback handling
Failure to detect fraudulent merchants
Unlawful account freezing
Data breaches
Cybersecurity failures
Misleading payment page design
Incorrect transaction reporting
Unclear contractual terms
Failure to comply with MASAK obligations
Failure to preserve records
API failures
Improper refund processing
However, providers are not automatically liable for every merchant dispute. Liability depends on the provider’s role, applicable law, contract terms, fault, causation, evidence, and regulatory duties.
The provider’s best defense is evidence: transaction logs, authentication records, merchant onboarding files, risk alerts, settlement reports, chargeback files, complaint records, preservation account records, and compliance decisions.
20. Merchant Liability
Merchants also have legal duties. They must sell lawful goods and services, provide accurate product descriptions, deliver goods, handle cancellations, comply with consumer law, protect customer data, prevent fraud, and comply with payment provider rules.
Merchant agreements should require merchants to:
Provide accurate company information
Use payment services only for approved activities
Avoid prohibited goods and services
Deliver goods or services properly
Maintain refund and cancellation policies
Preserve transaction evidence
Cooperate in chargebacks
Protect API credentials
Avoid misleading advertising
Comply with consumer law
Comply with KVKK
Notify business model changes
Accept settlement holds where contractually justified
Cooperate with AML inquiries
A payment facilitator should be able to terminate merchants that create legal, fraud, AML, reputational, or chargeback risk.
21. Marketplace Liability
Marketplace platforms have special responsibilities because consumers may perceive the platform, not the individual seller, as the main commercial actor. If the marketplace also controls payment collection and settlement, its legal risk increases.
Marketplace payment contracts should clarify:
Who is the seller
Who is the payment service provider
Who issues invoices
Who receives customer funds
Who controls refunds
Who handles consumer complaints
Who bears chargeback risk
When sellers receive settlement
Whether seller balances may be withheld
How prohibited sellers are removed
How buyer funds are protected
How return rights are implemented
Marketplaces should avoid misleading consumers about the identity of the seller and the role of the payment service provider.
22. Cross-Border Merchant Acquiring
Cross-border merchant acquiring creates additional legal risk. A foreign payment company may want to serve Turkish merchants, or a Turkish payment institution may want to cooperate with a foreign payment entity.
TÖDEB states that there are several ways for licensed institutions residing abroad to provide payment services in Türkiye, including obtaining an operating license in Türkiye, international cooperation, and representation.
Cross-border models should review:
CBRT licensing or permission requirements
Whether Turkish residents are targeted
Whether Turkish merchants are onboarded
Whether Turkish lira payments are accepted
Whether settlement occurs abroad
Whether customer funds are held outside Turkey
Whether cross-border data transfers comply with KVKK
Whether MASAK obligations apply
Whether consumer protection issues arise
Whether tax obligations exist
Whether card scheme rules apply
A foreign license does not automatically authorize merchant acquiring in Turkey. Local legal analysis is essential.
23. Payment Facilitation and Tax/Accounting
Merchant acquiring creates accounting and tax complexity. Payment service providers must distinguish merchant funds from their own revenue. The entire customer payment volume is not the provider’s income; the provider’s income is generally its commission, processing fee, subscription fee, or other agreed service charge.
Important accounting distinctions include:
Gross transaction value
Merchant settlement amount
Provider commission
Marketplace commission
Refund amount
Chargeback amount
Rolling reserve
Tax amount
Customer funds
Provider revenue
Bank fees
Card scheme fees
Incorrect classification may create tax, audit, and regulatory problems. Payment service providers should maintain settlement reports and reconciliation systems that support both financial reporting and regulatory compliance.
24. Practical Compliance Checklist for Merchant Acquirers and Payment Facilitators in Turkey
A merchant acquiring or payment facilitation provider should consider:
Confirm whether the activity requires CBRT authorization.
Operate within the scope of the payment license.
Structure the merchant relationship clearly.
Classify direct merchants and sub-merchants.
Implement KYB and merchant onboarding.
Screen prohibited and high-risk merchants.
Prepare merchant risk policies.
Maintain AML/KYC procedures.
Monitor transaction patterns.
Safeguard customer and merchant funds.
Keep preservation account records where applicable.
Perform daily reconciliation.
Draft clear settlement and reserve clauses.
Define refund and chargeback procedures.
Prepare API and cybersecurity requirements.
Protect personal data under KVKK.
Review cross-border data transfers.
Prepare consumer complaint workflows.
Maintain audit-ready logs.
Review cross-border acquiring structures.
Train compliance, risk, operations, and customer support teams.
This checklist should be adapted to the model. A traditional acquirer, virtual POS provider, marketplace payment facilitator, wallet provider, payment gateway, subscription payment platform, and cross-border merchant acquirer will not have identical obligations.
25. Why Legal Support Is Important
Merchant acquiring and payment facilitation require legal support because they combine payment services law, CBRT regulation, MASAK compliance, KVKK, consumer protection, cybersecurity, e-commerce, contract law, tax, and dispute resolution.
A fintech lawyer can assist with:
Payment service classification
CBRT licensing analysis
Merchant acquiring contracts
Payment facilitation structures
Marketplace payment models
Sub-merchant agreements
KYB and AML procedures
Settlement and reserve clauses
Chargeback and refund rules
KVKK compliance
API and cybersecurity clauses
Cross-border acquiring analysis
Consumer dispute strategy
Regulatory correspondence
Administrative sanction defense
Legal review should begin before launch. Once merchants are onboarded and funds are processed through a non-compliant structure, remediation may require contract changes, merchant re-papering, regulatory engagement, fund-flow redesign, and customer communication.
Conclusion
Merchant acquiring and payment facilitation are essential to Turkey’s digital economy. They allow merchants, marketplaces, platforms, and consumers to transact quickly and securely. However, these services are legally sensitive because they involve payment instruments, customer funds, merchant settlement, refunds, chargebacks, data protection, AML controls, and consumer trust.
Under Law No. 6493, payment services include payment account operations, money transfers, issuance and acceptance of payment instruments, remittance, payment initiation, and account information services. TÖDEB’s official explanations confirm that payment institutions and electronic money institutions may provide payment services only within the scope of the CBRT operating license.
The most important legal duties for merchant acquirers and payment facilitators are licensing, merchant onboarding, fund safeguarding, daily reconciliation, AML monitoring, KVKK compliance, cybersecurity, transparent contracts, refund and chargeback management, and clear settlement procedures. Payment facilitators must also understand the legal risks of sub-merchants, marketplace payments, rolling reserves, prohibited merchants, and cross-border payment flows.
A successful payment facilitation model is not only a strong API or a smooth checkout page. It is a regulated financial infrastructure. Companies that build legal compliance into their acquiring model from the beginning will be better positioned to satisfy regulators, protect merchants and consumers, avoid disputes, and scale sustainably in Turkey’s fintech market.
Yanıt yok