Introduction
Merchant acquiring in Turkey is a central component of the digital payments ecosystem. Every time a customer pays a merchant by card through a physical POS terminal, virtual POS infrastructure, mobile POS solution, online checkout page, QR payment interface or marketplace payment flow, there is usually an acquiring relationship behind the transaction. The acquiring institution enables the merchant to accept payments, processes transaction data, communicates with card schemes and issuers, settles funds and manages chargeback and fraud risk.
In Turkey, merchant acquiring is important not only for banks and payment institutions but also for e-commerce companies, marketplaces, retailers, restaurants, hotels, subscription platforms, digital service providers, fintech companies and small businesses. A merchant cannot treat POS or virtual POS services as merely technical tools. The legal structure behind acquiring affects settlement timing, commission fees, chargeback liability, fraud monitoring, consumer refunds, data security, anti-money laundering controls and termination risk.
The Turkish legal framework is based mainly on Law No. 5464 on Bank Cards and Credit Cards, Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, Banking Law No. 5411, Central Bank of the Republic of Türkiye regulations, BRSA electronic banking rules, consumer protection law, data protection law and anti-money laundering rules. Law No. 6493 regulates payment systems, payment services, payment institutions and electronic money institutions, while Law No. 5464 regulates the card payments system, card issuers, card system organizations and merchant-related card payment structures.
This article explains merchant acquiring in Turkey, focusing on POS services, virtual POS, online payments, merchant agreements, payment institutions, chargebacks, fraud, data security and legal risk management.
1. What Is Merchant Acquiring?
Merchant acquiring is the service that allows a merchant to accept electronic payments from customers. In a card payment transaction, the merchant usually contracts with an acquiring bank or payment service provider. The acquirer provides payment acceptance infrastructure, processes the transaction, receives authorization through the card payment system and settles the transaction amount to the merchant after deducting commission, fees, chargebacks, refunds or reserves where applicable.
In a physical store, acquiring is usually visible through a POS terminal. In e-commerce, it appears as virtual POS, payment gateway, hosted checkout page, payment link, mobile payment SDK, marketplace payment integration or API-based payment acceptance.
The acquiring relationship is legally important because the merchant does not directly collect card funds from the customer’s issuing bank. The acquiring institution acts as the merchant’s payment acceptance partner. It manages technical processing, settlement, scheme compliance, fraud monitoring and chargeback procedures.
In Turkey, merchant acquiring may be offered by banks and, depending on the structure, licensed payment institutions. BKM also explains that merchants receive POS services by signing a card acceptor agreement with banks, and its merchant guide is designed to inform merchants about card payment system rules and responsibilities.
2. Legal Framework of Merchant Acquiring in Turkey
Merchant acquiring in Turkey does not rely on a single statute. It is regulated by several overlapping legal regimes.
The first key regime is Law No. 5464 on Bank Cards and Credit Cards. This law regulates card systems, card issuing, card use, card accepting relationships and related institutions. It is particularly relevant where the merchant accepts bank cards or credit cards through POS or virtual POS infrastructure.
The second key regime is Law No. 6493, which regulates payment services, payment institutions and electronic money institutions. This law is important where a non-bank payment institution provides merchant payment acceptance, payment facilitation, e-money, wallet or payment gateway services. The Central Bank of the Republic of Türkiye is the principal authority for payment services and payment institutions under this framework.
The third regime is Banking Law No. 5411, which is relevant when acquiring services are provided by banks, when customer funds are processed through bank accounts, or when banking confidentiality and bank risk management obligations apply. Banking Law No. 5411 includes banking services, card-related services and payment-related activities within the broader banking regulatory environment.
The fourth regime includes consumer protection, data protection, anti-money laundering, cybersecurity and tax rules. Merchant acquiring involves payment data, personal data, card data, transaction records, suspicious transaction monitoring and customer refunds. Therefore, merchants and acquirers must manage both financial regulation and general legal compliance.
3. Parties in a Merchant Acquiring Transaction
A merchant acquiring transaction usually involves several parties.
The cardholder is the customer making the payment.
The merchant is the seller of goods or services accepting payment.
The acquirer is the bank or payment service provider that enables the merchant to accept payment.
The issuer is the bank or institution that issued the customer’s card.
The card scheme or card system organization provides the network rules and infrastructure under which the transaction is authorized, cleared and settled.
The payment gateway may provide technical processing between the merchant’s website and the acquiring infrastructure.
The payment facilitator or aggregator may enable smaller merchants to accept payments under a broader acquiring model, depending on the legal structure.
The marketplace may collect payments from buyers and distribute funds to sellers, subject to payment services and e-commerce rules.
Each party has different duties. A merchant must deliver goods or services and comply with merchant agreement rules. An acquirer must process transactions securely and apply risk controls. An issuer must handle cardholder authentication and cardholder objections. A payment gateway must maintain technical reliability and data security.
4. POS Services in Turkey
A POS terminal allows a merchant to accept card payments in a physical location. POS is widely used in retail, restaurants, hotels, pharmacies, service businesses, fuel stations, transport, healthcare and many other sectors.
A merchant obtains POS services through a merchant agreement with an acquiring bank or authorized provider. The agreement usually regulates commission rates, settlement period, card acceptance rules, installment options, cancellation and refund procedures, chargebacks, suspicious transaction monitoring, data security, terminal use, prohibited transactions and termination rights.
POS services may appear operationally simple, but legally they create an ongoing financial relationship. The merchant must follow the card acceptance rules, verify transactions where required, avoid fraudulent or prohibited transactions, preserve transaction documents, process refunds correctly and respond to chargeback requests.
The acquiring institution may suspend POS services or withhold settlement if it detects fraud, excessive chargebacks, suspicious activity, illegal betting, money laundering risk or breach of the merchant agreement.
5. Virtual POS and E-Commerce Payments
Virtual POS is the online equivalent of physical POS. It allows merchants to accept card payments through websites, mobile applications, payment links, subscription platforms and online marketplaces.
Virtual POS is essential for Turkey’s e-commerce sector. However, virtual POS creates higher fraud risk than ordinary face-to-face transactions because the cardholder and card are not physically present. Fraud may involve stolen card data, fake identities, account takeover, delivery fraud, fake refund claims or merchant collusion.
A virtual POS agreement should regulate:
Payment integration, transaction authorization, 3D Secure use, refund process, chargeback handling, settlement period, commission, reserve rights, fraud thresholds, prohibited products, installment sales, recurring payments, subscription cancellation, customer data, card data security, API use, technical downtime and termination.
E-commerce merchants should not treat virtual POS as a mere checkout tool. It is a legal and financial infrastructure that can create liability if the merchant fails to deliver goods, processes fraudulent orders, violates consumer cancellation rights or ignores chargeback deadlines.
6. Online Marketplaces and Merchant Acquiring
Online marketplaces create additional complexity. A marketplace may connect many sellers with many buyers. The platform may collect payments from buyers, hold funds, deduct commissions and distribute settlement to sellers.
This structure may fall within payment services regulation depending on how funds are collected and transferred. If the marketplace controls payment flow, holds funds or provides payment services beyond a technical exemption, it may need to work with licensed payment institutions or structure its operations carefully under Law No. 6493.
Merchant acquiring for marketplaces should address:
Seller onboarding, seller KYC, buyer payment authorization, escrow-like flows, settlement timing, chargeback allocation, refund responsibility, fraud monitoring, seller termination, reserve accounts and consumer complaint handling.
A marketplace may face claims from both buyers and sellers. Buyers may claim non-delivery or unauthorized payment. Sellers may claim withheld settlement. Payment institutions may impose reserves due to chargeback risk. Therefore, marketplace payment contracts should be drafted with precision.
7. Merchant Agreements
The merchant agreement is the central legal document in acquiring. It is the contract between the merchant and the acquirer or payment provider. A weak merchant agreement creates legal uncertainty when fraud, refunds, chargebacks or settlement disputes arise.
A strong merchant agreement should include:
Merchant identity and business activity; accepted payment methods; commission and fees; settlement period; rolling reserve or collateral rights; transaction limits; installment payment rules; refund and cancellation procedures; chargeback liability; fraud monitoring; prohibited products and services; AML and sanctions compliance; card data security; confidentiality; data protection; audit rights; suspension and termination; dispute resolution; and evidence retention obligations.
Merchants should read these contracts carefully. Many merchants focus only on commission rates and settlement timing, but chargeback and reserve clauses may be more important in practice. An acquirer may withhold substantial settlement amounts if fraud or chargeback risk increases.
8. Acquiring by Banks and Payment Institutions
Historically, banks played the dominant role in card acquiring. Today, licensed payment institutions and fintech providers also play an important role in merchant payment acceptance, payment facilitation and virtual POS aggregation.
The legal distinction matters. A bank providing acquiring services is subject to banking law, card law and related BRSA rules. A payment institution providing payment services is subject to Law No. 6493 and CBRT supervision. The CBRT’s payment services framework confirms that payment services and electronic money institutions are regulated and supervised under Law No. 6493 and secondary regulations.
A fintech company that wants to provide virtual POS or merchant payment acceptance must determine whether it is acting as a technical service provider, payment gateway, payment facilitator, payment institution or e-money institution. The legal classification determines licensing, capital, safeguarding, reporting, AML and operational obligations.
9. Payment Facilitators and Aggregated POS Models
Payment facilitators or payment aggregators provide integrated payment acceptance services to multiple merchants. They may integrate with banks or card acquiring infrastructure and offer merchants a simplified payment acceptance solution.
Legal commentary on the Turkish payment services market explains that payment facilitators may contract with different banks, integrate POS services and provide merchants with an integrated physical or virtual POS solution through a single interface.
This model is commercially attractive because small merchants may avoid separate POS negotiations with multiple banks. However, it also creates legal risk. The facilitator must conduct merchant due diligence, monitor transactions, manage chargebacks, prevent prohibited transactions and ensure that it is properly licensed or structured.
A payment facilitator that onboards merchants too quickly without sufficient KYC may become exposed to fake merchants, illegal activity, stolen card transactions or money laundering schemes.
10. Merchant Onboarding and KYC
Merchant onboarding is one of the most important legal risk points in acquiring. Acquirers and payment institutions must understand who the merchant is, what business it conducts, what products it sells, who owns it, where it operates and whether its activity is lawful.
KYC should include:
Trade registry records, tax registration, authorized signatories, beneficial ownership information, website review, product and service review, refund policy review, delivery model, sector risk, expected transaction volume, chargeback history and sanctions or AML screening.
High-risk merchants require enhanced review. These may include cross-border e-commerce, digital goods, subscription services, travel, gaming, adult content, high-value electronics, investment products, crypto-related businesses, gambling-related services or businesses with high refund and chargeback risk.
Weak onboarding creates downstream problems. If a fake merchant processes stolen card transactions and disappears after settlement, the acquirer or payment institution may bear financial and regulatory exposure.
11. Prohibited and High-Risk Transactions
Merchant agreements usually prohibit certain transactions. These may include illegal gambling, unauthorized financial services, counterfeit goods, unlawful pharmaceuticals, prohibited weapons, fraud-related products, unlicensed crypto services, adult content where restricted, sanctions-related activity and transactions violating card scheme rules or Turkish law.
The acquirer must monitor merchant behavior. A merchant approved for ordinary retail should not suddenly process high-risk foreign transactions, illegal betting payments or suspicious digital goods sales. Sudden transaction pattern changes may trigger suspension, settlement hold or termination.
Merchants should also avoid changing business activity without notifying the acquirer. A virtual POS approved for clothing sales should not be used for unrelated high-risk financial products. Misuse of POS infrastructure may result in termination and legal claims.
12. Settlement and Reserve Mechanisms
Settlement is the payment of transaction proceeds to the merchant after authorization, clearing and deduction of commissions or fees. Settlement timing may vary depending on the acquiring agreement, card scheme rules, risk profile and commercial terms.
Acquirers may use reserve mechanisms to manage chargeback and fraud risk. A reserve may be fixed, rolling or event-based. For example, a payment institution may withhold a percentage of settlements for a certain period to cover potential chargebacks.
Reserve clauses are especially common for high-risk merchants, new merchants, travel businesses, subscription models, digital services and merchants with high chargeback ratios.
Merchants should understand reserve rights before signing. A low commission rate may not be attractive if settlement is heavily delayed or a large rolling reserve is imposed.
13. Chargeback Liability
Chargebacks are one of the most important legal and financial risks in merchant acquiring. A chargeback occurs when a cardholder disputes a transaction and the transaction amount is reversed under applicable card scheme and acquiring rules.
Common chargeback reasons include:
Unauthorized transaction, fraud, non-delivery of goods, defective goods, duplicate charge, cancelled subscription, refund not processed, merchant misrepresentation, cardholder did not recognize transaction or technical processing error.
The merchant must usually provide evidence to defend the transaction. This may include invoice, order confirmation, delivery proof, customer communication, IP address, transaction logs, 3D Secure record and refund policy.
If the merchant fails to respond in time or cannot prove the transaction, it may lose the amount and pay additional chargeback fees. Excessive chargebacks may lead to higher reserves, termination or blacklisting.
14. Refunds, Cancellations and Consumer Rights
Online payments frequently involve refunds and cancellations. Consumer protection law may apply where the buyer is a consumer. A merchant must comply with distance sales rules, withdrawal rights, defective goods rules, refund periods and information obligations where applicable.
A merchant cannot use payment infrastructure to avoid consumer law. If a consumer lawfully cancels a purchase, the merchant must process the refund through the proper payment channel.
Acquirers and payment institutions should monitor refund patterns. Excessive refunds may indicate customer dissatisfaction, misleading sales, subscription abuse or fraud. Very low refund rates in a high-risk sector may also be suspicious if complaints are being suppressed or processed outside the system.
15. 3D Secure and Strong Authentication
3D Secure is widely used in online card payments to authenticate cardholders. It may reduce fraud risk and shift liability in certain card scheme contexts, depending on the transaction and applicable rules.
However, 3D Secure is not a complete shield. Fraudsters may still manipulate customers into approving transactions, use SIM swap attacks, take over devices or exploit social engineering. Therefore, merchants and acquirers should combine authentication with transaction monitoring.
High-risk indicators may include mismatch between billing and shipping addresses, unusual IP location, multiple failed card attempts, repeated small transactions, high-value first purchase, use of disposable e-mails, and multiple cards used from the same device.
16. Fraud Monitoring in Merchant Acquiring
Fraud monitoring is essential for acquirers and payment institutions. Merchant acquiring creates exposure not only to customer fraud but also to merchant fraud.
Fraud monitoring should detect:
Stolen card transactions, fake merchants, unusual transaction spikes, high refund ratios, high chargeback ratios, transactions inconsistent with merchant profile, illegal product categories, multiple cards from one IP address, suspicious cross-border patterns, split transactions, refund abuse and mule activity.
If suspicious activity is detected, the acquirer may suspend settlement, request documents, terminate the merchant agreement, file suspicious transaction reports, notify law enforcement or cooperate with card schemes.
A failure to monitor fraud may lead to financial losses, regulatory scrutiny and reputational damage.
17. AML and MASAK Compliance
Merchant acquiring can be misused for money laundering. Fake merchants may process fabricated sales. Criminal proceeds may be disguised as card payments. Merchant accounts may be used for illegal betting, fraud proceeds, sanctions evasion or mule activity.
Turkey’s AML framework is based on Law No. 5549 on Prevention of Laundering Proceeds of Crime. Financial institutions and obliged parties must conduct customer due diligence, monitor transactions, keep records and report suspicious transactions where required. MASAK identifies Law No. 5549 as the core law establishing procedures and principles for preventing laundering proceeds of crime.
Acquirers should integrate AML controls into merchant onboarding and transaction monitoring. Merchant acquiring is not only a payment business; it is also a financial crime risk point.
18. Data Protection and Card Data Security
Merchant acquiring involves personal data and payment data. Names, card data, transaction history, addresses, phone numbers, e-mail addresses, IP addresses and purchase details may qualify as personal data. Where payment card data is processed, additional technical security standards may apply through card scheme rules and industry practice.
Merchants should not store sensitive card data unless legally and contractually permitted and technically secure. Payment pages should use secure payment infrastructure, encryption and compliant tokenization where possible.
Data breaches may lead to customer claims, card scheme penalties, regulatory investigations and reputational damage. A merchant agreement should allocate responsibility for data security, breach notification, PCI-related compliance, audit rights and liability for card data compromise.
19. Virtual POS Integration Agreements
Virtual POS integration may be direct or indirect. A merchant may integrate directly with a bank’s virtual POS API, or it may use a payment gateway or payment institution that offers integrated payment acceptance.
A virtual POS integration agreement should regulate:
Technical specifications, uptime, API changes, test environment, security requirements, transaction logging, error handling, refund API, recurring payment API, installment options, tokenization, data storage, customer authentication, fraud filters and liability for technical failure.
If a payment fails due to system error, the merchant may lose sales. If a duplicate charge occurs, the customer may claim refund and damages. If transaction logs are incomplete, chargeback defense becomes difficult.
Therefore, technical terms are also legal terms. They determine evidence, liability and operational risk.
20. Recurring Payments and Subscription Models
Recurring payments are common in software, streaming, memberships, gyms, education platforms, telecom services and digital subscriptions. They create special legal risks because the customer authorizes repeated charges over time.
A recurring payment structure should include clear customer consent, transparent cancellation methods, renewal reminders where required, easy subscription termination and proper refund handling.
Fraud and chargeback risk is high if customers do not recognize recurring charges. Merchants should ensure that transaction descriptions are clear, invoices are sent, and cancellation terms are visible.
Acquirers may impose stricter rules on subscription merchants because chargeback ratios can become high.
21. Installment Sales and Card Payments
Installment card payments are common in Turkey. Merchants may offer customers the option to pay in installments through card infrastructure, subject to legal, banking and card scheme restrictions.
Installment structures may affect merchant settlement, commission, cancellation, partial refund and chargeback handling. A refund for an installment transaction may require different processing than a single-payment transaction.
Merchants should make installment terms clear to customers. Misleading installment advertising may create consumer disputes. Acquirers should ensure that merchants comply with applicable card and consumer rules.
22. Cross-Border E-Commerce and Acquiring
Turkish merchants may sell to foreign customers, and foreign merchants may target Turkish customers. Cross-border acquiring raises additional legal issues.
These include:
Foreign currency settlement, chargeback rules, international card scheme requirements, tax, customs, consumer law, data transfer, sanctions, foreign merchant onboarding and local licensing risk.
A Turkish payment institution serving foreign merchants must examine whether it can onboard and settle such merchants under its license and internal risk policies. A foreign acquirer targeting Turkish merchants or customers should review whether its activities create regulatory obligations in Turkey.
Cross-border e-commerce can be profitable, but it is also fraud-sensitive. International transactions may involve stolen cards, reshipping fraud, fake delivery claims and high chargeback risk.
23. Merchant Disputes with Acquirers
Merchants may dispute acquirer actions such as settlement withholding, sudden termination, excessive chargeback deductions, unexplained reserves, delayed payouts, commission changes, blocked transactions or refusal to process refunds.
The first step is to review the merchant agreement. Many agreements give acquirers broad rights to withhold funds when fraud or chargeback risk exists. However, these rights must still be exercised in good faith and within the contract.
A merchant challenging a settlement hold should request written explanation, transaction breakdown, chargeback list, reserve calculation and legal basis. If the acquirer acted arbitrarily or withheld more than necessary, legal remedies may be available.
24. Acquirer Disputes with Merchants
Acquirers may sue merchants for chargeback losses, fraud, contractual breach, prohibited transactions, false merchant information, fake sales, excessive refunds or misuse of POS infrastructure.
The acquirer should preserve onboarding documents, transaction records, chargeback notices, scheme correspondence, merchant communications, settlement records and risk alerts.
If the merchant is fraudulent, quick action is necessary. Acquirers may need to suspend settlement, terminate services, file criminal complaints and report suspicious transactions.
25. Evidence in Merchant Acquiring Disputes
Evidence is crucial. Important documents include:
Merchant agreement, POS application form, virtual POS integration records, transaction logs, settlement reports, invoices, delivery notes, cargo records, refund records, chargeback notices, customer complaints, IP logs, device data, fraud monitoring alerts, merchant KYC files, tax records, website screenshots, terms of sale and correspondence.
In virtual POS disputes, technical logs are especially important. Without logs, it may be difficult to prove whether the transaction was authorized, whether the customer was redirected properly, whether 3D Secure was used or whether a refund was processed.
26. Regulatory Risks for Acquirers
Acquirers face several regulatory risks:
Operating without proper authorization, weak merchant onboarding, insufficient AML controls, failure to detect suspicious transactions, poor data security, inadequate outsourcing controls, misleading merchant terms, failure to handle complaints, and inadequate recordkeeping.
Payment institutions must pay particular attention to licensing scope. A company offering merchant acquiring, payment gateway or virtual POS services should ensure that its activity is covered by its license and that it complies with CBRT rules under Law No. 6493.
27. Regulatory Risks for Merchants
Merchants also face legal risks. A merchant may lose POS services if it processes prohibited transactions, hides real business activity, has excessive chargebacks, violates consumer law, fails to deliver goods, misuses customer data or participates in fraud.
For e-commerce merchants, legal compliance should include:
Clear terms and conditions, privacy policy, distance sales disclosures, refund policy, secure checkout, invoice compliance, delivery evidence, customer service records and fraud controls.
A merchant that treats virtual POS as only a payment button may face serious financial losses when chargebacks and settlement holds occur.
28. Practical Checklist for Merchants
A merchant using POS or virtual POS in Turkey should:
Read the merchant agreement carefully.
Understand commission and settlement terms.
Check reserve and withholding clauses.
Use secure payment pages.
Maintain proof of delivery.
Respond to chargeback requests on time.
Use fraud screening for high-risk orders.
Keep customer communication records.
Process refunds properly.
Avoid prohibited products and services.
Notify acquirer before changing business activity.
Comply with consumer law and data protection law.
Preserve transaction records.
29. Practical Checklist for Acquirers and Payment Institutions
An acquiring bank or payment institution should:
Verify merchant identity and ownership.
Review merchant business activity.
Conduct website and product checks.
Assess sector risk.
Apply transaction monitoring.
Monitor chargeback and refund ratios.
Use reserves for high-risk merchants.
Preserve technical logs.
Comply with MASAK obligations.
Protect card and personal data.
Maintain clear merchant agreements.
Provide transparent settlement reports.
Respond to merchant disputes in writing.
Terminate suspicious merchants promptly.
30. Why Legal Support Is Important
Merchant acquiring in Turkey requires specialized legal review because it combines card payment law, payment services regulation, banking law, consumer protection, AML, data protection, e-commerce law, fintech contracts and dispute resolution.
A Turkish payment law lawyer may assist with merchant agreement drafting, virtual POS contracts, payment gateway structures, payment institution licensing, marketplace payment flows, chargeback disputes, fraud investigations, settlement withholding disputes, AML policies, data protection documentation and regulatory correspondence.
Legal support is especially important for high-volume e-commerce merchants, marketplaces, payment facilitators, virtual POS providers, subscription businesses, cross-border platforms and fintech companies seeking to provide acquiring-related services.
Conclusion
Merchant acquiring in Turkey is a legally complex but commercially essential part of the payments ecosystem. POS, virtual POS and online payment services enable merchants to accept card and electronic payments, but they also create legal obligations involving merchant agreements, chargebacks, fraud, settlement, consumer rights, data protection, AML compliance and regulatory licensing.
For banks and payment institutions, acquiring is not only a technical processing service. It requires merchant due diligence, transaction monitoring, suspicious activity detection, card scheme compliance, data security and clear contractual documentation. For merchants, POS and virtual POS services are not merely payment tools; they create financial and legal exposure through chargebacks, settlement holds, refunds, consumer complaints and fraud.
The strongest acquiring structures are built on clear contracts, accurate merchant onboarding, secure technical infrastructure, transparent settlement reports, strong fraud controls and proper legal classification. In Turkish payment law, a successful merchant acquiring model must combine speed and convenience with compliance and risk management. As online payments continue to grow, merchants and payment providers that understand the legal framework will be better positioned to reduce disputes, prevent fraud and build sustainable digital commerce operations in Turkey.
Yanıt yok