
What issuer processor handles compliance during a card programme switch?

There is no single party that “takes over” compliance during a card programme switch. Responsibility is shared across stakeholders. The issuer processor provides and operates the compliant processing environment, while full legal and regulatory accountability remains with the regulated issuer (typically a bank or BIN sponsor).

Who is responsible for compliance in a card programme switch?

| Function / Responsibility | Issuer / BIN Sponsor | Issuer Processor | Programme Manager |
|---|---|---|---|
| Legal accountability | Fully accountable (FCA, PSD2, AMLD) | No primary regulatory accountability | No primary regulatory accountability |
| Compliance ownership | Defines policies, ensures compliance | Executes controls within platform | Supports oversight |
| Transaction processing | Not directly involved | Runs authorisation, clearing, settlement | Not involved |
| Cardholder data (PCI DSS) | Accountable | Secures, processes, stores data | Verifies certifications |
| KYC and AML | Approves customers, sets policy | Provides infrastructure, monitoring | Coordinates providers |
| Scheme compliance | Accountable to Visa/Mastercard | Implements rules and updates | Ensures alignment |
| Migration execution | Oversees and approves | Leads technical execution | Manages timelines, stakeholders |
| Risk management | Owns regulatory and financial risk | Manages operational risk | Identifies gaps |
| Vendor coordination | May manage key relationships | Works with issuer and partners | Primary coordination |

The issuer or BIN sponsor is legally responsible for regulatory compliance. While the issuer processor supports compliant operations through its infrastructure, controls, and operational processes, regulatory accountability remains with the regulated entity under frameworks such as PSD2 and AMLD.

What does the issuer processor do?

The issuer processor runs the core infrastructure of the card programme, including:

  • Transaction authorisation
  • Ledger management
  • Fraud monitoring
  • Data storage and processing

During a migration, the processor is responsible for operating a compliant processing environment, while the issuer retains full regulatory accountability. This means the processor is responsible for supporting:

  • Secure, compliant data processing aligned with PCI DSS, PSD2, GDPR requirements, and card scheme rules
  • Secure data migration
  • Transaction processing that continues without disruption

Many processors embed compliance into their platforms rather than treating it as a separate function.

What does the programme manager do?

In some card programmes, a third party – often a fintech or programme manager – sits between the issuer and the processor to coordinate operations.

Their responsibilities include:

  • Conducting processor due diligence
  • Verifying certifications such as PCI DSS Attestation of Compliance (AoC)
  • Defining roles and responsibilities contractually

In many cases, migration risk comes from unclear ownership. This role helps ensure alignment across all parties.

How compliance works during a card programme migration

This is why both processors are involved:

  • The outgoing processor must securely transfer sensitive data
  • The incoming processor must ensure its platform is compliant from day one

Core compliance responsibilities during a switch

1. How is cardholder data protected (PCI DSS)?

The highest-risk phase of a migration is the transfer of cardholder data, especially Primary Account Numbers (PANs).

  • Data is transferred within a PCI DSS-compliant environment
  • Tokenisation and encryption are used to protect sensitive data
  • Strict access controls limit exposure

2. Who handles KYC and AML compliance?

Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations remain with the issuer, who can handle this in-house or outsource to a third party.

However, the processor provides the infrastructure that enables compliance, including:

  • KYC/KYB integrations
  • Transaction monitoring 
  • Real-time fraud and AML alerts

The issuer defines compliance policies and customer approval processes, while the processor provides the infrastructure and monitoring capabilities needed to support compliant operations.

3. How is card network compliance maintained?

Issuer processors help maintain operational alignment with Visa and Mastercard rules.

This includes:

  • Implementing scheme updates
  • Supporting compliant authorisation flows
  • Managing disputes within scheme timelines

During migration, continuity is critical. 

4. How are disputes and chargebacks handled?

Dispute management is a key compliance risk during a switch.

To maintain compliance:

  • Open disputes must be transferred or managed without breaching scheme requirements
  • Historical transaction data must remain accessible
  • Scheme deadlines must not be missed

The processor provides the systems, but the issuer remains responsible for correct handling.

5. What about regulatory reporting and audit requirements?

Processors provide the infrastructure for accurate, auditable transaction records.

This supports compliance with:

  • PSD2, including Strong Customer Authentication (SCA)
  • GDPR for data protection
  • AML reporting obligations

Today’s issuer processors typically include:

  • Real-time reporting dashboards
  • Audit trails
  • Data access for regulators and partners

Example: How Enfuce supports compliant migrations

Enfuce brings together issuer processing, BIN sponsorship, and compliance capabilities within a single platform.

As a regulated Electronic Money Institution (EMI) in the UK and EEA and principal member of Visa and Mastercard, Enfuce embeds compliance across:

During a migration, Enfuce typically provides:

  • Dedicated migration teams
  • Structured data mapping and testing environments
  • Coordination across stakeholders such as KYC providers and card schemes

This integrated approach can reduce operational complexity and minimise compliance gaps during transition.

Integrated issuing, processing, and compliance

For example, Enfuce supported Avida during a large-scale card portfolio migration by combining issuer processing infrastructure with built-in compliance capabilities.

Enfuce enabled a more streamlined operating model by combining into a single platform:

  • BIN sponsorship
  • Transaction processing
  • Built-in compliance controls 

This allowed Avida to focus on its customer offering while ensuring compliance with scheme rules and regulatory requirements.

From a migration perspective, this integrated setup helps maintain continuity across compliance, data, and operations—reducing fragmentation and lowering risk.

Why compliance must be continuous during a switch

A common misconception is that compliance transfers between providers.

In reality, compliance must be maintained at every stage, from planning and data transfer to testing and post-migration monitoring.

In many cases, the biggest risk is not the migration itself, but poor planning and fragmented ownership.

FAQs

Who is legally responsible for compliance during a card programme switch?

The issuer or BIN sponsor is legally responsible. While the issuer processor executes compliance controls, regulatory accountability remains with the regulated entity under frameworks such as PSD2 and AMLD.

What is the biggest compliance risk during a migration?

The secure transfer of cardholder data is the highest-risk phase. This includes ensuring PCI DSS compliance, protecting PAN data, and avoiding data breaches during migration.

Does compliance transfer from one processor to another?

No. Compliance does not transfer. It must be maintained continuously across both the outgoing and incoming processors, with the issuer retaining responsibility throughout.

What happens to disputes during a processor switch?

Open disputes must be transferred or mirrored, and all scheme deadlines must still be met. Failure to maintain dispute continuity can lead to regulatory breaches and financial penalties.