UK E-Commerce Legal Requirements: Your 2025 Compliance Guide

Disclaimer: This is general information, not legal advice. I provide these resources to support responsible website building. You remain responsible for ensuring your business complies with all applicable laws. Consult a qualified legal professional for specific advice.

Foundation Requirements First

Before diving into e-commerce specific requirements, ensure you meet all general UK website legal requirements:

  • Business identity disclosure
  • Privacy policy and GDPR compliance
  • Website accessibility
  • Cookie consent (if applicable)
  • Basic terms and conditions

See my companion guide: UK Website Legal Requirements: Your 2025 Compliance Guide for complete details on these foundation requirements.

Enhanced Terms and Conditions for Sales

When selling online, your Terms and Conditions need additional protections and disclosures.

Essential additions for e-commerce:

  • Order acceptance process
  • Payment terms and methods
  • Delivery arrangements and timeframes
  • Returns and refunds policy (beyond statutory rights)
  • Product descriptions and availability
  • What happens with faulty or damaged goods
  • Cancellation procedures
  • International shipping terms (if applicable)

Consumer sales (B2C): You cannot override consumers' statutory rights, but you can clarify your processes and set reasonable additional terms.

Business sales (B2B): More flexibility in terms, but they must still be fair and clearly written.

Legal requirements: Enhanced T&Cs for e-commerce are governed by:

  • Consumer Rights Act 2015 - sets out consumer rights for goods, services and digital content; requires terms to be fair and transparent
  • Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 - requires specific information disclosure and 14-day cooling-off periods for distance sales
  • Unfair Contract Terms Act 1977 - prevents businesses from excluding liability unreasonably in B2B contracts
  • Consumer Protection from Unfair Trading Regulations 2008 - prohibits misleading information in consumer contracts

Penalties: Unfair terms are not binding on consumers. Misleading practices can result in enforcement action and unlimited fines.

Tip: Clear sales terms reduce disputes, returns, and customer service load. Efficient processes mean fewer problems and more satisfied customers.

References: Consumer Rights Act 2015, Consumer Contracts Regulations 2013, GOV.UK: Online and distance selling for businesses

VAT Registration and Cross-Border Sales

UK VAT Registration: Required if your annual turnover exceeds £90,000. Optional below this threshold.

What VAT registration means:

  • Add VAT to your prices (usually 20%)
  • Submit quarterly VAT returns
  • Display VAT number on invoices and your website
  • Keep detailed VAT records

Selling to EU customers:

  • Use OSS (One-Stop Shop) to handle EU VAT
  • Customers pay VAT upfront, avoiding customs delays
  • Simplifies the process for cross-border sales

Northern Ireland: Special rules apply for EU sales due to the Northern Ireland Protocol. Check current requirements.

Legal framework: VAT requirements are set by:

  • Value Added Tax Act 1994 - the main UK VAT legislation
  • The VAT Regulations 1995 - detailed implementation rules
  • Various Finance Acts that update VAT rates and thresholds annually

Tip: Proper VAT setup from the start avoids costly retrofitting and compliance issues. Plan for growth mindfully.

References: VAT Act 1994, HMRC VAT guidance

Payment Security: Protecting Customer Data

PCI DSS Compliance: If you process, store, or transmit credit card data, you must comply with PCI DSS 4.0.1 standards.

Common Payment Processors and Shared Responsibility: Most e-commerce businesses use third-party payment processors like:

  • Stripe - handles PCI DSS compliance for card data processing
  • PayPal - manages security for transactions through their system
  • Square - provides secure payment processing and hardware
  • Apple Pay/Google Pay - tokenised payments with enhanced security
  • Worldpay, Adyen, SagePay - enterprise payment solutions

Your Responsibilities vs Payment Processor Responsibilities:

What your payment processor handles:

  • Secure storage of card details
  • PCI DSS Level 1 compliance for card processing
  • Fraud monitoring and detection
  • Secure transmission of payment data
  • Most technical security requirements

What you're still responsible for:

  • Ensuring your website connection to the payment processor is secure (HTTPS)
  • Implementing Strong Customer Authentication (SCA) correctly
  • Never storing card details on your systems
  • Keeping your e-commerce platform and plugins updated
  • Monitoring for unauthorized access to your website
  • Having proper access controls for your payment processor account
  • Meeting PCI DSS Self-Assessment Questionnaire requirements (usually SAQ-A for hosted solutions)

Integration Method Affects Your Responsibilities:

  • Hosted checkout (recommended): Customer enters card details directly on processor's secure page - minimal PCI responsibilities for you
  • Embedded forms: Card details entered on your site but sent directly to processor - moderate responsibilities
  • Direct API integration: You handle card data before sending to processor - highest responsibilities and compliance requirements

Requirements:

  • Annual PCI DSS self-assessment questionnaire
  • Secure payment forms (HTTPS encryption)
  • Monitor for tampering or breaches on your website
  • Maintain secure networks and systems
  • Regularly test and update your e-commerce platform

Strong Customer Authentication (SCA): Most online card payments need two-factor authentication under PSD2 rules. Your payment processor typically handles this, but you need to ensure your checkout process supports it.

Card surcharges: You cannot charge extra fees for customers paying by card.

Legal framework: Payment security is governed by:

  • Payment Services Regulations 2017 - implements PSD2 in the UK, including Strong Customer Authentication requirements (Regulation 100)
  • Consumer Rights (Payment Surcharges) Regulations 2012 - bans excessive payment surcharges
  • PCI DSS 4.0.1 - while not UK law, compliance is required by card schemes and often contractually mandated by payment processors

WarningPenalties: Under PSD2: unlimited fines for serious breaches. Card scheme penalties for PCI DSS non-compliance can include increased transaction fees and termination of processing rights. Payment processors may suspend your account for non-compliance.

Tip: Secure payment processing builds long-term trust and reduces fraud-related costs. Efficient security measures protect both business and customers. Using reputable payment processors reduces your compliance burden while maintaining security.

References: Payment Services Regulations 2017, FCA Strong Customer Authentication guidance, UK Finance PSD2 guidance

Digital Markets, Competition and Consumers Act 2024 (DMCCA): The New Rules

This legislation took effect in April 2025 and introduced the strictest e-commerce rules yet.

What's now banned:

  • Fake reviews or paying for positive reviews
  • Drip pricing (hiding fees until checkout)
  • Misleading urgency claims ("only 2 left" when that's false)
  • Making it hard to cancel subscriptions
  • Dark patterns designed to trick users
  • Misleading environmental claims ("greenwashing")

New requirements:

  • Upfront pricing: All fees visible before checkout
  • Purchase transparency: Before customers buy, clearly show: your business identity, product details, total price including delivery, returns rights, cancellation terms
  • Subscription clarity: Renewal dates, costs, and easy online cancellation
  • Review authenticity: Only genuine reviews allowed
  • Green claims compliance: Environmental claims must follow the CMA's Green Claims Code

Green Claims Code - Key Requirements: The CMA estimates that 40% of green claims made online could be misleading. All environmental claims must be:

  • Truthful and accurate - you must live up to claims about products, services, or business practices
  • Substantiated - backed by verifiable evidence, certifications, or third-party audits
  • Clear and specific - avoid vague terms like "eco-friendly" or "sustainable" without concrete details
  • Complete - consider the product's full lifecycle from manufacture to disposal
  • Fair comparisons - any comparisons with competitors must be meaningful and substantiated
  • Not omitting important information - don't hide relevant details that affect consumer choice

Common greenwashing violations to avoid:

  • Using terms like "100% recyclable" when only parts are recyclable
  • Claiming products are "carbon neutral" without offsetting evidence
  • Using green imagery or nature photos to suggest sustainability without basis
  • Filtering systems showing "recycled" products that aren't predominantly recycled materials
  • Making general claims about being "environmentally friendly" without specific evidence

Legal framework: The DMCCA 2024 amends existing consumer protection laws:

  • Consumer Protection from Unfair Trading Regulations 2008 - enhanced with new prohibitions on fake reviews and drip pricing
  • Competition Act 1998 - strengthened powers for the CMA
  • Enterprise Act 2002 - enhanced enforcement mechanisms

Penalties: Up to 10% of global annual turnover OR £300,000 (whichever is higher). The Competition and Markets Authority (CMA) can now impose fines directly.

Tip: Honest, transparent practices build lasting customer relationships. Clear information reduces support queries and returns. Authentic reviews create genuine value for future customers.

References: Digital Markets, Competition and Consumers Act 2024, CMA Green Claims Code

Product Regulation and Metrology Act 2025: Marketplace Responsibility

This new law affects how online marketplaces handle product safety.

If you sell via Amazon, Etsy, or other marketplaces:

  • Both you and the platform share responsibility for product safety
  • Enhanced monitoring and recall procedures
  • Authorities have stronger powers for inspections and forced recalls

What this means:

  • Keep detailed product safety records
  • Respond quickly to safety concerns
  • Update your supplier contracts to cover new responsibilities
  • Monitor products throughout their sale period

Direct selling: If you sell directly from your website, you remain fully responsible for product safety and compliance.

Legal framework:

  • Product Regulation and Metrology Act 2025 - new law creating shared liability between online marketplaces and sellers for product safety
  • Consumer Protection Act 1987 - existing product liability law that continues to apply
  • General Product Safety Regulations 2005 - ongoing safety requirements for all products

Penalties: Enforcement orders, unlimited fines, and potential criminal prosecution for serious safety breaches. Enhanced powers allow authorities to force product recalls and marketplace suspensions.

Tip: Responsible product sourcing and safety practices create long-term business sustainability. Avoiding shortcuts prevents costly recalls and reputation damage.

References: Product Regulation and Metrology Act 2025, Consumer Protection Act 1987

✅ Business info in footer
✅ Clear T&Cs (B2B or B2C tailored)
✅ Consumer rights + cancellation details in place
✅ Refund and return policy
✅ Accessibility checked (WCAG 2.2)
✅ VAT registration and cross-border tax sorted
✅ PCI DSS compliant + SCA ready
✅ No payment surcharges

For anyone setting up or running an online business in the UK, having robust, up-to-date website policies isn’t just good practice. It’s a legal necessity. The regulations around privacy, cookies, and online contracts shift constantly, and mistakes can be costly. That’s why I strongly recommend Termageddon for generating terms and conditions, privacy policies, and cookie disclosures. It’s the policy tool I use myself because it ensures I am meeting my legal responsibilities all around the world.

Disclaimer: This is an affiliate link, which means I earn a commission if you sign up, and you’ll get 10% off your first year. No pressure to use my link, but it benefits both of us if you do.