5 things Acquirers and PayFacs need to know about proactive merchant monitoring.

The card schemes are raising the bar on merchant monitoring. ‍

Here’s what you need to know.

‍

Something has been quietly shifting in the regulatory posture of card schemes over the past 12 months, and I think the industry has not fully processed the cumulative weight of what is coming.

For years, merchant risk management operated on a relatively reactive model. Onboard, monitor loosely, respond to notifications. The implicit assumption was that the acquirer's job was to catch problems after they surfaced. That model is being systematically dismantled.

‍

What we are seeing across the scheme landscape is a clear directional shift: the expectation is now that acquirers and payment facilitators take a much more proactive stance in identifying and removing bad actors before they cause damage. Not after.

‍

‍

Two distinct pressure points are converging

The first is around scam merchant activity. Schemes are formalizing requirements that have long existed as best practices but were never explicitly mandated. The direction is clear: acquirers and PayFacs must have active monitoring logic that can detect the behavioral signatures of scam merchants, and when those signals appear, they must act fast. We are talking about defined investigation windows measured in hours. New merchants with elevated refund and chargeback ratios, sharp drops in authorization approval rates, multi-issuer fraud reporting -  these are the triggers that now carry formal compliance weight. Monitoring Service Provider alerts are explicitly recognized as a valid trigger for investigation, which is a meaningful signal about where scheme enforcement is heading.

‍

The second pressure point is around content risk. Unacceptable content standards are being extended explicitly to cover digitally altered content, AI-generated images, and synthetic depictions of real individuals without their consent. The rise of synthetic media has created a category of content risk that existing frameworks were not built to address. Schemes are catching up, and the compliance expectation lands on acquirers.

‍

‍

What this means operationally

The merchants in your portfolio who are newly boarded, operating in CNP environments are now in a meaningfully higher-scrutiny category than they were 18 months ago.

‍

The acquirers and PayFacs who get ahead of this will need to:

• Tighten the logic on how they detect behavioral red flags in the first months of a merchant's lifecycle, when scam activity most commonly surfaces.
• Build or strengthen monitoring for authorization rate degradation and abnormal refund-to-purchase ratios as early warning signals.
• Update content risk frameworks to account for AI-generated and synthetic media, not just traditionally produced material.
• Ensure MMSP alert workflows are integrated into formal investigation processes, not treated as advisory noise.
• Document everything, because scheme audits are increasingly focused on whether your monitoring framework is structured and enforceable, not just whether it exists.

‍

‍

The bigger picture

Schemes are not inventing new categories of risk here. Scam merchants, synthetic content abuse, authorization manipulation -- these have existed for years. What is new is the formalization of acquirer accountability for detecting and acting on them within defined timeframes.

‍

The cost of non-compliance is no longer abstract. It is operational. And the infrastructure gap between acquirers who have invested in intelligent monitoring and those who have not is becoming very visible, very fast.

‍

‍