.webp)
Related Questions
Managing compliance with card scheme risk programs is one of the most important parts of running a responsible PSP or acquirer business.
Mastercard's Business Risk Assessment and Mitigation (BRAM) program and Visa's Integrity Risk Program (VIRP) have existed for years, but their relevance and expectations have increased significantly as digital commerce accelerates and merchant models evolve faster than traditional controls can track.
For PSP risk, compliance, and underwriting teams, these programs are not theoretical guidelines. They are ongoing obligations tied directly to your ability to operate safely, protect cardholders, and maintain healthy scheme relationships.
This guide is written from the practical reality of running PSP compliance programs, and is designed to reflect the seriousness with which Mastercard and Visa treat these topics.
Both programs have a common purpose: to protect consumers, card brands, and the payment ecosystem from illegal, non-compliant, deceptive, or brand-damaging merchant activity. They are not meant to restrict legitimate commerce. They are meant to ensure that the ecosystem is safe, transparent, and compliant at scale.
BRAM and VIRP expectations include ensuring PSPs and acquirers onboard legitimate merchants, preventing transactions for prohibited or unlicensed activities, identifying deceptive marketing, illegal products, and misrepresented services, detecting transaction laundering and undisclosed third-party processing, acting promptly when issues are identified, and demonstrating oversight and governance appropriate to the portfolio size and risk mix.
Schemes understand that PSPs cannot achieve perfection. What they expect is reasonable, documented, risk-based diligence supported by credible controls and ongoing monitoring.
The specific categories may evolve, but the core themes that lead to BRAM/VIRP issues have remained consistent.
Illegal or Unlicensed Activity
This includes prescription medication without proper licensing, CBD/THC products that are non-compliant in specific jurisdictions, unlicensed gambling or wagering services, and unregulated financial services, crypto exchanges, or MSBs. Scheme expectation: PSPs must have processes to identify licensing requirements, verify merchant claims, and react quickly when regulations or offerings change.
Intellectual Property Infringement
This covers counterfeit goods and unauthorized replicas. Scheme expectation: PSPs should prevent obviously infringing merchants from onboarding and act when rights holders raise credible claims.
Adult and Age-Restricted Content
These categories are permitted but tightly regulated. Scheme expectation: PSPs must ensure required controls exist, including age verification and compliant content practices.
Transaction Laundering and Misrepresentation
This is one of the most serious issues in both BRAM and VIRP. Transaction laundering allows criminals to process illicit payments through legitimate merchant acquirers, creating significant compliance challenges. Scheme expectation: Merchants must accurately describe what they sell. PSPs must detect cases where a merchant processes for undisclosed parties or where the actual business model differs materially from what was approved.
Card brands use a combination of methods, including web crawling and automated content analysis, transaction pattern analytics, cardholder complaints and disputes, input from regulators or enforcement agencies, and cross-brand intelligence and industry partnerships.
None of these mechanisms are secret, and none are arbitrary. They reflect a consistent scheme priority: maintaining trust and preventing card usage for prohibited or harmful activity.
Every PSP knows the rulebooks. The challenge is operational.
A PSP may support thousands of merchants across dozens of verticals and jurisdictions. Manual oversight alone is insufficient. Merchants often change products, marketing claims, sales channels, and jurisdictions. A merchant that was fully compliant at onboarding may shift unintentionally into non-compliant territory later.
CBD, gambling, adult, financial services, supplements, and healthcare each involve complex, region-specific regulation. PSPs must understand the broad outlines and apply risk-based controls. Many PSPs lack systematic ways to detect new products added to websites, landing pages or funnels managed by affiliates, changes in merchant policies or claims, misaligned web content versus declared business model, or related entities that indicate possible transaction laundering.
Visa and Mastercard do not expect perfection, but they expect PSPs to build capabilities that meaningfully reduce risk and allow for timely remediation.
The consequences extend beyond fines. The wider impact includes increased scheme oversight and reporting obligations, mandatory monitoring or remediation programs, stricter underwriting expectations, reputational impact with banks and partners, lost merchant revenue from required terminations, operational burden on compliance teams, and delays in launching products or entering new markets.
Schemes track PSP performance over time. Consistent, documented improvement matters.
Across the industry, PSPs typically apply increased scrutiny to nutraceuticals and dietary supplements, software and digital services with potential links to gambling or financial utilities, travel and lifestyle packages (especially those involving licensing or advance payment risk), MLM/direct selling models, and high-risk financial services, including crypto-adjacent offerings.
These categories are not inherently problematic. They simply evolve quickly and therefore require proportionate oversight.
Across high-performing PSPs and acquirers, the strongest programs share several traits.
Merchants are categorized based on risk exposure, jurisdiction, business model, and compliance requirements. Not just onboarding snapshots, but ongoing monitoring for new products, health or income claims, landing pages owned by affiliates, and additions that fall into regulated categories.
Looking for connections between merchants through domains, hosting, contact details, and shared operational footprints is essential. A single merchant problem is often not isolated. Shifts in transaction mix, geography, ticket size, or descriptors often reveal business model drift.
When an issue arises, the PSP can provide evidence of onboarding checks, monitoring history, documentation of actions taken, timelines of communication with the merchant, and remediation steps. This is a key factor in scheme confidence.
Professionalism is reflected in several principles: respect for the programs (BRAM and VIRP are essential to ecosystem integrity), accuracy (focusing only on publicly known requirements and industry practices), fairness (acknowledging that schemes do not expect perfection, only robust oversight), operational realism (describing constraints PSPs face without assigning blame), and responsible framing (avoiding exaggeration, speculation, or claims that misrepresent scheme programs).
At Ballerine, we work with PSPs, acquiring banks, and PayFacs who take BRAM and VIRP seriously and want to strengthen their oversight programs. Our role is not to replace scheme compliance teams or interpret scheme rules. Our focus is operational: helping PSPs detect business model changes earlier, monitoring web presence and marketing claims at scale, identifying indicators of transaction laundering or misrepresentation, and supporting continuous risk assessment across large merchant portfolios through merchant monitoring and merchant underwriting capabilities.
We view our work as complementary to Visa and Mastercard's objectives: clearer oversight, better visibility, and improved consumer and brand protection. Whether PSPs use Ballerine or another solution, the direction across the industry is the same: more transparency, more continuous monitoring, better alignment between what merchants declare and what they actually do, and faster and better-documented incident resolution.
If your team is strengthening your BRAM and VIRP processes, we're always interested in learning how you are approaching the operational challenges and where you see the ecosystem moving.
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
