Blogs
>
How Mastercard Certifies an MMSP: The Approval Process

How Mastercard Certifies an MMSP: The Approval Process

Robert Ellenhorn
May 4, 2026
Share:

Index

Heading
Related Tags
MMSP
Merchants

Acquirers evaluating new monitoring relationships, and technology vendors exploring entry into Mastercard's program, frequently ask the same question: what does it actually take to become a certified Merchant Monitoring Service Provider (MMSP)? The answer matters not only to prospective providers but to any risk team building or auditing an MMP-compliant monitoring program, because the certification status of an MMSP directly affects an acquirer's ability to defend its compliance posture.

This article explains what Mastercard evaluates, what standards must be met, and why acquirers should confine their MMSP engagements to certified providers.

What Is an MMSP

A Merchant Monitoring Service Provider is a third-party vendor that Mastercard has explicitly approved to perform merchant risk monitoring services on behalf of acquirers participating in the Merchant Monitoring Program (MMP). The MMP is Mastercard's framework for detecting and addressing Business Risk Assessment and Mitigation (BRAM) violations and merchant transaction laundering across acquiring portfolios.

The MMSP designation is not self-declared. It requires formal approval from Mastercard. An acquirer cannot register an unapproved vendor as an MMSP and rely on that vendor's outputs for MMP compliance purposes.

What Mastercard Evaluates

Mastercard's published program documentation does not include a step-by-step application guide for prospective MMSP candidates in the manner that, for example, payment security programs publish detailed self-assessment questionnaires. Certification is conducted through a direct engagement with Mastercard's program team. Based on what Mastercard's published rules and program requirements specify for MMSP outputs, the evaluation focuses on the following capability areas.

BRAM detection. The provider must demonstrate the ability to identify BRAM violations across a merchant's digital presence, including open web content, product listings, and transaction patterns that indicate exposure to prohibited categories.

Transaction laundering detection. The provider must show technical capability to detect indicators of merchant transaction laundering, including proxy merchant structures and undisclosed sub-merchants. This requires analysis of both web-facing and transaction-level data.

Initial scan capability. Effective January 1, 2026, Mastercard requires that any merchant onboarded on or after that date undergo an initial scan before processing their first transaction. Prospective MMSPs must be capable of executing these scans at onboarding speed without creating operational bottlenecks.

Persistent monitoring coverage. Monitoring must extend beyond publicly accessible web content to include restricted and members-only areas, unless access is prohibited by law. An MMSP must demonstrate the ability to assess gated content as part of its surveillance capability.

Reporting standards. Monthly reports submitted to Mastercard must be unaltered copies of MMSP-generated output. Providers must demonstrate that their report generation processes produce complete, accurately timestamped documentation that can withstand scrutiny during an investigation.

What Standards Must Be Met

Approved MMSPs operate within the requirements defined in Mastercard's Security Rules and Procedures. For acquirers, these include:

  • Providing the MMSP with complete merchant data: legal names, doing business as (DBA) names, physical addresses, and all URLs associated with the merchant

  • Ensuring that an initial scan is completed before the merchant's first transaction

  • Investigating any reported BRAM violations within 15 calendar days and ensuring that all violating activity ceases

  • Reporting investigation resolutions back to the MMSP

  • Submitting unaltered monthly MMSP reports to Mastercard within 30 days of monitoring completion

These requirements define the operating environment an MMSP must function within. A provider being considered for certification must demonstrate that its processes, systems, and output formats are compatible with each of these requirements in practice, not only in documentation.

Recertification

Mastercard's publicly available program documentation does not specify a fixed recertification interval for MMSPs. Acquirers and risk teams should confirm the current certification status of any MMSP partner directly, rather than relying on approval letters issued at the time of initial engagement. We recommend building certification verification into the standard third-party review cycle for service providers operating within regulated compliance programs.

Why Acquirers Should Engage Only Certified MMSPs

Participating in the MMP with an uncertified monitoring vendor does not satisfy Mastercard's program requirements. The compliance benefit associated with MMP participation, including potential mitigation of assessments related to BRAM violations, is available only to acquirers that engage Mastercard-approved MMSPs and meet all program requirements. An acquirer that substitutes an uncertified vendor cannot claim this mitigation, regardless of how capable that vendor's monitoring may be.

The operational risk extends further. When Mastercard initiates an investigation, acquirers must submit an unaltered incident report generated by the MMSP, covering the monitoring period in question. If the vendor is not registered as an MMSP, that report does not qualify under the program. The acquirer then has no compliant evidentiary basis to submit, regardless of the quality of monitoring that occurred.

We also see a risk that teams address less consistently: MMSP certification signals that a provider's technical capabilities and report formats have been reviewed against Mastercard's standards. An uncertified vendor's monitoring logic and data coverage may appear comparable in a procurement evaluation, but the outputs have not been validated against the specific requirements Mastercard enforces at the investigation stage. That gap remains invisible until evidence is needed and the format does not meet program specifications.

About Ballerine

Ballerine is a certified Mastercard MMSP. The platform delivers AI-native merchant monitoring, initial scan execution at onboarding speed, access to gated and members-only content, and portfolio-level risk analytics aligned with Mastercard's MMP compliance standards. Monthly reports generated by Ballerine meet Mastercard's unaltered reporting requirements. For acquirers, payment facilitators (PayFacs), and payment service providers (PSPs) building or reviewing their MMP programs in preparation for the January 2026 standards, Ballerine provides the monitoring infrastructure and certified MMSP capabilities that the program requires.

Disclaimer: The information in this article is provided for general educational purposes and is not endorsed by or affiliated with Mastercard. Readers should consult Mastercard's official Rules, Security Rules and Procedures, and applicable program documentation for definitive requirements

Schedule Demo

Related Questions

Reeza Hendricks

Share this blog

Acquirers evaluating new monitoring relationships, and technology vendors exploring entry into Mastercard's program, frequently ask the same question: what does it actually take to become a certified Merchant Monitoring Service Provider (MMSP)? The answer matters not only to prospective providers but to any risk team building or auditing an MMP-compliant monitoring program, because the certification status of an MMSP directly affects an acquirer's ability to defend its compliance posture.

This article explains what Mastercard evaluates, what standards must be met, and why acquirers should confine their MMSP engagements to certified providers.

What Is an MMSP

A Merchant Monitoring Service Provider is a third-party vendor that Mastercard has explicitly approved to perform merchant risk monitoring services on behalf of acquirers participating in the Merchant Monitoring Program (MMP). The MMP is Mastercard's framework for detecting and addressing Business Risk Assessment and Mitigation (BRAM) violations and merchant transaction laundering across acquiring portfolios.

The MMSP designation is not self-declared. It requires formal approval from Mastercard. An acquirer cannot register an unapproved vendor as an MMSP and rely on that vendor's outputs for MMP compliance purposes.

What Mastercard Evaluates

Mastercard's published program documentation does not include a step-by-step application guide for prospective MMSP candidates in the manner that, for example, payment security programs publish detailed self-assessment questionnaires. Certification is conducted through a direct engagement with Mastercard's program team. Based on what Mastercard's published rules and program requirements specify for MMSP outputs, the evaluation focuses on the following capability areas.

BRAM detection. The provider must demonstrate the ability to identify BRAM violations across a merchant's digital presence, including open web content, product listings, and transaction patterns that indicate exposure to prohibited categories.

Transaction laundering detection. The provider must show technical capability to detect indicators of merchant transaction laundering, including proxy merchant structures and undisclosed sub-merchants. This requires analysis of both web-facing and transaction-level data.

Initial scan capability. Effective January 1, 2026, Mastercard requires that any merchant onboarded on or after that date undergo an initial scan before processing their first transaction. Prospective MMSPs must be capable of executing these scans at onboarding speed without creating operational bottlenecks.

Persistent monitoring coverage. Monitoring must extend beyond publicly accessible web content to include restricted and members-only areas, unless access is prohibited by law. An MMSP must demonstrate the ability to assess gated content as part of its surveillance capability.

Reporting standards. Monthly reports submitted to Mastercard must be unaltered copies of MMSP-generated output. Providers must demonstrate that their report generation processes produce complete, accurately timestamped documentation that can withstand scrutiny during an investigation.

What Standards Must Be Met

Approved MMSPs operate within the requirements defined in Mastercard's Security Rules and Procedures. For acquirers, these include:

  • Providing the MMSP with complete merchant data: legal names, doing business as (DBA) names, physical addresses, and all URLs associated with the merchant

  • Ensuring that an initial scan is completed before the merchant's first transaction

  • Investigating any reported BRAM violations within 15 calendar days and ensuring that all violating activity ceases

  • Reporting investigation resolutions back to the MMSP

  • Submitting unaltered monthly MMSP reports to Mastercard within 30 days of monitoring completion

These requirements define the operating environment an MMSP must function within. A provider being considered for certification must demonstrate that its processes, systems, and output formats are compatible with each of these requirements in practice, not only in documentation.

Recertification

Mastercard's publicly available program documentation does not specify a fixed recertification interval for MMSPs. Acquirers and risk teams should confirm the current certification status of any MMSP partner directly, rather than relying on approval letters issued at the time of initial engagement. We recommend building certification verification into the standard third-party review cycle for service providers operating within regulated compliance programs.

Why Acquirers Should Engage Only Certified MMSPs

Participating in the MMP with an uncertified monitoring vendor does not satisfy Mastercard's program requirements. The compliance benefit associated with MMP participation, including potential mitigation of assessments related to BRAM violations, is available only to acquirers that engage Mastercard-approved MMSPs and meet all program requirements. An acquirer that substitutes an uncertified vendor cannot claim this mitigation, regardless of how capable that vendor's monitoring may be.

The operational risk extends further. When Mastercard initiates an investigation, acquirers must submit an unaltered incident report generated by the MMSP, covering the monitoring period in question. If the vendor is not registered as an MMSP, that report does not qualify under the program. The acquirer then has no compliant evidentiary basis to submit, regardless of the quality of monitoring that occurred.

We also see a risk that teams address less consistently: MMSP certification signals that a provider's technical capabilities and report formats have been reviewed against Mastercard's standards. An uncertified vendor's monitoring logic and data coverage may appear comparable in a procurement evaluation, but the outputs have not been validated against the specific requirements Mastercard enforces at the investigation stage. That gap remains invisible until evidence is needed and the format does not meet program specifications.

About Ballerine

Ballerine is a certified Mastercard MMSP. The platform delivers AI-native merchant monitoring, initial scan execution at onboarding speed, access to gated and members-only content, and portfolio-level risk analytics aligned with Mastercard's MMP compliance standards. Monthly reports generated by Ballerine meet Mastercard's unaltered reporting requirements. For acquirers, payment facilitators (PayFacs), and payment service providers (PSPs) building or reviewing their MMP programs in preparation for the January 2026 standards, Ballerine provides the monitoring infrastructure and certified MMSP capabilities that the program requires.

Disclaimer: The information in this article is provided for general educational purposes and is not endorsed by or affiliated with Mastercard. Readers should consult Mastercard's official Rules, Security Rules and Procedures, and applicable program documentation for definitive requirements

Related Articles

FinCEN NPRM: New AML Rules and What They Mean for Payment Companies
Merchants
Compliance
Andy Vrabel
Apr 29, 2026
FinCEN NPRM: New AML Rules and What They Mean for Payment Companies

How Risk Teams Classify Gaming vs. Gambling Merchants
Merchants
Risk Management
Ballerine team
Mar 26, 2026
How Risk Teams Classify Gaming vs. Gambling Merchants

How acquirers, PayFacs, and risk teams can classify gaming-adjacent merchants correctly, apply the three-element legal test to product mechanics, and prevent misclassification from entering the portfolio.

FinCEN NPRM: New AML Rules and What They Mean for Payment Companies
Merchants
Compliance
Andy Vrabel
Apr 29, 2026
FinCEN NPRM: New AML Rules and What They Mean for Payment Companies

Turning Acceptable Use Policies into a Dynamic Decision Engine
Product update
Gadi Ben-Amram
Apr 13, 2026
Turning Acceptable Use Policies into a Dynamic Decision Engine

Apply your own Acceptable Use Policy automatically during merchant onboarding and monitoring, with clear decisions, clear reasoning, and audit-ready outcomes.