Payment service providers (PSPs) that process card transactions through an acquiring relationship have a concrete decision to make ahead of Mastercard's January 2026 Merchant Monitoring Program (MMP) standards: build a monitoring capability internally, or engage a certified Merchant Monitoring Service Provider (MMSP). This article lays out the operational implications of each path, based on what Mastercard's program requirements actually specify.
MMP compliance obligations sit formally with acquirers, not with PSPs as a distinct category. If you are a PSP operating under a sponsor bank's acquiring license, the primary compliance responsibility falls on the acquirer. However, PSPs that hold their own acquiring licenses, or that are structured as payment facilitators (PayFacs) with direct Mastercard relationships, face the same monitoring obligations as any acquirer. For simplicity, this article addresses risk teams in any organization that bears direct MMP compliance responsibility for a portfolio of merchants.
Before evaluating the build-versus-buy decision, it is worth being precise about what the program requires operationally, because each requirement carries implementation weight regardless of which path is chosen.
Under Mastercard's published MMP standards, participating acquirers must:
These requirements remain constant regardless of whether monitoring is performed in-house or by a certified MMSP. The acquirer's accountability to Mastercard does not transfer.
Mastercard's program documentation confirms that an acquirer with its own dedicated internal detection system may register itself as the monitoring entity for MMP participation, rather than engaging an external MMSP. If the acquirer chooses this path, it must register its internal system and comply with all MMP and service provider requirements. This is not a lighter compliance path. It carries the same technical and operational obligations as an external MMSP, applied to an internally owned system.
The technical scope of what must be built includes:
BRAM content detection. The system must be capable of evaluating merchant web content against Mastercard's BRAM prohibited category list, which covers product types including prescription pharmaceuticals sold without appropriate verification, prohibited adult content, counterfeit goods, and other defined categories. The list is not static: Mastercard updates it in response to emerging enforcement priorities, and an internal system must track those updates and apply them to active monitoring logic.
Transaction laundering detection. The system must analyze transaction-level data and web-facing signals together to identify proxy merchant structures, undisclosed sub-merchants, and Merchant Category Code (MCC) mismatches. This is a structurally different capability from content scanning. It requires integration with transaction data and the analytical logic to identify discrepancies between declared and actual merchant activity.
Gated content access. Persistent monitoring must extend to password-protected and members-only areas of merchant websites. An internal system must be able to authenticate into these environments, evaluate their content against BRAM categories, and document the monitoring activity with the same audit-ready evidence required for public content.
Mastercard-format reporting. Monthly reports must follow the specific Excel format and naming convention that Mastercard defines. Each report must include all monitored merchants, all identified violations, and all resolution details. Incomplete reports are rejected. Late reports may result in the loss of assessment mitigation. An internal reporting pipeline must produce this output reliably, at scale, every month.
Ongoing system maintenance. Prohibited category updates, coverage gaps identified during investigations, and Mastercard's evolving technical expectations all require the internal team to maintain and update the system continuously. The compliance obligation does not pause between monthly reporting cycles.
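A pre-submission completeness gate for the reporting requirement above, as an added example that is not from Mastercard's documentation or any vendor's product. The record fields, merchant IDs and URLs are constructed, and counting the 15-day investigation window from the alert date is an assumption; the check runs on internal records before they are rendered into Mastercard's required format.

```python
from datetime import date

WINDOW_DAYS = 15  # investigation window named in the article; start point is an assumption


def precheck(portfolio, scanned, violations, report_date):
    """Return sorted (merchant_id, problem) findings; an empty list means complete."""
    findings = set()
    # Every onboarded merchant and every registered URL must have been monitored.
    for merchant_id, urls in portfolio.items():
        if merchant_id not in scanned:
            findings.add((merchant_id, "merchant missing from monitoring output"))
            continue
        for url in sorted(urls - scanned[merchant_id]):
            findings.add((merchant_id, f"url not scanned: {url}"))
    # Every violation needs resolution details and a timely investigation.
    for v in violations:
        mid = v["merchant_id"]
        if mid not in portfolio:
            findings.add((mid, "violation for merchant outside portfolio"))
        if not (v.get("resolution") or "").strip():
            findings.add((mid, "violation without resolution details"))
        closed = v.get("resolved") or report_date  # still open: measure to report date
        if (closed - v["alerted"]).days > WINDOW_DAYS:
            findings.add((mid, "investigation exceeded 15-day window"))
    return sorted(findings)


# Constructed sample data (hypothetical internal records, not Mastercard's format).
PORTFOLIO = {
    "M-001": {"https://shop.example/", "https://shop.example/members"},
    "M-002": {"https://pills.example/"},
    "M-003": {"https://games.example/"},
}
SCANNED = {
    "M-001": {"https://shop.example/"},  # gated members area was skipped
    "M-002": {"https://pills.example/"},
}
VIOLATIONS = [
    {"merchant_id": "M-002", "alerted": date(2026, 1, 5),
     "resolved": date(2026, 1, 28), "resolution": "merchant terminated"},
    {"merchant_id": "M-001", "alerted": date(2026, 1, 20),
     "resolved": None, "resolution": ""},
]
REPORT_DATE = date(2026, 1, 31)

if __name__ == "__main__":
    for merchant_id, problem in precheck(PORTFOLIO, SCANNED, VIOLATIONS, REPORT_DATE):
        print(merchant_id, problem)
```

Running the gate as a blocking step in the monthly pipeline turns an incomplete report into an internal failure rather than a rejected submission.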
Engaging a certified external MMSP transfers the execution of monitoring to a vendor whose capabilities have been reviewed and approved by Mastercard specifically for this purpose. The acquirer retains accountability for MMP compliance. What the MMSP provides is a validated detection and reporting infrastructure that the acquirer can depend on to meet the program's technical requirements without building or maintaining it internally.
Practically, the MMSP path separates the compliance obligation from the engineering and operational burden of meeting it. The acquirer's internal team focuses on receiving violation alerts, conducting investigations within the 15-day window, and maintaining the merchant data pipeline to the MMSP. The monitoring system itself, including content scanning, gated content access, transaction laundering detection logic, and monthly report generation in Mastercard's required format, sits with the provider.
The assessment mitigation benefit that MMP participation offers is contingent on meeting all program requirements. An internal system that misses a URL, produces an incomplete monthly report, or fails to detect a BRAM violation that subsequently generates a Mastercard notification is treated identically to no monitoring program at all when it comes to the acquirer's ability to claim mitigation. The certification that an approved MMSP carries signals that its detection methodology and output formats have been reviewed against Mastercard's standards, which is a risk consideration that sits alongside the build-versus-buy cost analysis.
The build path provides direct control over the monitoring system. For acquirers and PSPs with the engineering capacity to build and maintain a compliant system, register it with Mastercard, and sustain the ongoing operational requirements at portfolio scale, it is a structurally viable option. The trade-off is the full resource commitment required: initial development, Mastercard registration and approval, ongoing maintenance as the program evolves, and the internal compliance team capacity to manage investigations and reporting.
The certified MMSP path converts that build-and-maintain commitment into a vendor management relationship. The trade-off is dependency on the MMSP's detection accuracy, coverage, and operational reliability. Acquirers should evaluate MMSP options against the specific monitoring requirements: coverage of gated content, transaction laundering detection capability, report format compliance, and the ability to deliver initial scans at onboarding speed without creating merchant intake bottlenecks.
For PSPs operating at scale, where merchant intake volume creates onboarding pressure and portfolio diversity increases the complexity of BRAM and transaction laundering detection, the evaluation should center on whether an internal system can meet all of Mastercard's technical requirements consistently. Partial coverage does not produce partial compliance benefit. The monthly report must be complete, or Mastercard will reject it.
Ballerine is a certified Mastercard MMSP. The platform's monitoring infrastructure covers BRAM content detection, transaction laundering identification, gated content access, and Mastercard-format monthly reporting for acquirers, PSPs, and PayFacs operating under the January 2026 standards. For risk teams evaluating the build-versus-buy decision, Ballerine provides the technical capabilities and certified MMSP status that MMP participation requires, without the internal development and maintenance commitment.
Disclaimer: The information in this article is provided for general educational purposes and is not endorsed by or affiliated with Mastercard. Readers should consult Mastercard's official Rules, Security Rules and Procedures, and applicable program documentation for definitive requirements.