Mastercard’s June 2026 bulletin clarified the operational requirements under its Merchant Monitoring Service Provider standards, including how acquirers should use approved MMSPs, submit reports, and evidence ongoing monitoring activity. The underlying monitoring obligations were already substantively effective as of January 1, 2026. For merchants onboarded on or after that date, acquirers must complete an initial scan before the merchant begins processing Mastercard transactions.
The first monthly reporting cycle under the clarified framework falls due in July, so acquirers should use the bulletin as an implementation checkpoint rather than treating July as the start of the obligation.
The Merchant Monitoring Service Provider (MMSP) program sits under Mastercard's Business Risk Assessment and Mitigation (BRAM) program. Its purpose is to give acquirers a structured, third-party mechanism for monitoring merchant websites for prohibited content, transaction laundering activity, and other violations of Mastercard's acceptable use policies.
The June 2026 bulletin clarified four operational requirements under the MMSP standard, rather than creating entirely new obligations.
MMSP must be Mastercard-approved. Acquirers cannot designate internal scanning tools or unapproved third parties to fulfill the MMSP requirement. The provider must appear on Mastercard's published list of approved MMSPs.
An initial scan is required before processing begins. For merchants onboarded on or after January 1, 2026, the MMSP must complete an initial review of the merchant’s digital footprint before the merchant begins processing Mastercard transactions.
URL monitoring must cover members-only areas. Prior practice focused on publicly visible pages. The MMSP framework requires ongoing monitoring that extends into authenticated or gated content on merchant websites. This matters because prohibited content is frequently concealed behind login walls rather than on publicly indexed pages.
Reports must be MMSP-authored and unaltered. Acquirers who forward monthly or incident reports to Mastercard must transmit them exactly as received from the MMSP. Internal annotation, summarization, or reformatting is not permitted.
The primary obligation falls on acquirers: financial institutions and processors that hold a direct Mastercard membership and board merchants under that membership.
Payment facilitators (PayFacs) do not carry a direct compliance obligation to Mastercard under this standard. However, their sponsoring acquirer does, and that acquirer's MMSP program must extend to cover PayFac sub-merchants. PayFacs need to understand their sponsoring acquirer's MMSP configuration and ensure their own merchant onboarding and monitoring processes align with it.
Network Enablement Partners and Branded Processors are also in scope. If your organization touches Mastercard transaction routing and boards merchants in any capacity, confirm your compliance posture with your legal and compliance team.
One practical implication for PayFacs: if your sponsoring acquirer has not yet opted into the MMSP program, the fine relief protections available to registered participants do not extend to your portfolio. This is a risk worth assessing now, not after the first reporting cycle.
The following nine steps represent the complete operational sequence for acquirers implementing the clarified MMSP framework.
Step 1: Opt in to the MMSP program. Participation is structured as an opt-in. Acquirers that do not opt in forfeit the 75% fine relief available to registered participants. Non-participation does not exempt an acquirer from Mastercard's broader merchant monitoring obligations.
Step 2: Select a Mastercard-approved MMSP. The MMSP must appear on Mastercard's approved provider list. Acquirers may work with more than one MMSP, which can be appropriate for portfolio segmentation or geographic coverage needs.
Step 3: Submit merchant data to the MMSP. Once contracted, the acquirer submits merchant data, including URLs, business descriptors, and known digital identifiers, to the MMSP. The completeness of this data set directly affects scan coverage.
Step 4: Complete the initial scan before transaction processing. For merchants onboarded on or after January 1, 2026, the MMSP must finish an initial web analysis before that merchant can begin processing Mastercard transactions. For acquirers with high-volume merchant boarding, this creates a workflow dependency that should be reflected in both MMSP contract SLAs and internal onboarding tooling.
Step 5: Maintain continuous URL monitoring, including members-only areas. After initial onboarding, monitoring continues on an ongoing basis. This includes publicly accessible pages and authenticated or gated areas of the merchant's website.
Step 6: MMSP reports violations within 5 business days. When the MMSP identifies a policy violation, it must report that finding to the acquirer within 5 business days of detection. Review your MMSP contract to confirm this SLA is explicitly stated and enforceable.
Step 7: Acquirer investigates and resolves within 15 calendar days. Upon receiving a violation report, the acquirer has 15 calendar days to investigate and reach a resolution. Resolution may mean remediation with the merchant, suspension of processing, or termination. This window applies from the date of the MMSP's notification, not from when the acquirer internally triages the report.
Step 8: Submit monthly MMSP-generated reports to Mastercard. Every month, the acquirer submits a report to Mastercard covering all enrolled merchants. This report must be generated by the MMSP. If the acquirer forwards it, it must be transmitted unaltered.
Step 9: Apply MATCH system compliance where applicable. Where violations result in merchant termination, MATCH (Mastercard Alert to Control High-Risk Merchants) reporting obligations apply. MMSP enrollment provides documented evidence that the acquirer followed a structured monitoring process.
A clarification worth noting for planning purposes: the June 2026 bulletin clarified the MMSP framework and reporting workflow. The underlying merchant monitoring obligations were already substantively effective as of January 1, 2026, while July 2026 is when the first monthly reporting cycle under the clarified framework falls due.
Compliance teams should treat July as an operational reporting milestone, not the start of the obligation.
Mastercard's specific fine schedules for MMSP-related violations are contained in the Security Rules and Procedures manual, which is available to acquirers through their Mastercard membership agreements and relationship contacts, but is not publicly available.
What the bulletin makes clear is the consequence of participating versus not participating.
Acquirers enrolled with a registered MMSP receive 75% fine relief on assessments related to covered violations. This is the program's most significant financial incentive. An acquirer that opts in, enrolls merchants, and follows the reporting workflow retains substantial protection against fine exposure when violations occur despite proper monitoring.
Acquirers that do not opt in receive no fine relief. The full assessment applies on any qualifying violation. For portfolios with meaningful Mastercard volume, cumulative exposure over time represents a more significant risk than the operational cost of enrollment.
Beyond financial assessments, consequences for repeated or unaddressed violations can include MATCH listing of merchants and, in more serious cases, risk to acquiring privileges. These outcomes are consistent with Mastercard's broader risk program structure. The absence of an MMSP enrollment record weakens an acquirer's compliance posture in any enforcement conversation.
The reporting structure under the clarified MMSP framework has two components.
Monthly reports cover the acquirer's enrolled merchant portfolio in full. Requirements include:
Incident reports follow the same authorship requirement. When an MMSP identifies and reports a violation, that report document is the official record for Mastercard submission. Acquirers should not create parallel summaries or reformatted versions for submission.
From an operational standpoint, this has real implications for how acquirers select and contract with an MMSP. Providers that generate structured outputs in a format compatible with Mastercard submission requirements reduce the compliance risk associated with manual handling.
Providers that require acquirer staff to reformat or consolidate data before submission introduce both operational burden and compliance exposure.
We recommend confirming during the MMSP evaluation process that the provider generates the monthly report directly from their platform and that the output format has been validated with Mastercard. This is worth specifying in the contract.
Mastercard approval is the baseline requirement. Beyond that, acquirers evaluating MMSP options should assess the following criteria.
Coverage depth, including members-only content. The MMSP framework requires monitoring of authenticated areas. Ask the provider to describe their methodology for accessing and scanning content behind login walls. This capability varies meaningfully across providers.
Detection methodology. There is a real difference between keyword-based scanning and contextual web analysis that evaluates meaning across a merchant's full digital footprint. Keyword matching generates higher false positive rates and can miss violations phrased to avoid known trigger terms. Ask how the provider handles content that does not match a predefined term list.
Language coverage. Merchants operating across jurisdictions may present content in a range of languages. An MMSP with language-agnostic digital footprint analysis provides more complete coverage than one dependent on supported language configurations.
Native report generation. MMSP reports must be MMSP-authored. A provider whose platform generates the required monthly and incident report formats directly, without requiring acquirer-side reformatting, reduces both compliance risk and operational load.
Speed and SLA terms. The initial scan SLA matters for onboarding velocity. The violation reporting SLA (the 5 business day window) should be contractually specified. Ask for historical performance data on both.
API integration. Acquirers and PayFacs with significant boarding volume will want the MMSP to integrate with existing onboarding and case management workflows. Manual data submission at scale is not a sustainable approach for most portfolios.
Risk level classification. Evaluation outputs should map to a structured risk level framework (low, medium, high, critical) that integrates with the acquirer's existing risk decisioning process. Ask how the provider defines and classifies findings.
Ballerine is a Mastercard-approved MMSP. Our web analysis capability covers both publicly visible and members-only merchant content, and our detection approach uses AI-based contextual analysis rather than keyword matching. This reduces false positives and improves coverage for content designed to avoid conventional scanning.
Key operational features:
For compliance teams managing the transition to the clarified MMSP framework, the platform handles registration, monitoring, and reporting requirements within a single workflow. If you want to see how it works in practice, we are available for a demonstration.
Ballerine is a Mastercard-approved Merchant Monitoring Service Provider. This guide reflects publicly available information about the MMSP program structure and is intended for general informational purposes. Acquirers should review their Mastercard membership agreements and consult compliance counsel for guidance specific to their situation.
edited%205.webp)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
