Acquirers
- Obtain MMSP approval from Mastercard to perform monitoring internally
- Engage an approved third-party MMSP
- Ensure pre-transaction scans are completed without delaying merchant onboarding
Related Questions
.png)
Effective 1 January 2026, updated Mastercard Merchant Monitoring Program (MMP) standards require persistent merchant oversight. Acquirers and Payment Service Providers (PSPs) must now conduct merchant scans before the first transaction and maintain continuous monitoring of all content. This article examines Rule 5.12.7 updates and the 15-day remediation mandate designed to mitigate Brand Risk Assessment and Mitigation (BRAM) penalties.
Mastercard has introduced updated requirements for its MMP to strengthen brand integrity compliance. Starting 1 January 2026, newly onboarded merchants must undergo an initial scan before their first transaction. Acquirers are required to demonstrate persistent monitoring capabilities throughout the merchant lifecycle. These requirements apply to the broader payment ecosystem, including acquirers, PSPs, and Payment Facilitators (PayFacs).
A Merchant Monitoring Service Provider (MMSP) is an approved entity that performs monitoring on behalf of acquirers to detect BRAM violations and transaction laundering. Mastercard requires acquirers to either develop internal MMSP capabilities that meet specific criteria or engage an approved third-party MMSP.
The Mastercard brand integrity framework is governed by two primary regulatory sections:
Rule 3.7:
Integrity of Brand and NetworkThis rule requires participants in the Mastercard ecosystem to protect the reputation of the brand and maintain network integrity.
Rule 5.12.7:
Illegal or Brand-Damaging TransactionsThis rule states: "A Merchant must not submit to its Acquirer, and a Customer must not submit to the Interchange System, any Transaction that is illegal, or in the sole discretion of the Corporation, may damage the goodwill of the Corporation or reflect negatively on the Marks".
Violations of these rules trigger the BRAM program. Historically, BRAM penalties have reached 150,000 USD per violation.
Revised standards published in mid-2025 change the operational approach required for merchant onboarding and monitoring.
Merchants onboarded on or after 1 January 2026 must undergo an initial scan prior to their first transaction.
This pre-transaction scan must be completed by an approved MMSP to ensure the merchant's digital presence aligns with brand standards.
Acquirers must collect and submit comprehensive merchant information to their MMSP. This includes:
Monitoring must now extend beyond public website content to include:
This requirement addresses the risk of merchants hosting non-compliant content behind authentication walls to evade standard crawlers.
Acquirers must maintain auditable evidence of:
This documentation must be available for review by Mastercard during audits to prove the efficacy of the monitoring program.
Issues identified through monitoring must be investigated and resolved within 15 days of detection. This timeline applies to both BRAM violations and transaction laundering indicators.
MMSP scans detect several categories of prohibited or restricted content:
Direct acquiring banks must ensure they have a clear path to compliance.
We typically advise teams to choose between obtaining MMSP approval from Mastercard to perform monitoring internally or engaging an approved third-party MMSP.
In both cases, pre-transaction scans must be completed during onboarding without introducing significant latency.
Payment facilitators and service providers are expected to submit complete merchant data to their acquiring bank or MMSP.
We recommend maintaining high data quality across legal names, DBAs, and URLs to ensure monitoring accuracy.
Independent Sales Organizations (ISOs) and processors should verify that upstream acquirers have adequate MMSP coverage.
We look for evidence that merchant applications include all required data fields and document merchant ecosystem relationships, such as related storefronts and domains.
Meeting these requirements involves making operational adjustments across the merchant lifecycle.
We recommend collecting comprehensive merchant data, including legal names and all associated URLs, at the point of application.
Merchant details must be submitted to the MMSP for an initial scan, and approval decisions should be documented before the first transaction is processed.
Look for monitoring systems that cover gated content.
Risk teams should seek to automate alerts for content changes or the appearance of new URLs and maintain a continuous audit trail of monitoring activities.
Flagged content must be reviewed within the mandated timeframes.
We advise teams to document the rationale for every compliance determination and ensure remediation is completed within the 15-day window.
Effective MMSP compliance requires specific technical capabilities:
Merchant risk assessments now often include an ecosystem section mapping storefronts and domains operated by the same entity.
We see this show up when merchants attempt to hide restricted activity across related domains.
MMSP scans should identify multiple URLs operated by the same merchant, related business entities with shared ownership, and marketplace sellers connected to merchant account holders.
Mastercard enforces BRAM rules through systematic compliance programs.
Fines vary based on the severity and frequency of the violation, with penalties typically applied to the acquirer.
Continued non-compliance, such as failing to perform initial scans or missing the 15-day remediation window, may result in program suspension.
We recommend that compliance leaders take the following steps:
Ballerine is a merchant risk intelligence platform that helps acquirers, PSPs, and PayFacs automate the merchant lifecycle.
Our platform integrates MMSP-compliant scanning, gated content monitoring, and automated remediation workflows into a single interface.
By providing the tools needed to meet Mastercard's 2026 standards, Ballerine helps risk teams maintain compliance without sacrificing onboarding speed.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.png)
