Choosing the wrong merchant monitoring vendor carries real costs. Risk teams discover the gap not during the sales cycle but after it: a prohibited merchant passes screening undetected, a chargeback program breach triggers scheme enforcement, or an audit reveals that evidence trails are incomplete.
By that point, the cost is not just the vendor contract. It includes scheme fines, remediation resources, regulatory exposure, and the time required to transition to a replacement.
According to Gartner Peer Insights research, detection accuracy and false positive rates are among the leading reasons organizations switch monitoring vendors, ranking ahead of pricing concerns. For acquirers managing large merchant portfolios, false positive volume is not a minor operational inconvenience.
High false positive rates consume analyst time that should be focused on genuine risk signals.
This checklist is designed to help heads of risk and chief compliance officers evaluate merchant monitoring vendors systematically, before a contract is signed. It covers core detection capabilities, compliance alignment, integration requirements, pricing structure, and warning signs worth watching for during vendor conversations.
This is where the most meaningful differentiation exists among merchant monitoring vendors, and where evaluation questions tend to reveal the most about a vendor's actual methodology.
Web analysis depth
Ask vendors how they analyze merchant web presence. The distinction between surface-level crawling and deep contextual analysis is significant.
A vendor that scrapes visible text for flagged keywords will perform differently from one that evaluates business model coherence, content context, product category signals, and cross-domain associations.
Request examples of what their analysis produces for a high-risk merchant category relevant to your portfolio.
Detection methodology: AI versus keyword matching
Keyword-based detection identifies merchants that use flagged terms. It does not evaluate what a merchant is actually doing. A merchant selling counterfeit goods without using the word "replica," or operating a regulated service without labeling it as such, will pass keyword screening without review.
Contextual AI analysis evaluates the full picture: what the site sells, how it presents itself, whether its stated business model is consistent with its actual content, and whether its MCC classification is accurate.
Ask vendors directly: "How does your system detect a prohibited product category when the merchant does not use the exact terminology associated with that category?"
Language coverage
Merchants operate in multiple languages. A monitoring approach that performs well in English but degrades in Arabic, Mandarin, Thai, or Portuguese creates a systematic gap in coverage.
Ask whether the vendor's methodology is truly language-agnostic, meaning the detection logic applies equally regardless of the language the merchant's website uses, rather than relying on translated keyword lists that miss idiomatic or colloquial product descriptions.
Cloaking detection
Some merchants present different content to payment processors and compliance reviewers than they show to consumers. This includes geo-targeted content switching, user-agent detection, and referrer-based redirects. Vendors without cloaking detection capability will review what a merchant wants them to see.
Ask how the vendor handles content that differs between review environments and consumer environments.
Real-time versus periodic monitoring
Periodic batch monitoring (weekly or monthly scans) creates windows of exposure. A merchant that passes an initial review can change its inventory, add prohibited categories, or redirect traffic within days of onboarding. Continuous or near-real-time monitoring significantly reduces that window. Confirm the monitoring cadence and ask how quickly a newly detected risk signal generates an alert.
Transaction laundering detection
Transaction laundering, where a merchant processes payments on behalf of undisclosed sub-merchants, is a persistent and often invisible risk for acquirers. Ask whether the vendor evaluates indicators beyond a merchant's primary URL, including associated storefronts, linked domains, and patterns consistent with front merchant activity.
MCC classification accuracy
Incorrect MCC classification creates compliance exposure and can mask risk categories. Ask how the vendor validates that a merchant's declared MCC matches its actual business activity, particularly for merchants in categories with elevated chargeback or fraud profiles.
Regulatory alignment is not a checkbox item. It shapes what a vendor's output is actually worth in an audit or enforcement context.
Mastercard MMP and MMSP alignment
Effective January 1, 2026, Mastercard's revised Merchant Monitoring Program (MMP) standards require acquirers to use a Mastercard-approved Merchant Monitoring Service Provider (MMSP) for monitoring activity.
Requirements include an initial scan prior to first transaction, ongoing monitoring that extends to gated and member-exclusive content, and evidence retention that meets Mastercard's data integrity standards. Confirm whether the vendor holds current MMSP approval and ask for documentation.
Visa GBPP alignment
For Visa, the Global Brand Protection Program (GBPP) sets requirements for monitoring merchants associated with brand-risk categories. Confirm whether the vendor's methodology addresses GBPP criteria and whether reporting output meets Visa's documentation standards.
Evidence generation and audit trails
The value of a monitoring result depends on how well it can be documented. Ask what evidence the vendor produces for each review: screenshots, metadata, timestamps, content extracts, risk classification rationale. Evidence that cannot be reproduced or verified after the fact has limited value in a scheme audit or regulatory inquiry.
SOC 2 certification
Monitoring vendors process sensitive merchant data. SOC 2 Type II certification demonstrates that security controls have been independently audited over a sustained period, not just at a point in time. Confirm the certification status and ask for the most recent audit report.
Data residency and retention
Depending on the acquirer's operating jurisdiction, merchant data may be subject to residency requirements. Ask where vendor data is stored, how long it is retained, and whether retention policies can be configured to meet local regulatory requirements. The ETA's Guidelines on Merchant and ISO Underwriting and Risk Monitoring provide a useful reference framework for due diligence requirements in this area.
Incident response
Ask vendors how they notify clients of system outages, monitoring gaps, or changes to detection methodology. An undisclosed change to detection logic can affect compliance posture without the acquirer's knowledge. Request the incident response policy in writing.
Even strong detection capability creates operational problems if it cannot integrate cleanly with existing risk infrastructure.
API availability and documentation
Confirm that the vendor offers a well-documented API for ingesting merchant data, triggering reviews, and retrieving results. Manual portal workflows are not sustainable at scale. Ask about rate limits, authentication methods, and supported data formats.
Case management integration
Ask whether the vendor supports integration with common case management platforms, or whether results require manual transfer into existing workflows. A monitoring result that requires manual re-entry before it can be acted on adds latency to the response process.
Onboarding time and implementation support
Ask for a realistic implementation timeline, including data ingestion setup, API integration, workflow configuration, and training. Reference the vendor's standard onboarding documentation and, where possible, speak to an existing client in a similar operating environment.
Service level agreements
Confirm SLAs for report turnaround, system availability, and support response times. For acquirers with real-time or near-real-time monitoring requirements, turnaround time on individual merchant reviews is an operational dependency, not a secondary consideration.
Pricing transparency is itself a signal. Vendors that are reluctant to explain pricing methodology before contract negotiation tend to surface unexpected costs once the contract is signed.
Per-URL versus per-merchant pricing
Per-merchant pricing obscures the actual cost of monitoring merchants with multiple storefronts, sub-domains, or associated URLs. Per-URL pricing is more transparent and aligns cost directly with monitoring scope. Ask for clarity on how pricing scales when a merchant operates more than one web presence.
Volume scaling
Ask for the pricing structure across volume tiers relevant to your portfolio size. Confirm whether pricing adjusts dynamically as portfolio volume grows or contracts, and whether there are minimum commitment requirements.
Contract flexibility
Ask about contract term requirements, notice periods, and exit terms. A vendor that is confident in its detection quality will generally not require multi-year commitments to justify the relationship.
Some vendor behaviors during the sales process are worth treating as early warning signals.
Ballerine is an AI-native merchant risk platform designed for acquirers, payment facilitators, and marketplaces that need to move beyond keyword-based monitoring.
Detection methodology
Ballerine uses contextual AI analysis rather than keyword matching. The system evaluates merchant web presence in full context: business model classification, product category signals, content coherence, MCC accuracy, cloaking indicators, and transaction laundering exposure.
Detection logic is applied consistently regardless of the language the merchant's website uses, meaning an Arabic-language site and an English-language site go through the same analytical framework.
Report turnaround
Individual merchant monitoring reports are typically returned in approximately 10 minutes, supporting near-real-time use cases and pre-transaction screening requirements.
Scheme compliance
Ballerine holds Mastercard MMSP approval and produces audit-ready reporting designed to meet Mastercard's data integrity standards under the revised MMP compliance requirements effective January 1, 2026. Evidence generation is structured to support scheme audits and internal compliance documentation.
Pricing
Ballerine prices on a per-URL basis, not per merchant. This reflects the actual scope of monitoring for merchants operating multiple storefronts and avoids cost ambiguity as portfolio composition changes.
Security
Ballerine is SOC 2 Type II certified.
Evaluating detection quality before contract
Acquirers can request five free merchant monitoring reports to evaluate detection depth, evidence quality, and MCC classification accuracy against real merchants in their portfolio. Request 5 free reports to compare Ballerine's output against your current monitoring vendor before making a vendor decision.
Ballerine provides merchant risk and compliance infrastructure for acquirers, payment facilitators, and marketplace operators. Our platform supports end-to-end merchant lifecycle management, including onboarding, ongoing monitoring, and risk decisioning for merchant portfolios that span both URL-based and social-only commerce.
We work with risk and compliance teams to build monitoring programs that reflect the actual structure of their merchant base, not the assumptions of legacy tooling.